Edit tour

Windows Analysis Report
https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e

Overview

General Information

Sample URL:	https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e
Analysis ID:	1481924
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code contains potential unpacker

Downloads suspicious files via Chrome

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2336,i,1610588987333776437,15318128558683380301,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

unarchiver.exe (PID: 6440 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Emis Web installer.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 6528 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu" "C:\Users\user\Downloads\Emis Web installer.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6316 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EmisHealthInstaller.exe (PID: 6756 cmdline: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe MD5: D9171359379F547B6AE4E47CAA9AA2E5)

chrome.exe (PID: 6460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T15:12:40.519738+0200
SID:	2022930
Source Port:	443
Destination Port:	49748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T15:12:02.233690+0200
SID:	2022930
Source Port:	443
Destination Port:	49742
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe

File created: C:\ProgramData\SDS\EmisHealthInstallerLogs\EmisHealthInstaller Log (25-07-24 09-11).txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49741 version: TLS 1.2

Source:	Binary string: i:\B\58\1415\Sources\Emis.UX\obj\Debug\Emis.UX.pdbt source: EmisHealthInstaller.exe, 00000009.00000002.2572648422.00000000131DE000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2573591347.000000001BA90000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.EventBroking\obj\Release\SDS.Client.EventBroking.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.Services\obj\Release\Emis.SDS.Client.Installation.Services.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2575142776.000000001C020000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\DataHelper\obj\Debug\EMIS.DataHelper.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009B2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: c:\src\procexp\sys\objfre_wxp_x86\i386\procexp141.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, handle.exe.9.dr, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\MiddleTier\obj\Debug\EMIS.MiddleTier.pdb\T~T pT_CorDllMainmscoree.dll source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009EB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.Wpf.Mvvm\obj\Release\Emis.Wpf.Mvvm.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2574519463.000000001BDF0000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.ServiceInstaller\obj\Release\SDS.Client.ServiceInstaller.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr, SDS.Client.ServiceInstaller.exe.9.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.ExternalServices\obj\Release\Emis.SDS.Client.Installation.ExternalServices.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2575209624.000000001C030000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.Framework\obj\Release\SDS.Client.Framework.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: c:\src\Handle\Release\handle.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, handle.exe.9.dr, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\EmisHealthInstaller\obj\Release\EmisHealthInstaller.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.WebServices.Common\obj\Release\Emis.SDS.WebServices.Common.pdb4 source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\Entities\obj\Debug\EMIS.Entities.pdb0 source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009CB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.UI\obj\Release\Emis.SDS.Client.Installation.UI.pdb4 source: EmisHealthInstaller.exe, 00000009.00000002.2570271235.0000000003000000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\Entities\obj\Debug\EMIS.Entities.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009CB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.UI\obj\Release\Emis.SDS.Client.Installation.UI.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2570271235.0000000003000000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.Wpf.Mvvm\obj\Release\Emis.Wpf.Mvvm.pdb` source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2574519463.000000001BDF0000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.Services\obj\Release\Emis.SDS.Client.Installation.Services.pdbX source: EmisHealthInstaller.exe, 00000009.00000002.2575142776.000000001C020000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Common\obj\Release\Emis.SDS.Common.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.WebServices.Common\obj\Release\Emis.SDS.WebServices.Common.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2570421838.0000000003050000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.Framework\obj\Release\SDS.Client.Framework.pdb<# source: EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: i:\B\58\1415\Sources\Emis.UX\obj\Debug\Emis.UX.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2572648422.00000000131DE000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2573591347.000000001BA90000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: T:\B\152\1601\Sources\Foundation\Emis.Net40\obj\Debug\net40\Emis.Net40.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: c:\src\procexp\sys\objfre_wnet_amd64\amd64\procexp141.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, handle.exe.9.dr, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Applications.Common\obj\Release\Emis.SDS.Applications.Common.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2569739638.00000000014E0000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\MiddleTier\obj\Debug\EMIS.MiddleTier.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009EB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\EMISCore\obj\Debug\EMISCore.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe, type: DROPPED

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e HTTP/1.1Host: www.emisnow.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: www.emisnow.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.0000000003086000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Emis.SDS.Client.Installation.UI;component/Resources/128x51horizontal.png
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Emis.SDS.Client.Installation.UI;component/Resources/blue-bkg.ico
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Emis.Wpf.Mvvm;component/controls/busyindicator.xaml
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.0000000003086000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Resources/128x51horizontal.png
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Resources/blue-bkg.ico
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/controls/busyindicator.baml
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.0000000003086000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/resources/128x51horizontal.png
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/resources/blue-bkg.ico
Source: EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/controls/busyindicator.xaml

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49741 version: TLS 1.2

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\Emis Web installer.zip (copy)

Jump to dropped file

Source: handle.exe.9.dr	Static PE information: Resource name: BINRES type: PE32+ executable (console) x86-64, for MS Windows
Source: handle.exe.9.dr	Static PE information: Resource name: BINRES type: MS-DOS executable, LE executable for MS Windows (VxD)
Source: handle.exe.9.dr	Static PE information: Resource name: BINRES type: PE32 executable (native) Intel 80386, for MS Windows

Source: EmisHealthInstaller.exe.5.dr	Binary string: \Device\Mup
Source: EmisHealthInstaller.exe.5.dr	Binary string: \Device\Mup\DevicekeySection%s pid: %d %s
Source: EmisHealthInstaller.exe.5.dr	Binary string: \Device\PROCEXP141
Source: EmisHealthInstaller.exe.5.dr	Binary string: \DosDevices\PROCEXP141D:P(A;;GA;;;SY)(A;;GA;;;BA)PsReleaseProcessExitSynchronizationPsAcquireProcessExitSynchronization\DosDevices\Global\PROCEXP141\Device\PROCEXP141~:

Source: classification engine

Classification label: mal52.troj.evad.win@27/10@4/5

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\2e78d3a3-1f0c-4eae-a73d-15b8fc099006.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2336,i,1610588987333776437,15318128558683380301,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Emis Web installer.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu" "C:\Users\user\Downloads\Emis Web installer.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2336,i,1610588987333776437,15318128558683380301,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Emis Web installer.zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu" "C:\Users\user\Downloads\Emis Web installer.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: i:\B\58\1415\Sources\Emis.UX\obj\Debug\Emis.UX.pdbt source: EmisHealthInstaller.exe, 00000009.00000002.2572648422.00000000131DE000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2573591347.000000001BA90000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.EventBroking\obj\Release\SDS.Client.EventBroking.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.Services\obj\Release\Emis.SDS.Client.Installation.Services.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2575142776.000000001C020000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\DataHelper\obj\Debug\EMIS.DataHelper.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009B2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: c:\src\procexp\sys\objfre_wxp_x86\i386\procexp141.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, handle.exe.9.dr, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\MiddleTier\obj\Debug\EMIS.MiddleTier.pdb\T~T pT_CorDllMainmscoree.dll source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009EB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.Wpf.Mvvm\obj\Release\Emis.Wpf.Mvvm.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2574519463.000000001BDF0000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.ServiceInstaller\obj\Release\SDS.Client.ServiceInstaller.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr, SDS.Client.ServiceInstaller.exe.9.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.ExternalServices\obj\Release\Emis.SDS.Client.Installation.ExternalServices.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2575209624.000000001C030000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.Framework\obj\Release\SDS.Client.Framework.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: c:\src\Handle\Release\handle.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, handle.exe.9.dr, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\EmisHealthInstaller\obj\Release\EmisHealthInstaller.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.WebServices.Common\obj\Release\Emis.SDS.WebServices.Common.pdb4 source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\Entities\obj\Debug\EMIS.Entities.pdb0 source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009CB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.UI\obj\Release\Emis.SDS.Client.Installation.UI.pdb4 source: EmisHealthInstaller.exe, 00000009.00000002.2570271235.0000000003000000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\Entities\obj\Debug\EMIS.Entities.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009CB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.UI\obj\Release\Emis.SDS.Client.Installation.UI.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2570271235.0000000003000000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.Wpf.Mvvm\obj\Release\Emis.Wpf.Mvvm.pdb` source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2574519463.000000001BDF0000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Client.Installation.Services\obj\Release\Emis.SDS.Client.Installation.Services.pdbX source: EmisHealthInstaller.exe, 00000009.00000002.2575142776.000000001C020000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Common\obj\Release\Emis.SDS.Common.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.WebServices.Common\obj\Release\Emis.SDS.WebServices.Common.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2570421838.0000000003050000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\SDS.Client.Framework\obj\Release\SDS.Client.Framework.pdb<# source: EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: i:\B\58\1415\Sources\Emis.UX\obj\Debug\Emis.UX.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2572648422.00000000131DE000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2573591347.000000001BA90000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: T:\B\152\1601\Sources\Foundation\Emis.Net40\obj\Debug\net40\Emis.Net40.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: c:\src\procexp\sys\objfre_wnet_amd64\amd64\procexp141.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, handle.exe.9.dr, EmisHealthInstaller.exe.5.dr
Source:	Binary string: j:\B\64\201\Sources\SDS\Emis.SDS.Applications.Common\obj\Release\Emis.SDS.Applications.Common.pdb source: EmisHealthInstaller.exe, 00000009.00000002.2569739638.00000000014E0000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\MiddleTier\obj\Debug\EMIS.MiddleTier.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009EB000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr
Source:	Binary string: d:\Code\Workspaces\SDSDev\Sienna\EMISCore\obj\Debug\EMISCore.pdb source: EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe.5.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: EmisHealthInstaller.exe.5.dr, AssemblyEmbeddedResourceLoader.cs

.Net Code: Load System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\handle.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\SDS.Client.ServiceInstaller.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe

File created: C:\ProgramData\SDS\EmisHealthInstallerLogs\EmisHealthInstaller Log (25-07-24 09-11).txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: C90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Memory allocated: 1B070000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 607			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 9391			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\handle.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\SDS.Client.ServiceInstaller.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6312	Thread sleep count: 607 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6312	Thread sleep time: -303500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6312	Thread sleep count: 9391 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6312	Thread sleep time: -4695500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed

Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: set_IsVirtualMachineString
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: get_IsVirtualMachineString
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2575209624.000000001C030000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: get_IsVirtualMachine
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: IsVirtualMachine
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2575209624.000000001C030000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: isVirtualMachine
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: <IsVirtualMachine>k__BackingField
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: <IsVirtualMachineString>k__BackingField
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2575142776.000000001C020000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.0000000000B56000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: set_IsVirtualMachine
Source: EmisHealthInstaller.exe, 00000009.00000002.2569878509.0000000002E10000.00000004.08000000.00040000.00000000.sdmp, EmisHealthInstaller.exe, 00000009.00000000.1817173201.00000000009F2000.00000002.00000001.01000000.00000008.sdmp, EmisHealthInstaller.exe, 00000009.00000002.2572648422.0000000013078000.00000004.00000800.00020000.00000000.sdmp, EmisHealthInstaller.exe.5.dr	Binary or memory string: IsVirtualMachineString

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu" "C:\Users\user\Downloads\Emis Web installer.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
http://defaultcontainer/Emis.SDS.Client.Installation.UI;component/Resources/128x51horizontal.png	0%	Avira URL Cloud	safe
http://foo/bar/resources/blue-bkg.ico	0%	Avira URL Cloud	safe
http://foo/Resources/128x51horizontal.png	0%	Avira URL Cloud	safe
http://defaultcontainer/Emis.Wpf.Mvvm;component/controls/busyindicator.xaml	0%	Avira URL Cloud	safe
http://foo/Resources/blue-bkg.ico	0%	Avira URL Cloud	safe
http://foo/bar/resources/128x51horizontal.png	0%	Avira URL Cloud	safe
http://foo/bar/controls/busyindicator.baml	0%	Avira URL Cloud	safe
http://foo/controls/busyindicator.xaml	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
emisprod.service-now.com	148.139.13.160	true	false	unknown
www.google.com	216.58.206.36	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
www.emisnow.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://foo/Resources/128x51horizontal.png	EmisHealthInstaller.exe, 00000009.00000002.2570512849.0000000003086000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/Emis.SDS.Client.Installation.UI;component/Resources/128x51horizontal.png	EmisHealthInstaller.exe, 00000009.00000002.2570512849.0000000003086000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/resources/blue-bkg.ico	EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/Emis.Wpf.Mvvm;component/controls/busyindicator.xaml	EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Resources/blue-bkg.ico	EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/resources/128x51horizontal.png	EmisHealthInstaller.exe, 00000009.00000002.2570512849.0000000003086000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/controls/busyindicator.xaml	EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/controls/busyindicator.baml	EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/Emis.SDS.Client.Installation.UI;component/Resources/blue-bkg.ico	EmisHealthInstaller.exe, 00000009.00000002.2570512849.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
148.139.13.160	emisprod.service-now.com	United States	16839	SNCUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481924
Start date and time:	2024-07-25 15:10:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.troj.evad.win@27/10@4/5

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.227, 216.58.206.46, 66.102.1.84, 34.104.35.123, 40.127.169.103, 199.232.214.172, 192.229.221.95, 52.165.164.15, 13.85.23.206, 142.250.186.131
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, clientservices.googleapis.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e

Simulations

Behavior and APIs

Time	Type	Description
09:12:25	API Interceptor	205488x Sleep call for process: unarchiver.exe modified

Process:	C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	62
Entropy (8bit):	4.593219852199717
Encrypted:	false
SSDEEP:	3:xHzpfNyEJGMa1i5:VzryEJGMag5
MD5:	D8DF180E9C1B09AAA60A5E16DA46553C
SHA1:	26D8B77BB54B375F02A6AB066DC5016CD287DB30
SHA-256:	69E28B7800E8E6434BBB2E2A2B6641B173F1C1CAE1CD30DE57728F8E1846BF1E
SHA-512:	4C8352118550F9410C2226CFB7FF822EA9D9566E5B2F3B1ADD75156061CB66D35587CA91F016D32C7EE5CB9A17312E2B54D7A183841032E04AA9313C051674F5
Malicious:	false
Reputation:	low
Preview:	(25/07/24 09:12:00) Instance changed to New Default Instance..

C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\SDS.Client.ServiceInstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.996808827929713
Encrypted:	false
SSDEEP:	192:SBlvEvBd8STP3U3ep/eLHnyno5bLPUbAX+ScTVSbFkYkyIRtOgxla:rvBd8STP3uepgHnyn4LPEAfcTVcFkaz0
MD5:	E766E1FE1D681CE53FCCFABE7E552F80
SHA1:	085765DAF39EC3EE66D5BD5B23D5CAA7E4411677
SHA-256:	C954DEA6FF6D5EA6F2DC155D646D61EFC937F7C985A265B89AB543CFEC1E7345
SHA-512:	1B408A5D85B861EB10B4B70FF19F40DEBE735BBF9D14F36B1CACC313CA73BAE27D9959F4B0936208EB1BA9BABA2B14610645F4F2A5CBD44B4E9609585CA0A9F4
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......[.................$...........C... ...`....@.. ....................................@.................................pC..K....`..H...........................8B............................................... ............... ..H............text....#... ...$.................. ..`.rsrc...H....`.......&..............@..@.reloc..............................@..B.................C......H........'..<............................................................0..U........(......}......}.....s....}.......s....}.........(....-.#......>@(....+...(....}........0..I..........{....(....%.}.........(.....{.....{.....o....-.r...p(.......,..o................(>.......0..H.........}.....{.....o.....{.....{....o.....{.....{....o.........(.....(..............$7.......0..H..........{....(....%.}........(.....{.....{.....o....-.r...p(.......,..o.............'=.......0..

C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\handle.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	423288
Entropy (8bit):	6.435706066516779
Encrypted:	false
SSDEEP:	6144:Gzhmwu/RyL8heQcnyRE11ulyhCs2VSP0N3+mUinHv6AcNkqJGLrVU5B:cw/ULVQw1J2eOvAG3K5B
MD5:	50C128C5B28237B3A01AFBDF0E546245
SHA1:	7DFFDFDE2856D2DBD21F54AF16EDD9CC3447CB6F
SHA-256:	4690B6FCA6898297EB31259C7FAD2EDAEA5308FF8628C12C4586C5FC9902247E
SHA-512:	6AC8AA872AFCDE96833E9B347DB8765AAC0378231C0A920781A14D1D4A79ED3BC1FF1A7CD6B2AC3F7E03C43208C6D2B77B75649497A4D0BEA611C22CA54E90FF
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..j-_.j-_.j-_..._.j-_..._.j-_.j,_.j-_..._.j-_..._.j-_..._.j-_..._.j-_Rich.j-_................PE..L..."..M.....................j......8p............@.................................I........................................\..x.......T............^..x............................................R..@...............<............................text............................... ..`.rdata...h.......j..................@..@.data...<....p.......^..............@....rsrc...T............x..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2882048
Entropy (8bit):	5.936405391148738
Encrypted:	false
SSDEEP:	49152:b+joQwrffCP9ec1TMiysgpnavruxYKUI3DYv13K:qjLysgpavy7UI3
MD5:	D9171359379F547B6AE4E47CAA9AA2E5
SHA1:	DC1047C0B7786B2A8AB504DA8C163B86C892C803
SHA-256:	1CDE831FBABD65D870A948C3AF6F6206F9B45FC6265A9873A2B57BB5D61E3E93
SHA-512:	748815013AA03659739BCDA7BD081634D1C254BBBF3F70F94EA17647EB1904C7F2E27CC9AE173A765B83A0A2D2F0D1E89F9BAF7502203A618A78AEE9DDCF3D4E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe, Author: Joe Security
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......[....................d.......... .......@.. .......................`,...........@...................................O.......`...................@,..................................................... ............... ..H............text...4... ..................... ..`.rsrc....`......b.................@..@.reloc.......@,.......+.............@..B.......................H.......,..x............#..ls.........................................^(...........s....o.....0.."........o....s....(....r...p(......(....~~.....o....-..(....~.....o.......0..,........(......-.~......o....+...(.......,..o..............!........(....6..{....o.......0..8.......s.......}....( .....o!..........s"...(...+..-....o$....0..-........o%....#.........io&...&.('....~......o(....s).........(...........s+...o,...(....~-...(....(....(/...(....(0....0..C.......

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1480
Entropy (8bit):	5.156195536316416
Encrypted:	false
SSDEEP:	24:sCoDfwwiJMiJjWIMiJMiJUwRAiJfGPiJMiJFTACNiJbFAiJTCNiJopiJa0fiJMiO:tiwwGMGbMGMGpuGePGMGpJNGbqGWNGkW
MD5:	F6815765DBBC4E92B683C850C395BDC0
SHA1:	34D9D6A512A17B91EF0222019474964C6F401979
SHA-256:	B219387450D5F2C34E195A32DA2A831358A4DE8543938B5B2AD56EE678A7C9D4
SHA-512:	26AC3CEE6816B69157B3FF1B5AE45062D40351007FB7BA692BA4A078EE1ABF06FA32287BBB6AFB8DD223B2E49F232E861343DDF6BB7C1478B0DE002BB3CE8843
Malicious:	false
Reputation:	low
Preview:	07/25/2024 9:11 AM: Unpack: C:\Users\user\Downloads\Emis Web installer.zip..07/25/2024 9:11 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu..07/25/2024 9:11 AM: Received from standard out: ..07/25/2024 9:11 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..07/25/2024 9:11 AM: Received from standard out: ..07/25/2024 9:11 AM: Received from standard out: Scanning the drive for archives:..07/25/2024 9:11 AM: Received from standard out: 1 file, 1039124 bytes (1015 KiB)..07/25/2024 9:11 AM: Received from standard out: ..07/25/2024 9:11 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\Emis Web installer.zip..07/25/2024 9:11 AM: Received from standard out: --..07/25/2024 9:11 AM: Received from standard out: Path = C:\Users\user\Downloads\Emis Web installer.zip..07/25/2024 9:11 AM: Received from standard out: Type = zip..07/25/2024 9:11 AM: Received from standard out: Physical Size = 1039124..07/25/20

C:\Users\user\Downloads\2e78d3a3-1f0c-4eae-a73d-15b8fc099006.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	10917
Entropy (8bit):	7.98293890164875
Encrypted:	false
SSDEEP:	192:V7GfiR9h2pTAp2Xz/Sfq5S5ePoZ3qplzFfTMc7UqndZCzp:ZG2wmpiECTAZ6plJfTMcYqdZCzp
MD5:	EF19EBCEE7F91777ACAB33E27EDFBA66
SHA1:	610149B9077BD769A0ED3A9D1D5BCB194118BB05
SHA-256:	13793E504EBE37BA996C9F5C843B7A3D0E8F751CA4F27E66E0C5AA0FCB8EBB4A
SHA-512:	75123C2FDB8B6FAA016717462C1CB013862775315846B2032E87D97B16F4081C16836BF4AF25522CA64767402C10FAD4F233C3AA68AFFDE8D09786430AFB9339
Malicious:	false
Reputation:	low
Preview:	PK........CpON...7......+.....EmisHealthInstaller.exe.;....u...t......!vg.v..Y...eu......m..l!qX....,.^...db.T).`...bb..8..U.v..X...X^L.1..NU.\..J....t..bHR.JU.K;........~...........6..@.........<...&^.........p.4Z.]q}...G.xc..W.jG....)m.....W.f2.%.....v.&\|....x...H.)....4.m..\|...)..w...o..;...v...w......u..2\D..............<U.E.{....C.q\|._.}p.....>-.. ra..Z.v...7.. ..(G.6...U.y......_U..B....."...`..2...@.X.`.:..z...>..........<>{...R...o....T/..?5l.u;.)i..vyr..,.!#..\.......@..(%..Un...v.E`..ZYqp....I{......L.h.1.t.B...Vn7a\c.q.by=.?........v:.&..-1.^/..3.B.s1I..+)...e....T.}3..>l..1T..Tv.>~...~.]...sn:.K.....6EM...M...)t..I%UzJ..;HO...C.....c....(.F.v....$.%...t.qW.t....e.u7.Vt...X.<.]E$...j.[J..!...&=.F\6.....$.......M...B..&....;.k..&;......K..!."......j ......Q..h.A.k..V..Y...%..\|..P.9.="vXG...zz.@<m.q..2...G.t....q...f......c.c.$.xh..<mc.....v..nU.?E...Vw'w..{....H....W..x1..r...U.....<.q6..s..S...~.@..=..x....=e.........H.

C:\Users\user\Downloads\Emis Web installer.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1039124
Entropy (8bit):	7.99787806862077
Encrypted:	true
SSDEEP:	24576:oCybXsPueAf2IfPVlgOuc86WccPcKokHg4ROeoY2:EKoEOuF4cJNdV2
MD5:	E27FFB7BD5421FC959654C208AF38997
SHA1:	7B48C27357787365DE6DC21433C574C6C88DCE8B
SHA-256:	35635DB036A0EEF4CBD6ADB00BEC88ADCB37743AB9FC33E96D00C5D1CCB18350
SHA-512:	22E586EFC2866D9868B226337003B6212409C67E9B0E0B12C25A8CFACA69355B345A96E4D145348EEDDBEB9CBB5166CB62F4D2C85D4FB55B4BDBD48B86BE2284
Malicious:	true
Reputation:	low
Preview:	PK........CpON...7......+.....EmisHealthInstaller.exe.;....u...t......!vg.v..Y...eu......m..l!qX....,.^...db.T).`...bb..8..U.v..X...X^L.1..NU.\..J....t..bHR.JU.K;........~...........6..@.........<...&^.........p.4Z.]q}...G.xc..W.jG....)m.....W.f2.%.....v.&\|....x...H.)....4.m..\|...)..w...o..;...v...w......u..2\D..............<U.E.{....C.q\|._.}p.....>-.. ra..Z.v...7.. ..(G.6...U.y......_U..B....."...`..2...@.X.`.:..z...>..........<>{...R...o....T/..?5l.u;.)i..vyr..,.!#..\.......@..(%..Un...v.E`..ZYqp....I{......L.h.1.t.B...Vn7a\c.q.by=.?........v:.&..-1.^/..3.B.s1I..+)...e....T.}3..>l..1T..Tv.>~...~.]...sn:.K.....6EM...M...)t..I%UzJ..;HO...C.....c....(.F.v....$.%...t.qW.t....e.u7.Vt...X.<.]E$...j.[J..!...&=.F\6.....$.......M...B..&....;.k..&;......K..!."......j ......Q..h.A.k..V..Y...%..\|..P.9.="vXG...zz.@<m.q..2...G.t....q...f......c.c.$.xh..<mc.....v..nU.?E...Vw'w..{....H....W..x1..r...U.....<.q6..s..S...~.@..=..x....=e.........H.

C:\Users\user\Downloads\Emis Web installer.zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1039124
Entropy (8bit):	7.99787806862077
Encrypted:	true
SSDEEP:	24576:oCybXsPueAf2IfPVlgOuc86WccPcKokHg4ROeoY2:EKoEOuF4cJNdV2
MD5:	E27FFB7BD5421FC959654C208AF38997
SHA1:	7B48C27357787365DE6DC21433C574C6C88DCE8B
SHA-256:	35635DB036A0EEF4CBD6ADB00BEC88ADCB37743AB9FC33E96D00C5D1CCB18350
SHA-512:	22E586EFC2866D9868B226337003B6212409C67E9B0E0B12C25A8CFACA69355B345A96E4D145348EEDDBEB9CBB5166CB62F4D2C85D4FB55B4BDBD48B86BE2284
Malicious:	false
Reputation:	low
Preview:	PK........CpON...7......+.....EmisHealthInstaller.exe.;....u...t......!vg.v..Y...eu......m..l!qX....,.^...db.T).`...bb..8..U.v..X...X^L.1..NU.\..J....t..bHR.JU.K;........~...........6..@.........<...&^.........p.4Z.]q}...G.xc..W.jG....)m.....W.f2.%.....v.&\|....x...H.)....4.m..\|...)..w...o..;...v...w......u..2\D..............<U.E.{....C.q\|._.}p.....>-.. ra..Z.v...7.. ..(G.6...U.y......_U..B....."...`..2...@.X.`.:..z...>..........<>{...R...o....T/..?5l.u;.)i..vyr..,.!#..\.......@..(%..Un...v.E`..ZYqp....I{......L.h.1.t.B...Vn7a\c.q.by=.?........v:.&..-1.^/..3.B.s1I..+)...e....T.}3..>l..1T..Tv.>~...~.]...sn:.K.....6EM...M...)t..I%UzJ..;HO...C.....c....(.F.v....$.%...t.qW.t....e.u7.Vt...X.<.]E$...j.[J..!...&=.F\6.....$.......M...B..&....;.k..&;......K..!."......j ......Q..h.A.k..V..Y...%..\|..P.9.="vXG...zz.@<m.q..2...G.t....q...f......c.c.$.xh..<mc.....v..nU.?E...Vw'w..{....H....W..x1..r...U.....<.q6..s..S...~.@..=..x....=e.........H.

Chrome Cache Entry: 51

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	downloaded
Size (bytes):	1039124
Entropy (8bit):	7.99787806862077
Encrypted:	true
SSDEEP:	24576:oCybXsPueAf2IfPVlgOuc86WccPcKokHg4ROeoY2:EKoEOuF4cJNdV2
MD5:	E27FFB7BD5421FC959654C208AF38997
SHA1:	7B48C27357787365DE6DC21433C574C6C88DCE8B
SHA-256:	35635DB036A0EEF4CBD6ADB00BEC88ADCB37743AB9FC33E96D00C5D1CCB18350
SHA-512:	22E586EFC2866D9868B226337003B6212409C67E9B0E0B12C25A8CFACA69355B345A96E4D145348EEDDBEB9CBB5166CB62F4D2C85D4FB55B4BDBD48B86BE2284
Malicious:	false
Reputation:	low
URL:	https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e
Preview:	PK........CpON...7......+.....EmisHealthInstaller.exe.;....u...t......!vg.v..Y...eu......m..l!qX....,.^...db.T).`...bb..8..U.v..X...X^L.1..NU.\..J....t..bHR.JU.K;........~...........6..@.........<...&^.........p.4Z.]q}...G.xc..W.jG....)m.....W.f2.%.....v.&\|....x...H.)....4.m..\|...)..w...o..;...v...w......u..2\D..............<U.E.{....C.q\|._.}p.....>-.. ra..Z.v...7.. ..(G.6...U.y......_U..B....."...`..2...@.X.`.:..z...>..........<>{...R...o....T/..?5l.u;.)i..vyr..,.!#..\.......@..(%..Un...v.E`..ZYqp....I{......L.h.1.t.B...Vn7a\c.q.by=.?........v:.&..-1.^/..3.B.s1I..+)...e....T.}3..>l..1T..Tv.>~...~.]...sn:.K.....6EM...M...)t..I%UzJ..;HO...C.....c....(.F.v....$.%...t.qW.t....e.u7.Vt...X.<.]E$...j.[J..!...&=.F\6.....$.......M...B..&....;.k..&;......K..!."......j ......Q..h.A.k..V..Y...%..\|..P.9.="vXG...zz.@<m.q..2...G.t....q...f......c.c.$.xh..<mc.....v..nU.?E...Vw'w..{....H....W..x1..r...U.....<.q6..s..S...~.@..=..x....=e.........H.

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T15:12:40.519738+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49748	40.127.169.103	192.168.2.4
2024-07-25T15:12:02.233690+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49742	40.127.169.103	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 15:11:36.731715918 CEST	49675	443	192.168.2.4	173.222.162.32
Jul 25, 2024 15:11:47.105556965 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.105601072 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.105665922 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.107532978 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.107542038 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.107597113 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.108056068 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.108066082 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.108211994 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.108217955 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.953990936 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.954356909 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.954390049 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.955461025 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.955560923 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.956661940 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.956724882 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.956933975 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.956942081 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.991929054 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.992320061 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.992343903 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.993464947 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.993539095 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.993915081 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:47.993969917 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:47.998229980 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.045675993 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.045706034 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.093521118 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.299961090 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.299988031 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.300101995 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.300138950 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.300182104 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.303457022 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.303546906 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.309381008 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.309478045 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.417220116 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.417283058 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.421269894 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.421335936 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.422251940 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.422332048 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.425965071 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.426033974 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.427906036 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.427958012 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.432451963 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.432524920 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.440084934 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.440161943 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.497865915 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.497940063 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.500535965 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.500611067 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.504620075 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.504683018 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.508703947 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.508763075 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.510752916 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.510811090 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.512916088 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.512973070 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.516851902 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.516923904 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.518357038 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.518429041 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.521425962 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.521491051 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.526405096 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.526468039 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.589493990 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.589605093 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.592422962 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.592499971 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.594273090 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.594337940 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.597660065 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.597718954 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.598970890 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.599028111 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.601752996 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.601810932 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.604536057 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.604592085 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.605829954 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.605882883 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.608581066 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.608637094 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.609827042 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.609877110 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.611056089 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.611131907 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.613423109 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.613481045 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.615571976 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.615621090 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.691734076 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.691812038 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.692893982 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.692967892 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.695346117 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.696604967 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.698791027 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.698822975 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.698842049 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.698868990 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.698875904 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.698915958 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.698916912 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.699618101 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.699672937 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.699687958 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.699728012 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.702811956 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.702872992 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.702915907 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.702970982 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.704619884 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.704684019 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.706422091 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.706475019 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.707595110 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.707597017 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:48.707643032 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:48.707659006 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.707711935 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:48.708650112 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:48.708676100 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:48.709110975 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.709167957 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.710005999 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.710058928 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.710827112 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.710882902 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.712390900 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.712450981 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.713920116 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.713996887 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.714653969 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.714713097 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.716200113 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.716259003 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.716970921 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.717046022 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.719423056 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.719521999 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.719558001 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.719574928 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.719588041 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.763752937 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.776890039 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.776983976 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.777781963 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.777827978 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.779352903 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.779418945 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.780108929 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.780155897 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.781714916 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.782504082 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.782535076 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.782548904 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.782563925 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.782584906 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.784116983 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.784169912 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.784876108 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.784913063 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.788049936 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.788100958 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.788964033 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.789021015 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.790446997 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.790493011 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.791182995 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.791240931 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.792689085 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.792759895 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.793529034 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.793582916 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.794981956 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.795022964 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.796519995 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.796570063 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.797317982 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.797360897 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.798058033 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.798104048 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.799454927 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.799510002 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.800373077 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.800578117 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.801307917 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.801352024 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.802206039 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.802254915 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.803143978 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.803195953 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.803976059 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.804022074 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.804847002 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.804896116 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.805705070 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.805772066 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.807055950 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.807120085 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.807372093 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.807418108 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.808172941 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.808218002 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.808948040 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.809005022 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.809935093 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.809997082 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.867280960 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.867357969 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.867762089 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.867820024 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.869216919 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.869294882 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.870014906 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.870055914 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.870083094 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.870095968 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.870115042 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.871586084 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.871640921 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.871650934 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.871692896 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.872351885 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.872406960 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.873150110 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.873301029 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.873949051 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.874008894 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.874599934 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.874633074 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.874656916 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.874665022 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.874690056 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.875417948 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.875471115 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.875479937 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.875519991 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.876250982 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.876312017 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.877078056 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.877115011 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.877135992 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.877144098 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.877172947 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.877954006 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.878010988 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.878019094 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.878062963 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.879221916 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.879276991 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.880527973 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.880580902 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.880712032 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.880764008 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.881508112 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.881584883 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.882302999 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.882359028 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.883285999 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.883327961 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.883351088 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.883358002 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.883395910 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.884282112 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.884336948 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.884345055 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.884388924 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.885297060 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.885354042 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.888889074 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.888928890 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.888943911 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.888951063 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.888973951 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.888977051 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.889014959 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.889023066 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.889071941 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.889698982 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.889750004 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.890362024 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.890397072 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.890412092 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.890419006 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.890439034 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.891290903 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.891338110 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.891345978 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.891386986 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.958831072 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.958914995 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.960504055 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.960537910 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.960568905 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.960583925 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.960597992 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.960695982 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.960741997 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.960750103 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.960792065 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.961621046 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.961654902 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.961705923 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.961714029 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.961746931 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.961746931 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.962574005 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.962619066 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.963488102 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.963540077 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.965497971 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.965542078 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.965552092 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.965562105 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.965573072 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.965583086 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.965601921 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.965609074 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.965631008 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.969069958 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.969147921 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.969167948 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.969213963 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.969580889 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.969650030 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.970431089 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.970468044 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.970479965 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.970487118 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.970506907 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.972918987 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.972982883 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.972992897 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.973038912 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.973391056 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.973443031 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.974343061 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.974379063 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.974399090 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.974406004 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.974416971 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.975270033 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.975332975 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.975342035 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.975379944 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.976248980 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.976301908 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.977152109 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.977200985 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.977207899 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.977221966 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.977241039 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.978297949 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.978347063 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.978367090 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.978405952 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.979222059 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.979258060 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.979278088 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.979288101 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.979300976 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.979322910 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.980195045 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.980243921 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.981116056 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.981180906 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.982278109 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.982300997 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.982330084 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.982343912 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.982355118 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.982382059 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:48.983154058 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:48.983210087 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.004657030 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.048305035 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.048386097 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.051000118 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.051054955 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.051160097 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.051197052 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.051203966 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.051218987 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.051245928 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.051271915 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.051439047 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.051484108 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.051664114 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.051708937 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.053544998 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.053582907 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.053597927 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.053608894 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.053622007 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.053639889 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.053663015 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.053714037 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.054003000 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.054040909 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.054209948 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.054254055 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.055026054 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.055073977 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.055125952 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.055171013 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.060404062 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.060458899 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.060743093 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.060789108 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.061407089 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.061446905 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.061470032 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.061487913 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.061499119 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.062442064 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.062484980 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.062494993 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.062534094 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.063254118 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.063297987 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.064085960 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.064137936 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.064928055 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.064960957 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.064980030 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.064987898 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.065004110 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.065016985 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.065957069 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.066006899 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.066808939 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.066860914 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.066883087 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.066889048 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.066901922 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.066916943 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.066939116 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.066943884 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.066978931 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.067065001 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.067114115 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.070655107 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.070732117 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.071058035 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.071090937 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.071105957 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.071118116 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.071157932 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.071166039 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.071613073 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.116930008 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.116986036 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.123532057 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.123584986 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.137969971 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.138036966 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.138381958 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.138431072 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.139266968 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.139302969 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.139316082 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.139328003 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.139350891 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.139364958 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.140408039 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.140439034 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.140460968 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.140472889 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.140497923 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.140506029 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.141495943 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.141546965 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.142405987 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.142436981 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.142465115 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.142477036 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.142503977 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.143481016 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.143526077 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.143538952 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.143572092 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.143848896 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.143883944 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.143896103 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.143907070 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.143923998 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.143942118 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.144541025 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.144578934 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.144587040 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.144596100 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.144619942 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.144634008 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.146166086 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.146197081 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.146215916 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.146225929 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.146250963 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.146270037 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.147141933 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.147191048 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.148114920 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.148147106 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.148159981 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.148169994 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.148194075 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.149148941 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.149183035 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.149192095 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.149204016 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.149214029 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.149226904 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.149262905 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.149270058 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.149311066 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.150449991 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.150501013 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.151158094 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.151194096 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.151211023 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.151221037 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.151240110 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.152105093 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.152136087 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.152194023 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.152203083 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.152941942 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.152976036 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.152987003 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.152997017 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.153022051 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.153882027 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.153928041 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.153939962 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.153970957 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.175910950 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.207441092 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.207514048 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.207827091 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.207876921 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.266515970 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.266563892 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.266591072 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.266609907 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.266639948 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.266653061 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.269330978 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.269535065 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.270220995 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.270272970 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.270301104 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.270315886 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.270334959 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.270793915 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.270833969 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.270843029 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.270875931 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.270946026 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.270999908 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.271954060 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.272008896 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.272633076 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.272665024 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.272680998 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.272692919 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.272711039 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.272753000 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.273094893 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.273123980 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.273143053 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.273153067 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.273173094 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.273185968 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.274154902 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.274224997 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.274857998 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.274899006 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.274915934 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.274925947 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.274946928 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.275863886 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.275917053 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.275934935 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.275978088 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.276976109 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.277008057 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.277029991 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.277043104 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.277060032 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.277093887 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.277420044 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.277461052 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.277484894 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.277492046 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.277513027 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.277528048 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.278532982 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.278567076 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.278584957 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.278598070 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.278614998 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.278636932 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.279223919 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.279269934 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.279755116 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.279803991 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.279877901 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.279923916 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.280891895 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.280940056 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.281044006 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.281092882 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.281435966 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.281471968 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.281486034 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.281497955 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.281511068 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.282546043 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.282591105 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.282603025 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.282638073 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.302081108 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.302164078 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.302704096 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.302771091 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.344156981 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.344310999 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.344578981 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.344624043 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.344645023 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.344655991 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.344667912 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.346102953 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.346183062 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.346194029 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.346366882 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.350397110 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.350457907 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.352890015 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.352938890 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.352947950 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.352960110 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.352984905 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.352997065 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.353030920 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.353037119 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.353044033 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.353082895 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.353578091 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.353642941 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.353648901 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.353696108 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.353948116 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.369472980 CEST	49735	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:11:49.369499922 CEST	443	49735	148.139.13.160	192.168.2.4
Jul 25, 2024 15:11:49.403008938 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:49.404105902 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:49.404124975 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:49.405394077 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:49.405486107 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:49.415694952 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:49.415877104 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:49.466850042 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:49.466881990 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:49.513302088 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:50.387343884 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:50.387379885 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:50.387454033 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:50.399279118 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:50.399298906 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.047230005 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.047352076 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.073411942 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.073434114 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.073714972 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.123219967 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.261678934 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.304512978 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.450618982 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.450690031 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.450743914 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.451795101 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.451807022 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.451896906 CEST	49740	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.451901913 CEST	443	49740	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.572772980 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.572805882 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:51.572894096 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.573304892 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:51.573316097 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.435132027 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.435283899 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:52.486452103 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:52.486470938 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.486804962 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.490947008 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:52.532505989 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.716569901 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.716645002 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.716824055 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:52.718025923 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:52.718039036 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:52.718050957 CEST	49741	443	192.168.2.4	184.28.90.27
Jul 25, 2024 15:11:52.718055964 CEST	443	49741	184.28.90.27	192.168.2.4
Jul 25, 2024 15:11:59.370641947 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:59.370714903 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:59.370779037 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:59.742039919 CEST	49739	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:11:59.742069960 CEST	443	49739	216.58.206.36	192.168.2.4
Jul 25, 2024 15:11:59.910918951 CEST	49672	443	192.168.2.4	173.222.162.32
Jul 25, 2024 15:11:59.910943985 CEST	443	49672	173.222.162.32	192.168.2.4
Jul 25, 2024 15:12:33.059803009 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:12:33.059823990 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:12:47.694329023 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:12:47.694427967 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:12:47.699506044 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:12:47.729383945 CEST	49736	443	192.168.2.4	148.139.13.160
Jul 25, 2024 15:12:47.729403019 CEST	443	49736	148.139.13.160	192.168.2.4
Jul 25, 2024 15:12:48.730083942 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:48.730137110 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:48.730210066 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:48.730467081 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:48.730487108 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:49.394218922 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:49.394568920 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:49.394583941 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:49.394912004 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:49.395358086 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:49.395427942 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:49.435765028 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:59.292783022 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:59.292871952 CEST	443	49750	216.58.206.36	192.168.2.4
Jul 25, 2024 15:12:59.292922020 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:59.738992929 CEST	49750	443	192.168.2.4	216.58.206.36
Jul 25, 2024 15:12:59.739029884 CEST	443	49750	216.58.206.36	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 15:11:45.037750959 CEST	53	60334	1.1.1.1	192.168.2.4
Jul 25, 2024 15:11:45.100878000 CEST	53	53725	1.1.1.1	192.168.2.4
Jul 25, 2024 15:11:46.162058115 CEST	53	54027	1.1.1.1	192.168.2.4
Jul 25, 2024 15:11:46.825781107 CEST	53970	53	192.168.2.4	1.1.1.1
Jul 25, 2024 15:11:46.826256037 CEST	58453	53	192.168.2.4	1.1.1.1
Jul 25, 2024 15:11:46.888561964 CEST	53	58453	1.1.1.1	192.168.2.4
Jul 25, 2024 15:11:47.104406118 CEST	53	53970	1.1.1.1	192.168.2.4
Jul 25, 2024 15:11:48.677966118 CEST	52736	53	192.168.2.4	1.1.1.1
Jul 25, 2024 15:11:48.678852081 CEST	61278	53	192.168.2.4	1.1.1.1
Jul 25, 2024 15:11:48.695245981 CEST	53	61278	1.1.1.1	192.168.2.4
Jul 25, 2024 15:11:48.697618961 CEST	53	52736	1.1.1.1	192.168.2.4
Jul 25, 2024 15:12:00.772938967 CEST	138	138	192.168.2.4	192.168.2.255
Jul 25, 2024 15:12:03.216006994 CEST	53	54721	1.1.1.1	192.168.2.4
Jul 25, 2024 15:12:22.204391956 CEST	53	50227	1.1.1.1	192.168.2.4
Jul 25, 2024 15:12:44.448656082 CEST	53	61953	1.1.1.1	192.168.2.4
Jul 25, 2024 15:12:45.048382044 CEST	53	51576	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 15:11:46.825781107 CEST	192.168.2.4	1.1.1.1	0xccaf	Standard query (0)	www.emisnow.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:11:46.826256037 CEST	192.168.2.4	1.1.1.1	0x5e81	Standard query (0)	www.emisnow.com	65	IN (0x0001)	false
Jul 25, 2024 15:11:48.677966118 CEST	192.168.2.4	1.1.1.1	0x9bca	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:11:48.678852081 CEST	192.168.2.4	1.1.1.1	0x3e5f	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 15:11:46.888561964 CEST	1.1.1.1	192.168.2.4	0x5e81	No error (0)	www.emisnow.com	emisprod.service-now.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 15:11:47.104406118 CEST	1.1.1.1	192.168.2.4	0xccaf	No error (0)	www.emisnow.com	emisprod.service-now.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 15:11:47.104406118 CEST	1.1.1.1	192.168.2.4	0xccaf	No error (0)	emisprod.service-now.com		148.139.13.160	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:11:48.695245981 CEST	1.1.1.1	192.168.2.4	0x3e5f	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 25, 2024 15:11:48.697618961 CEST	1.1.1.1	192.168.2.4	0x9bca	No error (0)	www.google.com		216.58.206.36	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:12:01.457818985 CEST	1.1.1.1	192.168.2.4	0xc7	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:12:01.457818985 CEST	1.1.1.1	192.168.2.4	0xc7	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:12:02.876245022 CEST	1.1.1.1	192.168.2.4	0x534	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 15:12:02.876245022 CEST	1.1.1.1	192.168.2.4	0x534	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:12:15.202182055 CEST	1.1.1.1	192.168.2.4	0x58e1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 15:12:15.202182055 CEST	1.1.1.1	192.168.2.4	0x58e1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:12:37.116070986 CEST	1.1.1.1	192.168.2.4	0xef0b	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 15:12:37.116070986 CEST	1.1.1.1	192.168.2.4	0xef0b	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:12:57.708492994 CEST	1.1.1.1	192.168.2.4	0xe1ff	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 15:12:57.708492994 CEST	1.1.1.1	192.168.2.4	0xe1ff	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.emisnow.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	148.139.13.160	443	3332	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 13:11:47 UTC	715	OUT	GET /sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e HTTP/1.1 Host: www.emisnow.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-25 13:11:48 UTC	1350	IN	HTTP/1.1 200 OK Server: snow_adc Date: Thu, 25 Jul 2024 13:11:48 GMT Content-Type: application/zip;charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: BIGipServerpool_emisprod=aeab12b4c8dee8f589ad474af05e129d; httponly; secure; path=/; SameSite=None Set-Cookie: JSESSIONID=D0ADD22128545656BDD99F63D73A9E43; Path=/; HttpOnly; secure; SameSite=None Server-Timing: sem_wait;dur=0, sesh_wait;dur=0 Set-Cookie: glide_user=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly; secure; SameSite=None Set-Cookie: glide_user_session=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly; secure; SameSite=None Set-Cookie: glide_user_route=glide.5470c948ab15f1b10e83e82b218e043a; Max-Age=2147483647; Expires=Tue, 12-Aug-2092 16:25:55 GMT; Path=/; HttpOnly; secure; SameSite=None Set-Cookie: glide_node_id_for_js=8b194846b0033aaf221737bc882af90a41abdad6687018b923548e90d394bf6f; Path=/; secure; SameSite=None X-Is-Logged-In: false X-Transaction-ID: 845943a28327 Pragma: no-store,no-cache Cache-Control: public Expires: Sat, 24 Aug 2024 13:11:48 GMT X-Content-Type-Options: nosniff Content-Disposition: attachment; filename*= UTF-8''Emis%20Web%20installer.zip x-edge-enc-proxy-static: true x-edge-enc-proxy-attachment: true Strict-Transport-Security: max-age=63072000; includeSubDomains
2024-07-25 13:11:48 UTC	2746	IN	Data Raw: 31 39 30 0d 0a 50 4b 03 04 14 00 00 00 08 00 43 70 4f 4e 01 0c 8a 37 84 da 0f 00 00 fa 2b 00 17 00 00 00 45 6d 69 73 48 65 61 6c 74 68 49 6e 73 74 61 6c 6c 65 72 2e 65 78 65 ec 3b 09 90 1c d5 75 af 7f f7 74 cf b9 da d9 19 cd ec 21 76 67 85 76 d5 9a d9 59 ad 0e a4 65 75 0b 1d 86 08 81 82 6d 09 19 6c 21 71 58 18 d4 eb 99 95 c1 2c bb 5e ce 18 83 64 62 0c 54 29 c1 60 11 82 1d 62 62 8e aa 38 e0 8a 55 c4 76 8e 82 58 8e 0d 81 58 5e 4c ca 31 8e cb 4e 55 aa 5c 94 93 4a 96 bc e3 f7 74 f7 ec 62 48 52 ae 4a 55 b6 4b 3b dd fd ff fb ef fe ef bf ff 7e eb c2 fd f7 82 09 00 16 fe bd fd 36 c0 d7 40 ae cd f0 ee d7 14 fe b5 f4 3c d7 02 cf 26 5e ea fd 9a b1 eb a5 de f7 7f f4 70 bd 34 5a f3 ae a9 5d 71 7d e9 d0 15 47 8e 78 63 a5 83 57 95 6a 47 8f 94 0e 1f 29 6d bb e8 92 d2 f5 Data Ascii: 190PKCpON7+EmisHealthInstaller.exe;ut!vgvYeuml!qX,^dbT)`bb8UvXX^L1NU\JtbHRJUK;~6@<&^p4Z]q}GxcWjG)m
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: c6 5e a9 5d c6 5a 10 da 43 11 0f 1d 21 1e 3e 30 9b 87 91 66 9e 3b 43 f0 1f 9c 0d bf 97 e1 47 7c 88 7d fc ea 8f 6d 0b 8d bd d4 1f 0b cd fa e3 3c ce 7d 39 92 9f 2a f6 bd ae 20 56 28 17 39 b3 eb e9 48 ae d7 de 04 63 ba e7 46 80 08 0f f2 40 39 b5 4f c7 74 5f 0d 08 f9 7c 84 fa dd d7 22 7c 48 ff 59 a1 fe 7f 98 a3 bf 3b d4 ff 8a df 1f 56 cb 1a d1 2a c5 c0 17 11 be 87 7d 9e a7 ad 87 73 20 99 1e a6 af 01 ea 1f 22 15 d9 12 80 3d 8c 24 c9 7e 59 06 e4 19 74 5a a2 23 d1 5e 3f 12 5d c8 5f 89 74 1d db a3 c3 44 a1 76 8e 01 a3 27 71 2f e4 78 97 23 00 3e b5 d7 36 48 53 87 c3 1b 5b 26 8a af 9d 8c 1e 1f dc 0f 53 2b 93 09 a2 cf 17 82 e8 83 11 cd 8f 3e 8d 4c cf 16 d6 69 df 22 df 9c 6c 82 ab 1f 93 50 72 6b fd 23 d8 e5 1e c0 9f 29 ca 5e 0a 53 b8 5b b0 6a db 91 89 a9 b4 5e 33 68 Data Ascii: ^]ZC!>0f;CG\|}m<}9* V(9HcF@9Ot_\|"\|HY;V*}s "=$~YtZ#^?]_tDv'q/x#>6HS[&S+>Li"lPrk#)^S[j^3h
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: 63 6f 85 95 e6 ba d0 0f 4b 90 ef d2 3e a8 33 4c 47 47 22 0b 8a af 2f c1 e0 f4 9d 2a 47 21 20 bc d1 ac 80 96 ff b2 22 fe 39 31 e2 97 85 e9 45 37 40 d5 57 c1 da 19 da e6 56 46 6c f8 01 24 78 0f 10 51 d7 21 96 9d 2d fc a3 68 1d 3f 5d 9c b2 59 38 d7 d0 3a de 11 af 19 02 63 10 02 51 f7 eb a5 b0 6c eb 27 56 ca 41 19 e7 ec 76 e4 a2 28 f6 62 0c 1b a9 46 ca a8 41 4f dc 8f 64 e0 87 dd bb 0d 33 9d ac e0 f2 a7 b0 5e 33 fe 0a 80 ec 59 8d 92 21 df 51 9f 94 c2 4a ef ad 94 5f 8c 1f 90 4d 91 21 b0 14 ba 46 4a 91 10 cf 10 6e 11 e3 43 64 64 ec 5e 58 e3 41 cf 3c 48 65 04 13 1b d0 fa 16 34 80 53 0c 9c 6e f8 1f 7f 55 e0 c4 73 9a b8 1b 50 2d 6a df b7 58 79 00 20 eb 61 94 9d af 51 7e 43 50 0d 96 53 9c 76 37 47 dd 33 85 c0 68 a4 7f 13 9e 9e f0 7a 42 3b fe 3a 24 76 57 6d cd 11 96 Data Ascii: coK>3LGG"/*G! "91E7@WVFl$xQ!-h?]Y8:cQl'VAv(bFAOd3^3Y!QJ_M!FJnCdd^XA<He4SnUsP-jXy aQ~CPSv7G3hzB;:$vWm
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: 4e 9e a5 25 b7 43 f2 4c 4e 9e dd a6 a5 4f 87 74 bb f7 97 a4 d5 ec e8 cb 28 1f 61 a9 5e b6 41 5b db 99 b6 26 d8 9d 38 e7 79 a4 80 7f 0e b3 2e 8b af 15 86 c5 17 e8 0d d0 88 ed 67 b5 48 79 cb 04 4b 06 03 4c 35 e2 a5 06 de e4 68 98 45 2f 7a 94 d8 a6 20 ab 7c ef 63 20 5d 0a 48 0a 8b d0 eb a4 10 11 89 0d cf cb 49 49 f6 09 79 7d 88 a6 d8 68 46 61 5a 2d e8 18 a7 66 73 af 05 36 ee ce 39 54 01 6e ef af 26 6b 15 d8 d1 fd 05 b5 0e c6 f1 72 03 4d 8b cd ec ae 2e d9 81 33 bd 2c e2 1a ff e2 67 61 fc a5 ea 4b 87 b2 54 e5 fe ac 89 66 1f cb 18 d6 8d 76 f1 46 bd ee 23 0a 42 45 7b af 95 81 0e 77 63 dd fa 70 72 e2 77 21 54 3a 94 4b 6e f7 4c 97 64 b0 3b 30 9d 78 6e 01 af df 0d d3 8d d1 74 d7 c3 6a 94 47 16 ea b1 e0 77 1f 24 08 22 84 f9 81 1e ff 5d 13 db ae 54 77 fc 99 b4 7f fa Data Ascii: N%CLNOt(a^A[&8y.gHyKL5hE/z \|c ]HIIy}hFaZ-fs69Tn&krM.3,gaKTfvF#BE{wcprw!T:KnLd;0xntjGw$"]Tw
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: 31 b3 52 f2 6f e7 3a 23 2b 7d c2 35 f6 37 d3 f8 fc 9a cc a7 9b a8 81 5c 72 d6 ca 9f 73 48 b4 af 05 de 0a 88 d5 1d 7e 46 73 74 f9 32 ea 05 d4 22 13 29 7f 0a 58 80 e9 2e a7 7c fb d2 6e e5 25 1c a8 39 51 7a 69 8e 8a a3 8a 49 2a 2a 5b 43 2d 25 3f c8 d3 e0 15 08 9b 59 88 83 d5 a0 be 58 98 9e 2f a8 3f ae b1 c8 ca 04 f2 ed 9b 1d 61 35 48 5b 88 6b ad 6c 7d ba 44 6c c8 f7 2f 25 b2 c9 d2 74 62 50 8b b5 5e c4 ad 98 66 8b 89 7c ba d2 7e d0 7a 71 40 e0 90 4e 63 aa 03 20 28 b1 6b 33 df 81 03 a5 21 9e a7 bd 9e 32 cf 8e cb 8c cb b6 5c fe 50 66 9c 38 6c a0 0f f7 1e 4d 4b fb 70 0e 94 cc 99 18 0b 1f 16 dc bc 95 bc 3e 9e 89 a1 4e 98 89 97 d7 44 fc 62 db 6a 08 70 25 02 d2 a5 77 69 d8 64 eb 13 a5 bf a2 08 b9 39 dc 57 9f 8c 73 0f 64 92 2d 5d e5 b5 11 99 71 1b 8e 05 4e d9 e2 e4 Data Ascii: 1Ro:#+}57\rsH~Fst2")X.\|n%9QziI**[C-%?YX/?a5H[kl}Dl/%tbP^f\|~zq@Nc (k3!2\Pf8lMKp>NDbjp%wid9Wsd-]qN
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: d0 ce e8 d3 84 bb dc 69 62 18 ac 56 e8 31 77 26 a2 bd 0a 3d e7 ae 85 52 38 a6 d0 3e 77 9e 28 85 9f 15 fa da dd 53 94 41 de 50 89 7e 71 17 21 2a 51 28 35 61 b0 18 0e d5 0a f5 4c a8 83 e1 b0 80 d1 91 84 21 09 a5 62 04 2c 55 b2 86 84 51 88 ee 52 28 9c 30 0e d1 16 85 6e 4a a8 14 23 e1 2f 0a 3d 9c 30 05 d1 7b 12 89 1d 09 27 61 14 1c 57 e8 a5 84 5a 31 0a 92 87 49 f4 b7 84 5a 94 95 30 ba 1a 3e 4a 98 85 b2 19 06 3a 1f 51 54 69 66 24 36 88 72 58 6b a0 85 e2 34 d8 aa 34 cb 13 17 21 7a 53 c9 26 27 9e 05 a7 c1 b7 0a cd 4a 3c 89 e8 84 42 17 32 b2 97 12 da 2d fc 89 4b 30 de 71 46 6b 72 db 53 16 e2 9e 36 ad 8c d0 0a 9c 01 bb c5 68 08 32 ba da bd 38 69 02 9c 0e 2b 14 5a 91 f4 96 38 1d 56 2b 74 53 d2 41 f1 3f b0 51 a1 07 92 8e 20 da aa d0 d3 49 47 c5 19 b8 f7 90 68 67 52 Data Ascii: ibV1w&=R8>w(SAP~q!*Q(5aL!b,UQR(0nJ#/=0{'aWZ1IZ0>J:QTif$6rXk44!zS&'J<B2-K0qFkrS6h28i+Z8V+tSA?Q IGhgR
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: f0 f3 80 8a c4 bb b4 17 9e 96 b2 e4 81 95 70 8f f6 a6 42 7d 06 a6 89 7b b4 a3 0a 8d 66 f4 6f 19 8f 5b fe 1e cd fd 27 96 01 b5 e7 3d 5a 21 a3 35 70 c3 c0 17 12 ef d1 a2 4a 46 75 d8 a0 ad 55 88 ea b0 41 db 2b 91 9b 5a fe 5e ed b0 42 37 31 3a c1 e8 4a b8 7b e0 21 db bd da c0 6d 32 1e b5 fc 7d da 2e 85 a8 e5 1f d0 0e 29 44 7d f4 a0 66 df 2e 11 f5 c3 43 da 68 85 a8 1f 36 6a 33 14 1a c8 68 81 42 e3 19 2d 55 68 26 a3 75 0a 51 4b 6c d4 36 29 44 2d b1 51 db a5 d0 68 46 07 19 c9 d3 f3 8d 1a bd ca db 3a 90 e8 2e 87 4e 35 78 66 20 9d 21 be 36 90 5e 03 8f 2d ea 8a 2f e0 53 83 6a f0 15 87 7f 62 6a 2b 26 9a 54 4c 7c 19 ce e6 70 41 5c d8 06 fd 0d 8e ce 97 1c 49 0b 0c aa f3 87 32 95 e5 19 c5 e1 31 4c 67 b1 8e e4 7b 39 3c 8b d3 97 9c 5f 97 4a 7a d0 63 a6 76 d0 61 b6 c9 af Data Ascii: pB}{fo['=Z!5pJFuUA+Z^B71:J{!m2}.)D}f.Ch6j3hB-Uh&uQKl6)D-QhF:.N5xf !6^-/Sjbj+&TL\|pA\I21Lg{9<_Jzcva
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: ed 81 74 49 f7 be 48 2f e9 3e d0 15 ab f3 97 ee 44 65 fa bf eb b1 ce e0 cb 52 2d ec 71 01 a7 70 1f d3 8d 48 7f d7 93 52 90 ed 26 a9 6c b7 70 f7 37 90 bf b3 d7 d7 48 77 f7 a2 14 be 60 9a 5a 78 02 39 43 0a 69 0c 8c 28 24 4e 65 21 95 fc 6f 70 99 1b e0 7f 7b 5f 8b f4 d6 3e 54 c7 70 f7 23 6e a2 d3 13 b1 37 fb 0d e4 1c 67 25 ea 69 5e ca 63 46 4a 25 5f ea 8c 83 fb 31 5c d6 9f cb cc e1 a9 03 29 dc c8 d4 0c bb e1 5d a0 6f e4 3e 88 54 ce 1a fa eb c0 5f 1b b8 e8 6c 06 e7 8c 40 4c a7 16 4e 9c 3b 1a 72 3d c8 19 88 f3 87 fe 0b 10 d1 62 9c 43 02 06 21 a5 ff ca 4d df c9 51 c2 74 28 64 21 67 08 d3 61 38 13 35 28 c5 59 26 f8 74 43 83 e1 40 df 00 31 82 69 15 ce 36 0d 2a 99 56 03 7d 0b cb 44 a4 1a 4c c2 99 a7 e1 bc ec 8b 9c 29 48 e9 ff 19 f5 c3 f0 99 48 e9 ff 18 0e 40 3a 15 Data Ascii: tIH/>DeR-qpHR&lp7Hw`Zx9Ci($Ne!op{_>Tp#n7g%i^cFJ%_1\)]o>T_l@LN;r=bC!MQt(d!ga85(Y&tC@1i6*V}DL)HH@:
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: 02 c7 5d 16 79 bb bc 87 3f c5 4a 7b 2a 6d 63 65 a8 d5 fd 46 ac 71 9d 97 86 03 e2 28 dd e1 fd b6 84 38 91 05 68 ee 2d e7 c1 ea 90 d7 3c f4 0d 84 95 71 c0 4c b0 8e 01 39 98 b9 d9 c2 86 25 5a c0 27 5d d2 75 37 ed 53 24 06 f1 22 ac f4 22 96 b0 fe 77 72 dc a6 7d 72 dc 46 7b 72 dc 36 7d 72 cc e6 5a 9a 1c 7e 01 12 d1 a7 7e 17 22 cb d6 d5 4c 46 7a d5 71 b1 b8 4d 17 fb 3b 73 67 fa a3 e1 80 bf 2b 49 17 bb 5b 53 c8 bb 55 ca de 64 c9 83 c5 58 de cc 90 dc dd c6 71 e5 41 74 ec 41 a3 29 36 0f 9e 09 c5 5c 11 c8 d5 c0 54 95 4d 5c a5 b6 47 06 43 8d 79 a3 8d 2b 22 b4 40 34 b3 79 37 52 91 0f 8d 62 f2 a2 4b 35 9c cd be 80 3e 44 a6 fb 97 98 77 2a 7a ab eb 27 9c 66 cb 5a 8f 43 cd 6a 98 67 a1 ea 6c a5 eb 0e 3d 75 67 06 94 a2 31 0f 26 46 1a bd ad b1 97 26 7a 62 74 92 da d6 4a d5 Data Ascii: ]y?J{mceFq(8h-<qL9%Z']u7S$""wr}rF{r6}rZ~~"LFzqM;sg+I[SUdXqAtA)6\TM\GCy+"@4y7RbK5>Dwz'fZCjgl=ug1&F&zbtJ
2024-07-25 13:11:48 UTC	4096	IN	Data Raw: 15 96 11 57 ef 60 ee 4a 08 d2 c7 a6 3b 7d 6f 45 d5 1e 1b d0 51 82 af c2 cd 8d 1e 15 f5 17 a4 d4 3d f8 d9 01 83 12 86 85 8a dd 19 a9 0d 63 23 ea 3b 73 9b 6b d9 db 88 0a 47 cb 37 a0 7c cf 94 71 69 1b 0b be f6 8c 10 c3 75 4a 76 13 1b e6 53 5c 99 2f be fc ad 1f 7c f7 ef d6 1c fb ce a7 2f bd e5 44 df 07 95 f7 85 bb b7 6d 99 7f e1 cb f7 7b 9f b9 7c c7 3d 99 17 12 ab 2c 27 db 8b 4f 1c 1f df 76 b2 b5 e7 4c 27 8d f4 76 d3 31 f1 e8 b3 7d 95 8d c7 70 ab 3d 47 49 df f2 95 69 fb 86 61 22 51 c0 c7 8b 21 93 ed 8d fb 36 ee 66 ba a3 e0 fa 16 a7 2c 05 b3 f2 0d 2f 3b e0 fa 26 ee 1d 69 ce 0d 7a 07 5f ea dd 71 d5 e8 b3 7f e2 20 db 91 1d a6 5a 53 3f b3 5d d9 51 cf b7 e4 c9 cd bb 1c 2e f6 e2 2b 0c d5 96 1d 37 16 a9 c4 0a c3 90 94 07 08 d9 fd d9 51 f4 a4 87 07 b4 cc 02 a1 d3 51 Data Ascii: W`J;}oEQ=c#;skG7\|qiuJvS\/\|/Dm{\|=,'OvL'v1}p=GIia"Q!6f,/;&iz_q ZS?]Q.+7QQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-25 13:11:51 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-25 13:11:51 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus2-z1 Cache-Control: public, max-age=64270 Date: Thu, 25 Jul 2024 13:11:51 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-25 13:11:52 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-25 13:11:52 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=64440 Date: Thu, 25 Jul 2024 13:11:52 GMT Content-Length: 55 Connection: close X-CID: 2
2024-07-25 13:11:52 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Target ID:	0
Start time:	09:11:40
Start date:	25/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:11:43
Start date:	25/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2336,i,1610588987333776437,15318128558683380301,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:11:46
Start date:	25/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:11:51
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Emis Web installer.zip"
Imagebase:	0x260000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:11:52
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu" "C:\Users\user\Downloads\Emis Web installer.zip"
Imagebase:	0xc70000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:11:52
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:11:53
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	09:11:53
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:11:53
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe
Imagebase:	0x9b0000
File size:	2'882'048 bytes
MD5 hash:	D9171359379F547B6AE4E47CAA9AA2E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000009.00000002.2570094129.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\SDS\EmisHealthInstallerLogs\EmisHealthInstaller Log (25-07-24 09-11).txt

C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\SDS.Client.ServiceInstaller.exe

C:\Users\user\AppData\Local\Temp\EmisHealthInstaller\handle.exe

C:\Users\user\AppData\Local\Temp\s4vd4sul.3zu\EmisHealthInstaller.exe

C:\Users\user\AppData\Local\Temp\unarchiver.log

C:\Users\user\Downloads\2e78d3a3-1f0c-4eae-a73d-15b8fc099006.tmp

C:\Users\user\Downloads\Emis Web installer.zip (copy)

C:\Users\user\Downloads\Emis Web installer.zip.crdownload

Chrome Cache Entry: 51

Static File Info

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
https://www.emisnow.com/sys_attachment.do?sys_id=2aa262adc3310290023cf25c0501316e